Analysis Overview
SHA256
bccfea0aa1f93962c5e794076f9a1da37fa67114cf88809a3f65f6ae8bb44655
Threat Level: Known bad
The file FNknoxV1 (1).rar was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Quasar RAT
Blankgrabber family
Quasar payload
Command and Scripting Interpreter: PowerShell
UPX packed file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies registry class
Checks SCSI registry key(s)
Detects videocard installed
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 21:25
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 21:25
Reported
2024-06-27 21:46
Platform
win10v2004-20240226-en
Max time kernel
1190s
Max time network
1203s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Driver.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3592 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2364 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 21:25
Reported
2024-06-27 21:46
Platform
win7-20240611-en
Max time kernel
839s
Max time network
840s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2000 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe | C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe |
| PID 2000 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe | C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe |
| PID 2000 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe | C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe
"C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe"
C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe
"C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI20002\python311.dll
| MD5 | 9e985651962ccbccdf5220f6617b444f |
| SHA1 | 9238853fe1cff8a49c2c801644d6aa57ed1fe4d2 |
| SHA256 | 3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e |
| SHA512 | 8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36 |
memory/2636-24-0x000007FEF5EC0000-0x000007FEF64A9000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-27 21:25
Reported
2024-06-27 21:46
Platform
win10v2004-20240508-en
Max time kernel
1199s
Max time network
1205s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe
"C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe"
C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe
"C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FNknoxV1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUa67jtDM2qz.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3068 -ip 3068
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 2252
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0IIdjYbLYUgI.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1824 -ip 1824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1660
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uDULYFO0J4bf.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2164
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIOzMbbUU0Gf.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2684 -ip 2684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 2192
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqFIKuBzffvn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5064 -ip 5064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 2228
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q5NnnJn6cjlU.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3228 -ip 3228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 2164
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\System32\fruvan.exe
"C:\Windows\System32\fruvan.exe"
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w6jsuI89MXr3.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4528 -ip 4528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 2188
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\System32\fruvan.exe
"C:\Windows\System32\fruvan.exe"
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcT8ZthW7tFP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2540 -ip 2540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 2180
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3R2z0V5suMqI.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1392 -ip 1392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 2216
