Analysis Overview
SHA256
4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43
Threat Level: Known bad
The file 4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Quasar RAT
Quasar family
Amadey
Modifies firewall policy service
Windows security bypass
Phorphiex payload
Asyncrat family
Detect Xworm Payload
Quasar payload
Njrat family
Xworm family
Modifies security service
Phorphiex family
AsyncRat
Amadey family
Cryptbot family
Modifies Windows Defender Real-time Protection settings
CryptBot
njRAT/Bladabindi
Phorphiex, Phorpiex
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Downloads MZ/PE file
Drops startup file
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Checks BIOS information in registry
Identifies Wine through registry keys
Windows security modification
Reads data files stored by FTP clients
Loads dropped DLL
Checks computer location settings
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks installed software on the system
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Suspicious use of SetThreadContext
Drops autorun.inf file
Enumerates processes with tasklist
Drops file in System32 directory
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Program crash
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Gathers network information
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Enumerates system info in registry
System policy modification
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 19:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 19:44
Reported
2024-11-17 19:47
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
AsyncRat
Asyncrat family
CryptBot
Cryptbot family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\seetrol\client\SeetrolClient.exe = "C:\\Program Files (x86)\\seetrol\\client\\SeetrolClient.exe:*:Enabled:SeetrolClient" | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\sysarddrvs.exe | N/A |
Njrat family
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysarddrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysarddrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysarddrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysarddrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysarddrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysarddrvs.exe | N/A |
Xworm
Xworm family
njRAT/Bladabindi
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Stops running service(s)
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysarddrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysarddrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysarddrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysarddrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysarddrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysarddrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\sysarddrvs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe" | C:\Users\Admin\AppData\Local\Temp\Files\11.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Local\\Google Chrome.exe" | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysklnorbcv.exe" | C:\Users\Admin\AppData\Local\Temp\Files\1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\4a87b5397a2736773782f50e108b2da4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\" .." | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4a87b5397a2736773782f50e108b2da4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\" .." | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Files\client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\curlapp64 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\curlapp64.exe" | C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| File created | D:\autorun.inf | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2100 set thread context of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\meta.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\seetrol\client\105\x86\dfmirage.sys | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\068\dfmirage.dll | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\105\dfmirage.cat | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\sthooks.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\STUpdate.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\mdph.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\SeetrolClient.cfg | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\Install.cmd | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\068\dfmirage.cat | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\105\x64\dfmirage.dll | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\105\x86\dfmirage.dll | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\sas.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\MirrInst32.exe | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\068\dfmirage.sys | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\105\x64\dfmirage.sys | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\Uninstall.cmd | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\068\dfmirage.inf | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\STClientChat.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\SeetrolMyService.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\dtph.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\MirrInst64.exe | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\105\dfmirage.inf | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe | N/A |
| File created | C:\Windows\sysarddrvs.exe | C:\Users\Admin\AppData\Local\Temp\Files\11.exe | N/A |
| File opened for modification | C:\Windows\sysarddrvs.exe | C:\Users\Admin\AppData\Local\Temp\Files\11.exe | N/A |
| File created | C:\Windows\sysklnorbcv.exe | C:\Users\Admin\AppData\Local\Temp\Files\1.exe | N/A |
| File opened for modification | C:\Windows\sysklnorbcv.exe | C:\Users\Admin\AppData\Local\Temp\Files\1.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\444.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\seo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysklnorbcv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\419591\Predicted.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysarddrvs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\11.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\419591\Predicted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\419591\Predicted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\419591\Predicted.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\419591\Predicted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\419591\Predicted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\419591\Predicted.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1" | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
"C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe"
C:\Users\Admin\AppData\Local\Temp\Files\444.exe
"C:\Users\Admin\AppData\Local\Temp\Files\444.exe"
C:\Users\Admin\AppData\Roaming\conhost.exe
"C:\Users\Admin\AppData\Roaming\conhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\conhost.exe" "conhost.exe" ENABLE
C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe"
C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\Files\client.exe
"C:\Users\Admin\AppData\Local\Temp\Files\client.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
"C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
C:\Users\Admin\AppData\Local\Temp\Files\game.exe
"C:\Users\Admin\AppData\Local\Temp\Files\game.exe"
C:\Users\Admin\AppData\Local\Temp\Files\meta.exe
"C:\Users\Admin\AppData\Local\Temp\Files\meta.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe"
C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
C:\Windows\system32\cmd.exe
cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
C:\Windows\system32\cmd.exe
cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
C:\Windows\system32\timeout.exe
timeout /t 10 /nobreak
C:\Users\Admin\AppData\Local\Temp\Files\11.exe
"C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
C:\Windows\sysarddrvs.exe
C:\Windows\sysarddrvs.exe
C:\Users\Admin\AppData\Local\Temp\Files\w.exe
"C:\Users\Admin\AppData\Local\Temp\Files\w.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
C:\Windows\SysWOW64\sc.exe
sc stop UsoSvc
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\sc.exe
sc stop WaaSMedicSvc
C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Google Chrome.exe'
C:\Windows\SysWOW64\sc.exe
sc stop DoSvc
C:\Windows\SysWOW64\sc.exe
sc stop BITS
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
C:\Users\Admin\AppData\Local\Temp\Files\seo.exe
"C:\Users\Admin\AppData\Local\Temp\Files\seo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Vote Vote.cmd & Vote.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Users\Admin\AppData\Local\Temp\Files\1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\1.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 419591
C:\Windows\SysWOW64\findstr.exe
findstr /V "SAVEDBEDFLESHPROVIDED" Waves
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Poll + ..\Memorabilia + ..\Kenny + ..\Rick + ..\Britannica + ..\Circuits J
C:\Users\Admin\AppData\Local\Temp\419591\Predicted.pif
Predicted.pif J
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Google Chrome" /tr "C:\Users\Admin\AppData\Local\Google Chrome.exe"
C:\Windows\sysklnorbcv.exe
C:\Windows\sysklnorbcv.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\sc.exe
sc stop UsoSvc
C:\Windows\SysWOW64\sc.exe
sc stop WaaSMedicSvc
C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
C:\Windows\SysWOW64\sc.exe
sc stop DoSvc
C:\Windows\SysWOW64\sc.exe
sc stop BITS
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| CN | 183.57.21.131:8095 | N/A | tcp |
| US | 8.8.8.8:53 | documents-elegant.at.ply.gg | udp |
| US | 209.25.141.194:54835 | documents-elegant.at.ply.gg | tcp |
| RU | 185.215.113.217:80 | 185.215.113.217 | tcp |
| US | 8.8.8.8:53 | www.xn--on3b15m2lco2u.com | udp |
| KR | 221.139.49.8:80 | www.xn--on3b15m2lco2u.com | tcp |
| PL | 45.80.158.31:80 | N/A | tcp |
| PL | 45.80.158.31:80 | N/A | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| VN | 103.110.33.188:80 | 103.110.33.188 | tcp |
| US | 8.8.8.8:53 | www.seetrol.com | udp |
| KR | 139.150.75.206:80 | www.seetrol.com | tcp |
| US | 8.8.8.8:53 | documents-elegant.at.ply.gg | udp |
| US | 209.25.141.194:54835 | documents-elegant.at.ply.gg | tcp |
| PL | 45.80.158.31:80 | N/A | tcp |
| PL | 45.80.158.31:80 | N/A | tcp |
| US | 209.25.141.194:54835 | documents-elegant.at.ply.gg | tcp |
| PL | 45.80.158.31:80 | N/A | tcp |
| PL | 45.80.158.31:80 | N/A | tcp |
| US | 209.25.141.194:54835 | documents-elegant.at.ply.gg | tcp |
| PL | 45.80.158.31:80 | N/A | tcp |
| NL | 45.89.247.19:80 | N/A | tcp |
| PL | 45.80.158.31:80 | N/A | tcp |
| PL | 45.80.158.31:80 | N/A | tcp |
| US | 209.25.141.194:54835 | documents-elegant.at.ply.gg | tcp |
| US | 8.8.8.8:53 | www.sumiyuki.co.jp | udp |
| JP | 103.14.15.37:443 | www.sumiyuki.co.jp | tcp |
| NL | 45.89.247.19:80 | N/A | tcp |
| US | 8.8.8.8:53 | aeufoeahfouefhg.top | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| RU | 185.215.113.66:80 | aeufoeahfouefhg.top | tcp |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:49529 | N/A | tcp |
| US | 8.8.8.8:53 | upload.vina-host.com | udp |
| VN | 125.212.220.95:443 | upload.vina-host.com | tcp |
| PL | 45.80.158.31:80 | N/A | tcp |
| TR | 217.195.195.46:1604 | N/A | tcp |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | unvdwl.com | udp |
| NL | 45.94.31.128:80 | unvdwl.com | tcp |
| US | 8.8.8.8:53 | VBSJYFEwZnGfeqPJmZz.VBSJYFEwZnGfeqPJmZz | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| RU | 185.215.113.66:80 | aeufoeahfouefhg.top | tcp |
| RU | 185.215.113.66:80 | aeufoeahfouefhg.top | tcp |
| N/A | 127.0.0.1:49682 | N/A | tcp |
| N/A | 127.0.0.1:49686 | N/A | tcp |
| TR | 217.195.195.46:1604 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-17 19:44
Reported: 2024-11-17 19:47
Platform: win10v2004-20241007-en
Max time kernel: 147s
Max time network: 152s
Command Line
Signatures
Detect Xworm Payload
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
Quasar RAT
Quasar family
Quasar payload
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\document.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\document.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\document.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\12.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\MePaxil.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\document.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\Files\document.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\Files\document.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Files\document.exe | N/A |
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yjlwuuys = "C:\\Users\\Admin\\AppData\\Roaming\\Yjlwuuys.exe" | C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\AppData\Local\Temp\Files\document.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" | C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\Windows.exe" | C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\???-LDKG91 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\taskhost.exe\"" | C:\Windows\SysWOW64\clip.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OneDrive = "\"C:\\ProgramData\\OneDrive\\OneDrive.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\bildnewl.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\document.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2332 set thread context of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe | C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe |
| PID 3284 set thread context of 3312 | N/A | C:\ProgramData\rtdmxlb\frdp.exe | C:\ProgramData\rtdmxlb\frdp.exe |
| PID 6000 set thread context of 1532 | N/A | C:\ProgramData\rtdmxlb\frdp.exe | C:\ProgramData\rtdmxlb\frdp.exe |
| PID 5984 set thread context of 6132 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe | C:\Windows\SysWOW64\clip.exe |
| PID 4940 set thread context of 5296 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\golden.exe | C:\Users\Admin\AppData\Local\Temp\Files\golden.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe | N/A |
| File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe | N/A |
| File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe | N/A |
| File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Files\12.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\clip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\golden.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\rtdmxlb\frdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\543648\Legend.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\j86piuq9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\MePaxil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\System32\taskhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\document.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\rtdmxlb\frdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\golden.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\ConsoleApp3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\dos.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Files\dos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\12.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Files\12.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Files\dos.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Files\dos.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\document.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543648\Legend.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543648\Legend.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543648\Legend.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543648\Legend.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543648\Legend.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543648\Legend.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\document.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
"C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc …
C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe"
C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe
"C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe"
C:\Users\Admin\AppData\Local\Temp\Files\document.exe
"C:\Users\Admin\AppData\Local\Temp\Files\document.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\document.exe'
C:\ProgramData\rtdmxlb\frdp.exe
C:\ProgramData\rtdmxlb\frdp.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'document.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\ProgramData\rtdmxlb\frdp.exe
"C:\ProgramData\rtdmxlb\frdp.exe"
C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'freedom.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows.exe'
C:\Users\Admin\AppData\Local\Temp\Files\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Autoupdate.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.exe'
C:\Users\Admin\AppData\Local\Temp\Files\dos.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dos.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\Admin\Windows.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-c
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c gi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <p> <a href="https://www.cloudflare.com/learning/acce
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c ss-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="XR5LB6NlrBnF3cfMXhhsna4KY88E.eg0r.WDPtkmltA-1731872796-0.0.1.1-/json.php?token=ewogICJjcHVDb3JlcyI6ICI4IiwKICAidG90YWxNZW1vcnkiOiAiODE5MiBNQiIsCiAgInBsYXRmb3JtIjogIldpbmRvd3MiLAogICJhcmNoIjogIng2NCIsCiAgIm1vZGVsIjogIkdZSEFTT0xTIiwKICAib3NWZXJzaW9uIjogIk1pY3Jvc29mdCBXaW5kb3dzIDEwIiwKICAicHJvY2Vzc29yTmFtZSI6ICJJbnRlbCBDb3JlIFByb2Nlc3NvciAoQnJvYWR3ZWxsKSIsCiAgInN5c3RlbU1vZGVsIjogIlVua25vd24gTW9kZWwiLAogICJjb25maWd1cmF0aW9uIjogIjMiLAogICJ0b2tlbiI6ICJZb3VyX1NlY3JldF9Ub2tlbiIKfQ=="> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c -1">Cloudflare Ray ID: <strong class="font-semibold">8e423a52cbf2ed0c</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">181.215.176.83</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div><!-- /.error-footer --> </div><!-- /#cf-error-details --> </div><!-- /#cf-wrapper --> <script> window._cf_translation = {}; </script> </body> </html>
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\ProgramData\rtdmxlb\frdp.exe
C:\ProgramData\rtdmxlb\frdp.exe
C:\Users\Admin\Windows.exe
C:\Users\Admin\Windows.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\j86piuq9.exe
"C:\Users\Admin\AppData\Local\Temp\Files\j86piuq9.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\12.exe
"C:\Users\Admin\AppData\Local\Temp\Files\12.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\ProgramData\rtdmxlb\frdp.exe
"C:\ProgramData\rtdmxlb\frdp.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\12.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5180 -ip 5180
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 1472
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\MePaxil.exe
"C:\Users\Admin\AppData\Local\Temp\Files\MePaxil.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Offensive Offensive.cmd & Offensive.cmd & exit
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SysWOW64\clip.exe
"C:\Windows\SysWOW64\clip.exe"
C:\Users\Admin\AppData\Roaming\System32\taskhost.exe
"C:\Users\Admin\AppData\Roaming\System32\taskhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\golden.exe
"C:\Users\Admin\AppData\Local\Temp\Files\golden.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\golden.exe
"C:\Users\Admin\AppData\Local\Temp\Files\golden.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 543648
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SysWOW64\findstr.exe
findstr /V "BiddingVeRoutinesFilms" Bowling
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Suzuki + ..\Major + ..\Tit + ..\Adjust + ..\Invest + ..\Severe + ..\Sony + ..\Prefers E
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\543648\Legend.pif
Legend.pif E
C:\Windows\SysWOW64\choice.exe
choice /d y /t 15
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Keyboard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\ThreatGuard Innovations\ScanGuard.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "ScanGuard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\ThreatGuard Innovations\ScanGuard.js'" /sc onlogon /F /RL HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Keyboard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\ThreatGuard Innovations\ScanGuard.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\random.exe
"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\88aext0k.exe
"C:\Users\Admin\AppData\Local\Temp\Files\88aext0k.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\bildnewl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bildnewl.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ConsoleApp3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ConsoleApp3.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\discord.exe
"C:\Users\Admin\AppData\Local\Temp\Files\discord.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Windows\System32\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 49.66.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| CN | 121.40.69.150:8888 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| CN | 183.57.21.131:8095 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| US | 8.8.8.8:53 | 12.244.41.31.in-addr.arpa | udp |
| CN | 183.57.21.131:8095 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| VN | 103.167.89.125:80 | 103.167.89.125 | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.89.167.103.in-addr.arpa | udp |
| US | 69.160.242.105:4782 | | tcp |
| BG | 87.120.112.33:8398 | | tcp |
| US | 8.8.8.8:53 | 33.112.120.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| RU | 185.215.113.217:80 | 185.215.113.217 | tcp |
| US | 8.8.8.8:53 | 217.113.215.185.in-addr.arpa | udp |
| CN | 117.72.70.169:80 | | tcp |
| US | 8.8.8.8:53 | wlnrar.shop | udp |
| US | 172.67.177.42:443 | wlnrar.shop | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.177.67.172.in-addr.arpa | udp |
| VN | 103.167.89.125:80 | 103.167.89.125 | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exonic-hacks.com | udp |
| US | 69.160.242.105:11066 | | tcp |
| US | 69.160.242.105:4782 | | tcp |
| NL | 45.88.76.207:80 | 45.88.76.207 | tcp |
| US | 8.8.8.8:53 | 207.76.88.45.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | seallysl.site | udp |
| US | 8.8.8.8:53 | opposezmny.site | udp |
| US | 8.8.8.8:53 | goalyfeastz.site | udp |
| US | 8.8.8.8:53 | contemteny.site | udp |
| US | 8.8.8.8:53 | dilemmadu.site | udp |
| US | 8.8.8.8:53 | faulteyotk.site | udp |
| US | 8.8.8.8:53 | authorisev.site | udp |
| US | 8.8.8.8:53 | servicedny.site | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | marshal-zhukov.com | udp |
| US | 104.21.82.174:443 | marshal-zhukov.com | tcp |
| US | 8.8.8.8:53 | YxqOyNKhQCB.YxqOyNKhQCB | udp |
| US | 8.8.8.8:53 | 174.82.21.104.in-addr.arpa | udp |
| CN | 112.235.132.55:80 | | tcp |
| US | 8.8.8.8:53 | chat.openai.com | udp |
| US | 8.8.8.8:53 | tmpfiles.org | udp |
| US | 104.18.37.228:80 | chat.openai.com | tcp |
| US | 172.67.195.247:443 | tmpfiles.org | tcp |
| DE | 84.129.60.144:80 | | tcp |
| KR | 27.102.130.160:801 | 27.102.130.160 | tcp |
| US | 8.8.8.8:53 | 228.37.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.130.102.27.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe
| MD5 | cee58644e824d57927fe73be837b1418 |
| SHA1 | 698d1a11ab58852be004fd4668a6f25371621976 |
| SHA256 | 4235c78ffaf12c4e584666da54cfc5dc56412235f5a2d313dcac07d1314dd52e |
| SHA512 | ab9e9083ed107b5600f802ec66dab71f1064377749b6c874f8ce6e9ce5b2718a1dc45372b883943a8eae99378d1151ce15983d4c9be67d559cd72b28b9f55fb5 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_raxl2tp3.c1j.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3972-1122-0x0000000006100000-0x0000000006454000-memory.dmp
memory/3972-1123-0x00000000066A0000-0x00000000066BE000-memory.dmp
memory/3972-1124-0x00000000066D0000-0x000000000671C000-memory.dmp
memory/3972-1125-0x0000000006CA0000-0x0000000006CD2000-memory.dmp
memory/3972-1126-0x000000006F550000-0x000000006F59C000-memory.dmp
memory/3972-1136-0x0000000006C50000-0x0000000006C6E000-memory.dmp
memory/3972-1137-0x00000000078E0000-0x0000000007983000-memory.dmp
memory/3972-1138-0x0000000008010000-0x000000000868A000-memory.dmp
memory/3972-1139-0x00000000079D0000-0x00000000079EA000-memory.dmp
memory/3972-1140-0x0000000007A40000-0x0000000007A4A000-memory.dmp
memory/3972-1141-0x0000000007C50000-0x0000000007CE6000-memory.dmp
memory/3972-1142-0x0000000007BD0000-0x0000000007BE1000-memory.dmp
memory/3972-1143-0x0000000007C00000-0x0000000007C0E000-memory.dmp
memory/3972-1144-0x0000000007C10000-0x0000000007C24000-memory.dmp
memory/3972-1145-0x0000000007D10000-0x0000000007D2A000-memory.dmp
memory/3972-1146-0x0000000007CF0000-0x0000000007CF8000-memory.dmp
memory/3972-1149-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/2332-1150-0x00000000067B0000-0x0000000006D54000-memory.dmp
memory/2332-1151-0x0000000005470000-0x00000000054C4000-memory.dmp
memory/2332-1157-0x00000000744D0000-0x0000000074C80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe
| MD5 | db5717fd494495eea3c8f7d4ab29d6b0 |
| SHA1 | 39ba82340121d9b08e9cf3d4ba6dfcb12eb6c559 |
| SHA256 | 6b59309ab12f1859a94fb2ce1c98639b2a538e6e098ffac127e45c29733bd993 |
| SHA512 | b16c7bffc8418a0349e5189d61439df325d2ab33a42c720380a305decde00348f83d96b6c263a95dc253128eb0e47b1a3dc96f8f115da868ff9227b9a40882de |
memory/3360-1171-0x00000000003E0000-0x00000000003FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\document.exe
| MD5 | 1a76cd545f61ab6f965ae5993b17ce2f |
| SHA1 | 900c219ab0607cec8bbf66db64c66e73272060e4 |
| SHA256 | 44f611726336cec3fa65ba287bf135af2cd43c6441ead65ce4a54c154ea80f90 |
| SHA512 | 78515c77b7d93f23203269771a2f75a47910070c3173516e541c6c566f8e016eb96d53cbf4850b5ba5d33c81d59f99f47400e2fffe0c479ef5e77532731993c9 |
memory/4784-1183-0x0000000000660000-0x0000000000AE6000-memory.dmp
memory/4784-1184-0x0000000000660000-0x0000000000AE6000-memory.dmp
memory/4784-1185-0x0000000000660000-0x0000000000AE6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/3908-1196-0x0000000005F20000-0x0000000006274000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 200581450bac64a79cb1f832556f478d |
| SHA1 | eea290ec114604e4004168a8e4c4610b3b88073b |
| SHA256 | 11d5ed23304ac1f164c63592209113f57e187c6a6043d677e0de95630f4025ed |
| SHA512 | a78a826dae9d5e48e7a153ef27edba1af13765e08c23873e21d9cb3427275afc7e7e2233653f5b003cb229d53c956ba97c14f877444c56d0ad59b1d3dbd13a17 |
memory/3908-1198-0x0000000006A30000-0x0000000006A7C000-memory.dmp
memory/3908-1773-0x000000006F0F0000-0x000000006F13C000-memory.dmp
memory/3908-1903-0x0000000007740000-0x00000000077E3000-memory.dmp
memory/3908-2287-0x0000000007A10000-0x0000000007A21000-memory.dmp
memory/3908-2288-0x0000000007A40000-0x0000000007A54000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6c44d3bf9a7f6123dcec1e266d638a3b |
| SHA1 | 98b6075c639e0a6e6ec724440bbe14947f1f817c |
| SHA256 | ba2c826363808e37cde8a0c2c26d86f2003d6ca78baaf7e3398efcaa462e1a93 |
| SHA512 | c62200a07aae516abaf805cc4df22cc0b7f58a6921fbc93ee38835582a21617bcf11612eeaa87b59961d2ddff5974d3dc354774e9312bffd072318ce1e47ece4 |
memory/2564-2300-0x000000006F0F0000-0x000000006F13C000-memory.dmp
memory/4784-2311-0x0000000000660000-0x0000000000AE6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 94492fb9f7a57a18011f8999294505bd |
| SHA1 | a67251c293ae4af190460ec67446b8fa1d050c10 |
| SHA256 | b36d62933ee0663b0d6457f889c71d48fb37ae7d6d2ad28ccfa6e7850457207e |
| SHA512 | 1b92001988b288e1dfa3e30e63bb85776c91e271a37cc5d2cbd58ab7e06cbd2fbab7adcfa565e12638ce4102245015c04809082f26c709dc50dfb64cd6ac2032 |
memory/2648-2323-0x000000006F0F0000-0x000000006F13C000-memory.dmp
memory/5296-2343-0x0000000005810000-0x0000000005B64000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c8f45f04e5476d60270ebe845aed366b |
| SHA1 | a99d2c6785447e5a13658535dc2037b7262bf09f |
| SHA256 | 3811d328d18811742cde5b3c26958f699b206b69ff18ea221bcb74cb616cb927 |
| SHA512 | b729459819a626cd77fefdbe275d5bdb95063631851d93399d44fb21916aedacbfd21214867f25b5e9a572c16ca52435597e861c222a54e9f7a8413e60809e9c |
memory/5296-2345-0x000000006F0F0000-0x000000006F13C000-memory.dmp
memory/4784-2357-0x0000000008E50000-0x0000000008EE2000-memory.dmp
memory/4784-2358-0x00000000087F0000-0x00000000087FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe
| MD5 | 13f4b868603cf0dd6c32702d1bd858c9 |
| SHA1 | a595ab75e134f5616679be5f11deefdfaae1de15 |
| SHA256 | cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7 |
| SHA512 | e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24 |
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
| MD5 | 05aa0a6d16f1dabf72b4c880a5d357d0 |
| SHA1 | 4a3ebaa010ba5306cd09c07eb26bbe99ff46496f |
| SHA256 | fdba9e9d51c62d59de744a179a50ce9f5838af549f30f5b87c8175dace024fee |
| SHA512 | 931a147bf27a8a14db99b8f6480dddfa2bd1e0b4aaa59092552ef93e9f93adddbcb71d7d9c7a1f45f7854e32d16555dc7f3be701a2df9578a9e99349e972758a |
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
| MD5 | f33a4e991a11baf336a2324f700d874d |
| SHA1 | 9da1891a164f2fc0a88d0de1ba397585b455b0f4 |
| SHA256 | a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7 |
| SHA512 | edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20 |
memory/5300-2406-0x0000000000200000-0x0000000000284000-memory.dmp
memory/5552-2419-0x000001ED94150000-0x000001ED9417E000-memory.dmp
memory/6072-2425-0x000000001C000000-0x000000001C050000-memory.dmp
memory/6072-2426-0x000000001C110000-0x000000001C1C2000-memory.dmp
memory/1124-2428-0x000001D179870000-0x000001D179892000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bdba0240f6acea2968360ac61b23c051 |
| SHA1 | 21528945a7edfcee0af4bf755e8a3f9e7e3d2d69 |
| SHA256 | e4de8a064cd1bab871c7e50705510494e35d0aaf914c0202c9b76a90c65fae4b |
| SHA512 | f05c94087777ac1909bb6aee49f18a82d5c557ac07d6681045e60729d9f8e6599bc7d8310ab125342376868850b6d9ca5bd16988ddb1fb2cd2db044099b08aec |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9b80cd7a712469a4c45fec564313d9eb |
| SHA1 | 6125c01bc10d204ca36ad1110afe714678655f2d |
| SHA256 | 5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d |
| SHA512 | ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8cb3e9459807e35f02130fad3f9860d |
| SHA1 | 5af7f32cb8a30e850892b15e9164030a041f4bd6 |
| SHA256 | 2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68 |
| SHA512 | 045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184 |
C:\Users\Admin\AppData\Local\Temp\Files\Autoupdate.exe
| MD5 | 3042ed65ba02e9446143476575115f99 |
| SHA1 | 283742fd4ada6d03dec9454fbe740569111eaaaa |
| SHA256 | 48f456ecc6360511504e7c3021d968ad647226115e9a5b2eb3aa5f21e539dca9 |
| SHA512 | c847a171dad32dfb4acee102300a770500a18af5e086b61c348305d1d81af7525d7d62ca5b88c7c298884ad408137c5d9c2efb1e8294b29084fd8b5dd6b4ee3c |
memory/336-2486-0x000000001BDB0000-0x000000001C27E000-memory.dmp
memory/336-2487-0x000000001B780000-0x000000001B81C000-memory.dmp
memory/336-2489-0x0000000001000000-0x0000000001008000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\dos.exe
| MD5 | a2163bf270762a1deec37145f2ef5267 |
| SHA1 | b6082a92aeea2d0687f21c42f2c7032db900ce8e |
| SHA256 | e0d09374471bb956744258603669a06473cc5920b6096928ac345c640d089403 |
| SHA512 | 03a06efc6289688fcca8a1f832c84823d26b329b753a8d67656effb18d24422a34aca876232f36e44f50599df295ea2064f42df26d390f4d41456b9d5535bef9 |
memory/336-2506-0x0000000001180000-0x0000000001190000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\j86piuq9.exe
| MD5 | 06283d3cde5addad32a1ad13cfc125a8 |
| SHA1 | 6a271f81f09c66dfb3618d304b34a7335a9d0584 |
| SHA256 | 1ed77857300416e4e4ea9177637598e7000bf53ba8c4194aec4ccc61ea29106f |
| SHA512 | 260ac791f05b69a3f0d08abdceb31346652a8250e11e750452869955f60125decedcdd765eecd72a696d60809db4d1281a7facdd05eac761ca8aa11e0c6a0268 |
C:\Users\Admin\AppData\Local\Temp\Files\12.exe
| MD5 | b38d20c6267b77ca35a55e11fb4124b7 |
| SHA1 | bf17ad961951698789fa867d2e07099df34cdc7d |
| SHA256 | 92281aaffbb198760aacd304df932fd58ba230d0927839d85db71dc7ae6f7d71 |
| SHA512 | 17fc8504582edc41db8b62ca1e5238427ddea19b24d2efceb7c765903b8395b3276e4f4dc9df55c60a77b47e0d09491e16dbda18e82a4d6bfa6ed7cad5b8947e |
C:\Users\Admin\AppData\Local\Temp\Files\MePaxil.exe
| MD5 | bbe6311c3e2fab459f729dc8cd6e3519 |
| SHA1 | b71993aafd6627e55657819826c67f64f764c77f |
| SHA256 | 95fb9ca82017f2a6bc59df0d72fc6f90043e135799d25e9922d4943da4c36874 |
| SHA512 | 33fb4936db966d0f285a48b09700716eadcdc19212c3e234f34dc0e497e55f01f493956aa86de438a3c65ba8e112d6ee1f3cd0ff9aee3cda1f686cc68dc77a47 |
C:\Users\Admin\AppData\Local\Temp\Offensive
| MD5 | ba741ea1fd350411ba286e3807deb915 |
| SHA1 | 885f5b96f704a4e5fbefbb6c8b82274ead6ffeb0 |
| SHA256 | adcf5ed9c2a1ab99e0e91306fa3e2d828902c989046d7cff497a4b864ffac5f3 |
| SHA512 | e4f9ea218752cfe4f8a4241c7bfa8d87f2fb0fcc1c5ca679105f42a4c1bb9c692b70cea3e60cfb50cc24af2eefc2bfe80bfecd54cbcec51ef523199251efaf9b |
C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe
| MD5 | aa3cdd5145d9fb980c061d2d8653fa8d |
| SHA1 | de696701275b01ddad5461e269d7ab15b7466d6a |
| SHA256 | 41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2 |
| SHA512 | 4be32b5e9eaffa8d3f4cce515717faa6259373e8dbd258b9ebc2534fd0b62aaa7043093204e43627983fe332f63d8f998a90dc1cbb74f54a18c55f67e42a8a32 |
memory/5984-3657-0x0000000004F10000-0x0000000004F2A000-memory.dmp
memory/5984-3656-0x0000000000F60000-0x0000000000F68000-memory.dmp
memory/5984-3655-0x0000000000610000-0x0000000000706000-memory.dmp
memory/5984-3658-0x00000000057F0000-0x0000000005896000-memory.dmp
C:\Users\Admin\AppData\Roaming\System32\taskhost.exe
| MD5 | e40cb198ebcd20cd16739f670d4d7b74 |
| SHA1 | e898a3b321bd6734c5a676382b5c0dfd42be377d |
| SHA256 | 6cdc8d3c147dcf7253c0fb7bb552b4ae918aba4058cc072a2320a7297d4fbed7 |
| SHA512 | 1e5a68b2ae30c7d16a0a74807fa069be2d1b8adcfcbcde777217b9420a987196af13fb05177e476157029a1f7916e6948a1286cdb8957cdd142756da3c42beef |
C:\Users\Admin\AppData\Local\Temp\Files\golden.exe
| MD5 | f98be4f384d18834c9f4c22c7046a5ff |
| SHA1 | b977887e63969e90102cfa716246cc9957349241 |
| SHA256 | 03b8845707f2c1c31d9a756e7f46323b032037bc92bf3dc3243d07c013062eda |
| SHA512 | f47e4708f63d5c451fb4c01e90ab3436a05b136c2605d6957d43f030a008415a918c750b2530eb3256c8552c799b7f8034e2b7ce90881386f44bb65bcdba8755 |
C:\Users\Admin\AppData\Local\Temp\Bowling
| MD5 | 1100e2dc0abbc946984508a57c2dcc6a |
| SHA1 | a46249d3d6aebb480f6c948aff6f065ad3ce6721 |
| SHA256 | 87cf4bc82402b0ee787dd23867496ee383cc24c397fe54372a0e2fcc1c6bf206 |
| SHA512 | c2c4cb619a76ee8f6ccefeb712b11a25c1c475db088aeab5dad6978536a2eca710f31a73d183062c83ce272cf0534b53c2d4f40db203a4b7a3b8bfa5e9390fd7 |
C:\Users\Admin\AppData\Local\Temp\Cafe
| MD5 | be7ece0a176b5396ed2e80dfd1c7d424 |
| SHA1 | ea19b37edc7d7cef563094860af09900898fe467 |
| SHA256 | 4d448ab30a84c345178b92911192046923db0badece1146f0adda3f0af1417d8 |
| SHA512 | ef006bad40449dca5569f113d8eebcef718f3754a5455b1bd31ef61ab59c5b096b24663da60173edb1741bd045f588823144e63b2e62b681abd7e5b95f2c906b |
C:\Users\Admin\AppData\Local\Temp\Suzuki
| MD5 | c4cf8fa43e79df7fa6259198175880f4 |
| SHA1 | e9097784729e777188629e9c7c59cb0a0c6c6cd8 |
| SHA256 | f40e0aa9ee1be08178cde5ff9c25253e70c4c08cd7311722a749be0ebfcb49eb |
| SHA512 | 786cf3a41fa4d55999fd15ce6b1f89c1189f3212b181e2e0f2b3262e24669453cc99d587b3c70ddbf098117d5b5d3e4b7bf034e288bec61672bcdc29a131642e |
C:\Users\Admin\AppData\Local\Temp\Major
| MD5 | 5365ad26fbf55fbb238379160f3819ae |
| SHA1 | 6e33efe060d8fc424f5c850107ad4794c66daec1 |
| SHA256 | 5749f6b429f9fbd508b810c6e99504e19036a93374d83eabd7171cb625627ae6 |
| SHA512 | 861b76e0f60d055c7cf2b51d5a4aa21848664b57fa387d83e9c36c23dd0044bacb0bb8e5a8630062604871197b7050e82101c91dd2b809e8c5208eb86fa22e52 |
C:\Users\Admin\AppData\Local\Temp\Tit
| MD5 | 9ff7f4f0f216def9dd325d9b667be06e |
| SHA1 | f2cc8a82c99dc8bc38624e7aaa31fd29047f19dd |
| SHA256 | 7639decc3f03f22ed96230e5bfb619419d2523a56cb0b6cccf6ad6c66d5219e8 |
| SHA512 | 83984918784fb08d6392d5a565578d9caa60218aba2ecfe255e3d809e0f7a48f36da68aea87fbca19a12d6bd83cbcc9aa24f021b14bafda68a2b90fb58ac4b30 |
C:\Users\Admin\AppData\Local\Temp\Adjust
| MD5 | 35e5ab29f9dc36806b7db16d46ed7ede |
| SHA1 | 527d6aa79dca3a83dca41245240507996a1b0ae3 |
| SHA256 | c6ab18d27ef2d0e9b01a3502b9ef292ac9d5a4bd045db792d8d3b4188c30f8c1 |
| SHA512 | 754c57e8fcd56f149dbfd6606c029071cae23bd9d658961b853c03830cb8150d444f1e365ed8651ab5accf4b6e5fc1184c42f5e1d1cead261eee04268152309b |
C:\Users\Admin\AppData\Local\Temp\Invest
| MD5 | 2650bd0e98cced157856b15c55a48398 |
| SHA1 | b8b509ad22f350d600cd4ac612a5eb3d61db3f02 |
| SHA256 | f6b5de9758a1baa8f31e584bb5e5427365a7d08679931328d6ae9ddf1b6c99ec |
| SHA512 | db3693cc106df3b097b8b3b97236819792bb04afead5e13679fdcc21765fd348502dae64eade646815fb7cd3745f190ed8d8a071f6d5f29cb36ffd08c9193e14 |
C:\Users\Admin\AppData\Local\Temp\Severe
| MD5 | af2b7ee3e48e5404c5b8e4af9767ab3d |
| SHA1 | 18b0119b67a01719b7e968e2296676565a273264 |
| SHA256 | 5748c19741e9877d8abeb2f593a158bd39195c9c1433129ebdb6858381283aee |
| SHA512 | 2472c62e1c65d3a03a293daae3eb162b42bdfc536907f4b1bb63d86315e3540cc8fd641d2b26183cc230884b6cc74cafb805c913c09b991ba3d4699ed8ed4129 |
C:\Users\Admin\AppData\Local\Temp\Sony
| MD5 | bbdea5ac69d32176c7cf0af7749cdf12 |
| SHA1 | 39c66e4bcad18e9bb4400a579d44f177daf63ecc |
| SHA256 | 8d1c9abd9b4a2f0a19f9a003280e1ffaddfd4c55b3fbef43b4aa97c7d3d280e3 |
| SHA512 | e6021102ecba902d998601f4f857f973ff24edd7012fb1c3f9fef557f966a023ab241ac3f54aeaaf887e19560a805eaf77d593cfa7efd659a137faf4dbf53704 |
C:\Users\Admin\AppData\Local\Temp\Prefers
| MD5 | 3800b719c54c939f9c41642d3f0c0dc9 |
| SHA1 | 2f4e8b5ad282ff727f23ff8b98f82427bc88d263 |
| SHA256 | d2fafbf46e5741896ca37681386c1af4f847d2bae11592be569ed41d7e50702b |
| SHA512 | b0f73c110f28091ae5c786ce9c5970ea2d4c728abfc4aacb926892712d04a0d5bb0d912ef5cf27a19b529cfcae2bf5f63ddaa77f4e39e49f7d67ce240d9f35e5 |
C:\Users\Admin\AppData\Local\Temp\543648\Legend.pif
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\543648\E
| MD5 | f8e0529fb48efca8c0eede34c01e0033 |
| SHA1 | 85a42f025ae9a2227f2649df6652c929400a4aac |
| SHA256 | 68b1bbcf0f6f6270afb451b41f81f6f5691759493640f6e2735276877c024dcb |
| SHA512 | b6192ad0efe9c04f803a5a14c09480d573ff94d6d50135ff85b2fa4e9ef52c4c04fcb99207be0e7fa4f3a2dba27b6d0b336e111cc3ae678a05761132dadf8f54 |
C:\Users\Admin\AppData\Local\Temp\Files\random.exe
| MD5 | fe75f0e739e3889f3169358abc660e60 |
| SHA1 | 7956287cd78f9823a1bbf9aa9b3d5121cd55785b |
| SHA256 | f9726e10c350b4199dde3b4bdaa6716a35fd1817a2659192762d1463e511d308 |
| SHA512 | cccaaef343f6659f719062b0819a7304f05cf526251826548200d06dc9809cb48ead0b939abc0f6139a4877b9234e9dacf8a756c40cd607ddef692d256676f19 |
memory/5800-3722-0x00000000007A0000-0x0000000000A4C000-memory.dmp
memory/5800-3724-0x00000000007A0000-0x0000000000A4C000-memory.dmp
memory/5800-3723-0x00000000007A0000-0x0000000000A4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\88aext0k.exe
| MD5 | 3d375d10b594f69c51b80948ec0e4c03 |
| SHA1 | 439779b78363df27d5874efb256aa5e415e0b8b3 |
| SHA256 | 8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704 |
| SHA512 | 635d39a32aa3c01cf2d7c5910639da9dbc7f661daba92d0b6c6d543123aa84bfac86dc7c72d6f88ace93d4d2b520e5020094d11f8d78c6859ea68265e8dad560 |
C:\Users\Admin\AppData\Local\Temp\Files\bildnewl.exe
| MD5 | a1264b7a67771b5d0224d179edcd5a50 |
| SHA1 | 56a87bc817e8ccff749c27bdf997eab1f5930174 |
| SHA256 | ab18f8db9ae857fe8a663d968223a605bfdc3a268b501a5d46eefa4495cbed6a |
| SHA512 | 39662f4edfd298220c97a8c621cf7bf2beeca91ce2694052138715cd5ed6c3702182dd9cee1c0ec746ca80efc9001e9e20d289649f2b65c1c2c10459f52ba2a0 |
memory/5464-3743-0x0000000000FC0000-0x000000000100A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\ConsoleApp3.exe
| MD5 | eb2e78bbb601facb768bd61a8e38b372 |
| SHA1 | d51b9b3a138ae1bf345e768ee94efdced4853ff7 |
| SHA256 | 09d97363cb679a12a09d9795569b38193991362c3b6981d7154b17d34f36f8cf |
| SHA512 | 5c2ce80953a39393a6a63c772390709e2140bf9b7e7a7765767bc5ae6fb27e52fa7f9237a918dd8060a83667f29ed47e12adef26127f183bea58859e93c3b9f4 |
memory/4952-3753-0x0000000000BB0000-0x0000000000BB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
| MD5 | 909278699c09e6801b038d7089e68151 |
| SHA1 | 036bf462815304c97f06814f6327150095996be9 |
| SHA256 | ca1af3b2a9b340be96e06d6ab18b3e21be455780b242cf395978eabc124e8d0c |
| SHA512 | b1af108e01d27c0481db58f2b4b847458bdc26484a91a30b31ce9afb82660cbd8b41874a7e1d951a3f9be4211522e39b1024c846b33e8656820361da451ece7c |
memory/5500-3764-0x00000000002E0000-0x00000000002EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\discord.exe
| MD5 | 6a0bb84dcd837e83638f4292180bf5ab |
| SHA1 | 20e31ccffe1ac806e75ea839ea90b4c91e4322c5 |
| SHA256 | e119fe767f3d10a387df1951d4b356384c5a9d0441b4034ddf7293c389a410b4 |
| SHA512 | d0d61815c1ca73e4d1b8d5c3ea61e0572bfa9f6e984247b8e66c22e5591d61f766c6476c2686ce611917a56f2d4d8b8ddb4efcdbed707855e4190a2404eedcc5 |
memory/4584-3775-0x00000000006E0000-0x0000000000A04000-memory.dmp
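The listing above is a flat stream of two artifact kinds: memory dump names (which read as `memory/<pid>-<ordinal>-<start>-<end>-memory.dmp`, though the report does not document the scheme) and dropped-file entries (a Windows path followed by `| MD5/SHA1/SHA256/SHA512 | hex |` rows). The following is an added example, not the sandbox's own code or output, that parses those lines into indicators a responder can query: which address ranges one process kept re-dumping, which ranges appear at the same base in several PIDs, and a SHA-256 set for matching files on a host. The dump-name field meanings are an inferred assumption; the sample input is a constructed excerpt of lines copied from the listing above.

```python
"""Parse the artifact listing above into queryable indicators.  Added example,
not sandbox code.  Assumption: memory/<pid>-<ordinal>-<start>-<end>-memory.dmp
is the dump-name scheme (inferred from the entries; the report does not say)."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

@dataclass
class MemDump:
    pid: int
    ordinal: int
    start: int
    end: int

@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex

def parse_listing(text):
    """Return (dumps, files); a digest of the wrong length raises, not a bad IOC."""
    dumps, files, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := MEM_RE.match(line):
            pid, ordinal, start, end = m.groups()
            dumps.append(MemDump(int(pid), int(ordinal), int(start, 16), int(end, 16)))
        elif m := HASH_RE.match(line):  # hash rows attach to the last path line
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex chars: {line}")
            current.hashes[algo] = digest
        elif PATH_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
    return dumps, files  # blank lines and anything else are ignored

def region_dump_counts(dumps):
    counts = defaultdict(int)
    for d in dumps:
        counts[(d.pid, d.start, d.end)] += 1
    return dict(counts)

def repeatedly_dumped(dumps, min_count=2):
    """Ranges dumped >= min_count times in one process, most often first: a range
    the sandbox kept re-dumping kept changing, i.e. an unpacker's output buffer."""
    hits = [(k, n) for k, n in region_dump_counts(dumps).items() if n >= min_count]
    return sorted(hits, key=lambda kn: (-kn[1], kn[0]))

def regions_shared_across_pids(dumps):
    """(start, end) ranges dumped from more than one PID: the same range at the
    same base in several processes is usually a shared module, not injected code."""
    pids = defaultdict(set)
    for d in dumps:
        pids[(d.start, d.end)].add(d.pid)
    return {rng: sorted(p) for rng, p in pids.items() if len(p) > 1}

def lookup_by_hash(files, digest):
    """Paths whose MD5/SHA1/SHA256/SHA512 equals digest, whatever the algorithm."""
    digest = digest.lower()
    return [f.path for f in files if digest in f.hashes.values()]

def sha256_set(files):
    return {f.hashes["SHA256"] for f in files if "SHA256" in f.hashes}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def match_blobs(blobs, sha256s):
    """blobs: iterable of (name, bytes).  Returns names whose SHA-256 is in the set;
    feed it (path, open(path, 'rb').read()) pairs from os.walk to sweep a host."""
    return [name for name, data in blobs if sha256_hex(data) in sha256s]

# Constructed excerpt: a few lines copied verbatim from the listing above.
SAMPLE = r"""
memory/2332-69-0x0000000005080000-0x0000000005156000-memory.dmp
memory/2332-67-0x0000000005080000-0x0000000005156000-memory.dmp
memory/2332-65-0x0000000005080000-0x0000000005156000-memory.dmp
memory/2332-1094-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3972-1106-0x00000000744D0000-0x0000000074C80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
| MD5 | 909278699c09e6801b038d7089e68151 |
| SHA1 | 036bf462815304c97f06814f6327150095996be9 |
| SHA256 | ca1af3b2a9b340be96e06d6ab18b3e21be455780b242cf395978eabc124e8d0c |
C:\Users\Admin\AppData\Roaming\System32\taskhost.exe
| MD5 | e40cb198ebcd20cd16739f670d4d7b74 |
| SHA256 | 6cdc8d3c147dcf7253c0fb7bb552b4ae918aba4058cc072a2320a7297d4fbed7 |
"""

if __name__ == "__main__":
    dumps, files = parse_listing(SAMPLE)
    print(repeatedly_dumped(dumps), regions_shared_across_pids(dumps), sorted(sha256_set(files)))
```

Run on the full listing, `repeatedly_dumped` surfaces the 0x05080000-0x05156000 range that PID 2332 was dumped from dozens of times, and `regions_shared_across_pids` flags 0x744D0000-0x74C80000 as present in both 2332 and 3972, which is the kind of range to deprioritise before pulling dumps apart. Digest lengths are validated on parse so a truncated hash never makes it into a blocklist.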