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9BJKF6I3YPas.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1220 -ip 1220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 2164
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CNQGLvr8nr3p.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2424 -ip 2424
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 2240
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAMeC3vrYiGu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 940 -ip 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 2208
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wZdY4nQMyr7A.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3040 -ip 3040
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 2200
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xh0zHQegmQvX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1324 -ip 1324
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 2208
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7MAipkniJZ1e.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5XTv8pCT2Dnh.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 396 -ip 396
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEkg0rMdxeAY.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2320 -ip 2320
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 2216
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ed0bscs9Nm1p.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4312 -ip 4312
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3VZ1gnJWtrzQ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4336 -ip 4336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 2192
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z7ztKUkRVeDz.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4824 -ip 4824
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1944
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQqFiW4eN4wC.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3968 -ip 3968
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 2148
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6SY4v3OQMDuN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1312 -ip 1312
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 2228
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIve8Pw5fUC9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4000 -ip 4000
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 2188
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6D97Z6DzHOeE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4092 -ip 4092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 2240
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VXrmmvDPlo81.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4352 -ip 4352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 2240
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiBz40cAUTu4.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2540 -ip 2540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 2216
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0cbjixjlbZeE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5024 -ip 5024
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 2192
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LU5LF1IYI7Dm.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4396 -ip 4396
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yi8PSkPQw7sM.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2052 -ip 2052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27OJKVuvMFic.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3696 -ip 3696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSviJ34fMUuJ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4696 -ip 4696
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 2216
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umdNWr36qvO6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2360 -ip 2360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 2208
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dINeAScTcImS.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1164 -ip 1164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DDc7b9tMEBDX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3916 -ip 3916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1680
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOvKuFI8xqza.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2248 -ip 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 2244
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xPoPK2SaQBHr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1996 -ip 1996
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 2208
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dukwCsqefjxK.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4704 -ip 4704
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 2208
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2DTbPgq49AS7.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3780 -ip 3780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 2212
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYz0OF0o9Pdn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3948 -ip 3948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UBDcpfc3G0YH.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3696 -ip 3696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 2216
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w4pcgsZJrIbX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4128 -ip 4128
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 2240
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9kn41wsfuFOX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4140 -ip 4140
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 2188
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f67DoFCiQIG8.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4508 -ip 4508
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 2184
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lb3kf5amgrxb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4312 -ip 4312
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1936
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tZDzCF37DqML.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1216 -ip 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 2244
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ojiSiaHZQhSU.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 312 -ip 312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 2240
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pr6tvDVtEGGs.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1584 -ip 1584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 2208
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o2P6EIufxv2v.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1324 -ip 1324
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 2216
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKzj7Osx24Fw.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2236 -ip 2236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 2216
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N1GUzQ37xUco.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1712 -ip 1712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 2240
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uzQjVaVTVT1Y.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4792 -ip 4792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 2208
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEHWV2mefHN2.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1708 -ip 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PW45axEIjBgC.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3080 -ip 3080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 2208
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAP4MXD0kW5O.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4052 -ip 4052
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 2220
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcQp8vQc5zoB.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4088 -ip 4088
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 2216
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UJB0GjuHekI5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1056 -ip 1056
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1928
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hz9TbnDchh55.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1488 -ip 1488
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 2240
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blank-tsmxp.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | blank-tsmxp.in | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | blank-tsmxp.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | hanekez.ddns.net | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI23882\python311.dll
| MD5 | 9e985651962ccbccdf5220f6617b444f |
| SHA1 | 9238853fe1cff8a49c2c801644d6aa57ed1fe4d2 |
| SHA256 | 3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e |
| SHA512 | 8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36 |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
memory/1572-26-0x00007FF80FF90000-0x00007FF810579000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI23882\base_library.zip
| MD5 | 5011d68fbea0156fe813d00c1f7d9af2 |
| SHA1 | d76d817cac04d830707ce97b4d0d582a988e1dbd |
| SHA256 | b9e9569931047cd6a455ec826791c2e6c249c814dc0fa71f0bd7fa7f49b8948d |
| SHA512 | 6a5affde07b5150b5aee854851f9f68c727b0f5ba83513c294d27461546a5ef67bf6c5869fc4abdadaa9bf1767ea897910c640c5494b659a29004050c9c5d099 |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_ctypes.pyd
| MD5 | d603c8bfe4cfc71fe5134d64be2e929b |
| SHA1 | ff27ea58f4f5b11b7eaa1c8884eac658e2e9248b |
| SHA256 | 5ee40bcaab13fa9cf064ecae6fc0da6d236120c06fa41602893f1010efaa52fe |
| SHA512 | fcc0dbfbe402300ae47e1cb2469d1f733a910d573328fe7990d69625e933988ecc21ab22f432945a78995129885f4a9392e1cee224d14e940338046f61abe361 |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\unicodedata.pyd
| MD5 | f86f9b7eb2cb16fb815bb0650d9ef452 |
| SHA1 | b9e217146eb6194fc38923af5208119286c365ad |
| SHA256 | b37d56ad48a70b802fb337d721120d753270dbda0854b1bfb600893fb2ce4e7a |
| SHA512 | 6c448f6d6c069ba950c555529557f678dfd17c748b2279d5eec530d7eb5db193aa1ca18dd3ce9f5220e8681a0e50b00d7de93c6744476c0e1872dafd9d5de775 |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\sqlite3.dll
| MD5 | 08ce33649d6822ff0776ede46cc65650 |
| SHA1 | 941535dabdb62c7ca74c32f791d2f4b263ec7d48 |
| SHA256 | 48f50e8a693f3b1271949d849b9a70c76acaa4c291608d869efe77de1432d595 |
| SHA512 | 8398e54645093e3f169c0b128cbeda3799d905173c9cb9548962ecbaf3d305620f0316c7c3f27077b148b8f6d3f6146b81c53b235f04ac54668dab05b929d52f |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_ssl.pyd
| MD5 | 0d15b2fdfa03be76917723686e77823c |
| SHA1 | efd799a4a5e4f9d15226584dd2ee03956f37bdaf |
| SHA256 | 2fc63abe576c0d5fe031cf7ee0e2f11d9c510c6dbacfc5dd2e79e23da3650ee8 |
| SHA512 | e21ab5ebe8b97243cf32ca9181c311978e203852847e4beb5e6ada487038c37dec18a2b683e11e420e05ace014aca2172b2dda15930bab944053843e25623227 |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_sqlite3.pyd
| MD5 | 230025cf18b0c20c5f4abba63d733ca8 |
| SHA1 | 336248fde1973410a0746599e14485d068771e30 |
| SHA256 | 30a3bc9ed8f36e3065b583d56503b81297f32b4744bff72dcf918407978ce332 |
| SHA512 | 2c4d943c6587d28763cf7c21ad37cc4762674a75c643994b3e8e7c7b20576d5674cf700fdfaddc1a834d9bf034bf2f449d95351c236fde720505ccdd03369bb1 |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_queue.pyd
| MD5 | 4a313dc23f9d0a1f328c74dd5cf3b9ab |
| SHA1 | 494f1f5ead41d41d324c82721ab7ca1d1b72c062 |
| SHA256 | 2163010bfde88a6cc15380516d31955935e243b7ad43558a89380bf5fe86337e |
| SHA512 | 42c712b758b35c0005b3528af586233298c2df4ed9f5133b8469bca9ec421ab151ce63f3929898c73d616cd9707594fa5f96d623fc150e214a4b2276c23c296e |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_socket.pyd
| MD5 | 67897f8c3262aecb8c9f15292dd1e1f0 |
| SHA1 | 74f1ef77dd3265846a504f98f2e2f080eadbf58a |
| SHA256 | ddbfa852e32e20d67a0c3d718ce68e9403c858d5cad44ea6404aff302556aba7 |
| SHA512 | 200b6570db2fbb2eac7f51cae8e16ffb89cd46d13fba94a7729a675f10f4432fc89a256fd6bd804feac528191bd116407fd58a0573487d905fc8fca022c1abba |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_lzma.pyd
| MD5 | 01629284f906c40f480e80104158f31a |
| SHA1 | 6ab85c66956856710f32aed6cdae64a60aea5f0f |
| SHA256 | a201ec286b0233644ae62c6e418588243a3f2a0c5a6f556e0d68b3c747020812 |
| SHA512 | 107a4e857dd78dd92be32911e3a574f861f3425e01ab4b1a7580ac799dc76122ce3165465d24c34ac7fc8f2810547ad72b4d4ba3de76d3d61ed9bf5b92e7f7d4 |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_hashlib.pyd
| MD5 | 32df18692606ce984614c7efda2eec27 |
| SHA1 | 86084e39ab0aadf0ecfb82ce066b7bf14152961e |
| SHA256 | b7c9c540d54ab59c16936e1639c6565cd35a8ca625f31753e57db9cbd0ee0065 |
| SHA512 | 679f8956370edc4dee32475d8440a2d2f9b6dd0edd0e033e49fed7834a35c7ed51ccde0995d19ed0a559a4383b99ae8c11e4e686902db12a2a5e0a3f2c0f4a9d |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_decimal.pyd
| MD5 | 9cef71be6a40bc2387c383c217d158c7 |
| SHA1 | dd6bc79d69fc26e003d23b4e683e3fac21bc29cb |
| SHA256 | 677d9993bb887fef60f6657de6c239086ace7725c68853e7636e2ff4a8f0d009 |
| SHA512 | 90e02054163d44d12c603debdc4213c5a862f609617d78dd29f7fd21a0bae82add4ceaf30024da681c2a65d08a8142c83eb81d8294f1284edfbeeb7d66c371c8 |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_bz2.pyd
| MD5 | 554b7b0d0daca993e22b7d31ed498bc2 |
| SHA1 | ea7f1823e782d08a99b437c665d86fa734fe3fe4 |
| SHA256 | 1db14a217c5279c106b9d55f440ccf19f35ef3a580188353b734e3e39099b13f |
| SHA512 | 4b36097eddd2c1d69ac98c7e98eebe7bb11a5117249ad36a99883732f643e21ecf58e6bea33b70974d600563dc0b0a30bead98bafb72537f8374b3d67979e60a |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\select.pyd
| MD5 | 27703f9a7c7e90e049d5542fb7746988 |
| SHA1 | bc9c6f5271def4cc4e9436efa00f231707c01a55 |
| SHA256 | fcc744cfccc1c47f6f918e66cfc1b73370d2cecdb776984fabb638745ebe3a38 |
| SHA512 | 0875ad48842bbac73e59d4b0b5d7083280bde98336c8856160493cc63f7c3a419f4471f19c8537e5c8515e194c6604f9efa07d9d9af5def2f374406d316436a8 |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\libssl-1_1.dll
| MD5 | ad0a2b4286a43a0ef05f452667e656db |
| SHA1 | a8835ca75768b5756aa2445ca33b16e18ceacb77 |
| SHA256 | 2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1 |
| SHA512 | cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\libcrypto-1_1.dll
| MD5 | bbc1fcb5792f226c82e3e958948cb3c3 |
| SHA1 | 4d25857bcf0651d90725d4fb8db03ccada6540c3 |
| SHA256 | 9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47 |
| SHA512 | 3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\bound.blank
| MD5 | e2ea33ad0d02a26e0ff8808b5d68a447 |
| SHA1 | 677ca033e1629177d581c77c5b803dad5659769c |
| SHA256 | d51f9626fe92c694153b82ca035867b10ed24d0a66d3e6c9eddc4ef659193969 |
| SHA512 | 7fb23bb8dfec21033e35c62eb18379e8934fc079dfc53ffd8f9a9225139c3eeb413116c5202a78fb0478e1ab146e09dcb42812ae1870bcd40f156da7639b654b |
C:\Users\Admin\AppData\Local\Temp\_MEI23882\blank.aes
| MD5 | bdba7b4eeab7225552baa389c0a2bea8 |
| SHA1 | a3525f1065ab07fe3cd6016b8239e54566080720 |
| SHA256 | 300315ce6a2b32e5aad54f1497858bd91132e6544ff46d1941f7ace281d94071 |
| SHA512 | 37762e31b19ce3730e214a3a7935ff1159c3949faa56fb9fcbcd322e34caa09761dcaa50898aaeb0d3b7d923c109634e078bbbc66b669fb4bdbb4ee972bd6972 |
memory/1572-33-0x00007FF818D30000-0x00007FF818D3F000-memory.dmp
memory/1572-32-0x00007FF811410000-0x00007FF811433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI23882\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/1572-56-0x00007FF810D80000-0x00007FF810DAD000-memory.dmp
memory/1572-58-0x00007FF816570000-0x00007FF816589000-memory.dmp
memory/1572-60-0x00007FF810D50000-0x00007FF810D73000-memory.dmp
memory/1572-62-0x00007FF810AB0000-0x00007FF810C20000-memory.dmp
memory/1572-65-0x00007FF813F00000-0x00007FF813F19000-memory.dmp
memory/1572-66-0x00007FF816760000-0x00007FF81676D000-memory.dmp
memory/1572-73-0x00007FF810710000-0x00007FF8107C8000-memory.dmp
memory/1572-72-0x00007FF810D20000-0x00007FF810D4E000-memory.dmp
memory/1572-71-0x00007FF80FF90000-0x00007FF810579000-memory.dmp
memory/1572-74-0x00007FF801800000-0x00007FF801B79000-memory.dmp
memory/1572-76-0x00000193AF0E0000-0x00000193AF459000-memory.dmp
memory/1572-78-0x00007FF813E60000-0x00007FF813E74000-memory.dmp
memory/1572-75-0x00007FF811410000-0x00007FF811433000-memory.dmp
memory/1572-83-0x00007FF80FE70000-0x00007FF80FF8C000-memory.dmp
memory/1572-80-0x00007FF814480000-0x00007FF81448D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bound.exe
| MD5 | 523f4dab1ab2ff7017bc036f47a577e3 |
| SHA1 | c3bcae39908b77689f4fe349bbe429b95ad88549 |
| SHA256 | 4e8e816b8223232b324c97746cb05abc4981e825a6927e6f627bf8ca7363af33 |
| SHA512 | 7580dd993b5ec7d4dfa12a11e69f5c87afa4eb2d8cc47813a4b8a7af16fa5439b30bd9c6eededb881b9e395d824b6315e97150b1b815f6627f6d7b08d2dc3b3b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5sgwqgu.pnr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3032-87-0x000001F4EC4C0000-0x000001F4EC4E2000-memory.dmp
memory/3068-115-0x0000000000970000-0x00000000009CE000-memory.dmp
memory/3068-116-0x00000000058B0000-0x0000000005E54000-memory.dmp
memory/3068-117-0x0000000005300000-0x0000000005392000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
memory/3068-125-0x00000000053A0000-0x0000000005406000-memory.dmp
memory/3068-126-0x00000000061E0000-0x00000000061F2000-memory.dmp
memory/1572-127-0x00007FF810D50000-0x00007FF810D73000-memory.dmp
memory/1572-128-0x00007FF810AB0000-0x00007FF810C20000-memory.dmp
memory/1572-138-0x00007FF810D20000-0x00007FF810D4E000-memory.dmp
memory/1572-144-0x00007FF813F00000-0x00007FF813F19000-memory.dmp
memory/1572-140-0x00007FF801800000-0x00007FF801B79000-memory.dmp
memory/1572-139-0x00007FF810710000-0x00007FF8107C8000-memory.dmp
memory/1572-143-0x00007FF80FE70000-0x00007FF80FF8C000-memory.dmp
memory/1572-129-0x00007FF80FF90000-0x00007FF810579000-memory.dmp
memory/1572-130-0x00007FF811410000-0x00007FF811433000-memory.dmp
memory/3704-145-0x00000239AC130000-0x00000239AC131000-memory.dmp
memory/3704-147-0x00000239AC130000-0x00000239AC131000-memory.dmp
memory/3704-146-0x00000239AC130000-0x00000239AC131000-memory.dmp
memory/3704-157-0x00000239AC130000-0x00000239AC131000-memory.dmp
memory/3704-156-0x00000239AC130000-0x00000239AC131000-memory.dmp
memory/3704-155-0x00000239AC130000-0x00000239AC131000-memory.dmp
memory/3704-154-0x00000239AC130000-0x00000239AC131000-memory.dmp
memory/3704-153-0x00000239AC130000-0x00000239AC131000-memory.dmp
memory/3704-152-0x00000239AC130000-0x00000239AC131000-memory.dmp
memory/3704-151-0x00000239AC130000-0x00000239AC131000-memory.dmp
memory/1572-158-0x00000193AF0E0000-0x00000193AF459000-memory.dmp
memory/1572-159-0x00007FF80FF90000-0x00007FF810579000-memory.dmp
\??\c:\programdata\microsoft\windows\start menu\programs\startup\ .scr
| MD5 | 127d96c8d795e8420ee8e1e178b6dfe9 |
| SHA1 | e8db8d8577ac74a60de1afb5350b63fa8e49d045 |
| SHA256 | 2ecbcb10d1027d3c8b3288d6d73010163631e3f578fe0d3ab996400dd9474e06 |
| SHA512 | f98eb6fdb763b0ab062a4a3f1d2a17fade1fd8e937bbd34f2c3fed8bd50de1dae57f75c0c67b533b09d6e86cf35fcc0bf8a6755103f0a76dcc7ea63f315acbe1 |
memory/3068-189-0x0000000006CD0000-0x0000000006CDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jUa67jtDM2qz.bat
| MD5 | 63a07d435cab744047c51e9b2f1f1f5e |
| SHA1 | 30f27781597d408323632dfcaa788ea30b9cf75c |
| SHA256 | e7ae4ae4f38c387d73aec2e43a1bf8b94e9ad0d79b58e430de1fd59a3c58ec9d |
| SHA512 | eb46bfacd92613a458e13fe7e4382cf22242153b58c8bcb8b842f56626182e3ed842d8fbad031be9580a455fcccdd4d73043cd35f6c81e066cb71b90d66d184b |
memory/1572-194-0x00007FF80FF90000-0x00007FF810579000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | b18719ff46d7d31ba9c047d7229b7b09 |
| SHA1 | 83d7bbe334197e6434805e965b8a47eb279e7990 |
| SHA256 | 4525777171352961bdd8d6a55ea5d2859e7acdc7ba4716dea9e33c869a10c134 |
| SHA512 | 91e9607b27267d07142a6140e2e35d6b4b3a0be9c5f0f87601df28f69a10cd0a84207f47d67473f98ba446edd8cb9791e8443622b379da04d5790ae74c9e5697 |
C:\Users\Admin\AppData\Local\Temp\0IIdjYbLYUgI.bat
| MD5 | 7ac7650614de72c7ec371bfa7ee6abbf |
| SHA1 | b05e0cdbf1010435ee7ccac3fa74de3ef57500e9 |
| SHA256 | 4a71b44b61ccacedcfa6ee50777641f7cd29f45c43333019ce920cac99b71e19 |
| SHA512 | d5ebca00eab11a28a720b7a3e3f66e50fb1791645f57742bd930b50ffba2da34115b84e624db4825d69f954748843c5539b741d707a6f1852b0165bc74b606dd |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 9c291e91927594e09ba44938b91b0029 |
| SHA1 | 4bf3c8fd934b0f4fe1e77f4fa1b9ad0dbcaa8908 |
| SHA256 | b01bac284b2404ae9d9de963d3c9f363fe7b233bcbfdbea544d459fd8b1acaef |
| SHA512 | 99977438b6cea4ba01f6938ec4f484072cb8fbef3b7ad4bcb458efc076df55b608428413a6d06c65ba58ee100848cf6ef3fcfe8243e57ea4cb83489731128d4d |
C:\Users\Admin\AppData\Local\Temp\uDULYFO0J4bf.bat
| MD5 | 16a19964b44db151a728799402ffc373 |
| SHA1 | 8c4cd2a37538c76fdbc6c6fa80adada27f3fc8f3 |
| SHA256 | 2109399b5c378e97d306706c63e1337e87e6f7a2f7e5f1664f88a718d6fa8e32 |
| SHA512 | 88631eb81367c5d9d7ec868d8717c5c04199b05ea697c760dd754d1baac19064b523a312951cfc762afa4579cafe60e14e0021f5a46d804e2db09fe85b62c622 |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 61b906075aa8ef37d92e7e8f23099745 |
| SHA1 | cfd9623686b27a7c612b7b1ce802d1db15b2bb72 |
| SHA256 | 23d20f80edfa2f51d8f70255a1561b2265f8973f6eaa8156919a0fd37f8a8357 |
| SHA512 | d115565c1458a6fb1572cf56a27bbdfea2650142a55dc6a8345eab6caf78c8766e5f6f26e44431fa9c94147dc8d6ad611eed7c085cda5a77240db4e1723f6efb |
C:\Users\Admin\AppData\Local\Temp\iIOzMbbUU0Gf.bat
| MD5 | 6abae4f912618b8f9dac6ab969db7fea |
| SHA1 | 2b9affd9c7afc8f69be829995d14841efc03a87e |
| SHA256 | 4db76ee177a02916d58322d10f728f63fa75ac240d5bb0b3cc8676627ce6962b |
| SHA512 | 78ceec42a792984b4d8de880883daafc6f3644917b9a5c79d36cdc13d2c0a19939995d0cadfbbdc3726e9f511359671e01b92c89590efb09c7080a7916402760 |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | e0a3e9e1300132a262e64788535773e6 |
| SHA1 | 7b075ffdc79b6fc4f774505b91c50976e2bedcec |
| SHA256 | a5c6e393f9bd83ed41640b8f8f2d823af04ba98e9e550f71f3f927843dab1357 |
| SHA512 | a641cbda603fd8611fe7465b80e9a946fdd6efa332f8965dcfbaac96cc3eeee748b48a24ddae4f2ea4a480bec0fdb90982c72fa324054da9e92d15bec1f1c20b |
C:\Users\Admin\AppData\Local\Temp\MqFIKuBzffvn.bat
| MD5 | e30af9a88f43805f7eeb09c14728cb09 |
| SHA1 | 10e8864754aecae64d0a348177bc40b10c92e374 |
| SHA256 | 0b431f64114015f365d7bf373144cd777e51701d9d1e023dc03d361115167b7a |
| SHA512 | e2dcec08ab5f82b3a8a421edf1cfb8235066cc2fb88c67ef8d025eb6a0906a10948de20d79b615558e5a73ba3180f30e73927422378f1de8fc61fce71953762c |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | fac68d06a45a4257fbab3372ff33d1e6 |
| SHA1 | 28f9de13723999371c73ff2c308dba533264ca51 |
| SHA256 | d02f9d2771c7c5cf3a3694a4166e02d7587f4d81dea9cf0b49bb27bbba70169b |
| SHA512 | 4c0786d44809192abf537d6f490e3b9f137053540e816ae95c047d8df78ef7464edbf567f5ac31b678f84d32cb659103e71f7c0f7acf9c4f68179438afd8cc69 |
C:\Users\Admin\AppData\Local\Temp\Q5NnnJn6cjlU.bat
| MD5 | 750646fee73b3bdebef3b0c62fd624ac |
| SHA1 | b43ec7a621ba74bcdf91fc4b228717d35d67573e |
| SHA256 | 051c538ff29b69748f1bad5b729bbdaecd1b8daf3e56a0326ec27c24755c41cb |
| SHA512 | 345598d23d2811000c18f1a5ad1b5db5818921302561a6817865e1bfaf295dae944c83db0a6235d205d4b6ef4480b0913500a04d957067cf947295eb84390c25 |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 56436379c01473512724f0d88753ea73 |
| SHA1 | 8b3d58f103c246660cfa9ed010f230b9bc22cc75 |
| SHA256 | 6d0325c2a63d79fd2be3180ae0f6d32675fbea05f03ff471f7e5bb162be14a7b |
| SHA512 | df19cd131fdf5a90fbe6b2966f27d95512f52c6da6eacd9eef9179955233fb6ac6d5600d94b51e44bafe756a3d144b64ca96d98bd8466d82904e8d7284febb58 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-27 21:25
Reported
2024-06-27 21:46
Platform
win10v2004-20240611-en
Max time kernel
1180s
Max time network
1192s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mciavi32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-27 21:25
Reported
2024-06-27 21:46
Platform
win10v2004-20240508-en
Max time kernel
1166s
Max time network
1168s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\spwizimg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |