Malware Analysis Report

2025-01-02 13:33

Sample ID 241207-edgkzszrdj
Target RIP_YOUR_PC_LOL.exe
SHA256 37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Tags
blackmoon nanocore njrat asyncrat azorult dcrat fickerstealer gh0strat hawkeye oski purplefox raccoon redline xmrig 5781468cedb3a203003fdf1f12e72fe98d6f1c0f @zhilsholi default mediaget banker defense_evasion discovery evasion infostealer keylogger miner persistence privilege_escalation rat rootkit spyware stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a

Threat Level: Known bad

The file RIP_YOUR_PC_LOL.exe was found to be: Known bad.

Malicious Activity Summary

AsyncRat

Xmrig family

Purplefox family

HawkEye

DcRat

Asyncrat family

Detect Blackmoon payload

xmrig

Dcrat family

Gh0strat

Hawkeye family

PurpleFox

Nanocore family

Njrat family

UAC bypass

Oski family

Detect PurpleFox Rootkit

Oski

Gh0strat family

Azorult family

Raccoon Stealer V1 payload

njRAT/Bladabindi

Redline family

RedLine

Blackmoon family

Raccoon family

Blackmoon, KrBanker

Fickerstealer family

Raccoon

Process spawned unexpected child process

Fickerstealer

Azorult

Gh0st RAT payload

NanoCore

NirSoft WebBrowserPassView

Async RAT payload

DCRat payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

NirSoft MailPassView

XMRig Miner payload

Detected Nirsoft tools

Sets service image path in registry

Server Software Component: Terminal Services DLL

Modifies Windows Firewall

Drops file in Drivers directory

Drops startup file

Uses the VBS compiler for execution

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Looks up external IP address via web service

Indicator Removal: File Deletion

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Program crash

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Runs ping.exe

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-07 03:49

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Nanocore family

nanocore

Njrat family

njrat

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-07 03:49

Reported

2024-12-07 03:50

Platform

win7-20241010-en

Max time kernel

24s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Azorult

trojan infostealer azorult

Azorult family

azorult

Blackmoon family

blackmoon

Blackmoon, KrBanker

trojan banker blackmoon

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Fickerstealer

infostealer fickerstealer

Fickerstealer family

fickerstealer

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

HawkEye

keylogger trojan stealer spyware hawkeye

Hawkeye family

hawkeye

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Njrat family

njrat

Oski

infostealer oski

Oski family

oski

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon family

raccoon

RedLine

infostealer redline

Redline family

redline

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A

Xmrig family

xmrig

njRAT/Bladabindi

trojan njrat

xmrig

miner xmrig

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\a.exe N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259440504.txt" C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\a.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe C:\Users\Admin\AppData\Roaming\mediaget.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gay.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\HD____11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Windows\Help\Winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gay.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe N/A
N/A N/A C:\Windows\Help\Winlogon.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files (x86)\\DSL Manager\\dslmgr.exe" C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaa = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\es\\aaa.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mediaget = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget\\mediaget.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Portable Devices\\taskhost.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\hh\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mediaget = "\"C:\\PerfLogs\\Admin\\mediaget.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\a.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A api.ipify.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Windows\SysWOW64\259440504.txt C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File created C:\Program Files (x86)\DSL Manager\dslmgr.exe C:\Users\Admin\AppData\Roaming\Opus.exe N/A
File opened for modification C:\Program Files (x86)\DSL Manager\dslmgr.exe C:\Users\Admin\AppData\Roaming\Opus.exe N/A
File created C:\Program Files\Windows Portable Devices\taskhost.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\taskhost.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\f820f26656ae6d1e1cd0ede001693a81e45f4037 C:\Users\Admin\AppData\Roaming\3.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File created C:\Program Files\Windows Portable Devices\b75386f1303e64d8139363b71e44ac16341adf4e C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\aaa.exe C:\Users\Admin\AppData\Roaming\3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Cursors\WUDFhosts.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\hh\explorer.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\hh\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\Cursors\KillProcc.sys C:\Users\Admin\AppData\Roaming\22.exe N/A
File opened for modification C:\Windows\Cursors\TrustedInsteller.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Help\Winlogon.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Help\active_desktop_render.dll C:\Users\Admin\AppData\Roaming\22.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Help\Winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\TXPlatforn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\gay.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\HD____11.19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\test.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\svchost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A 9
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A 7
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A 47

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege, reported by its LUID rather than by name) N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2372 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\healastounding.exe 4
PID 2540 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\test.exe 4
PID 2540 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\gay.exe 4
PID 2540 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\Opus.exe 4
PID 2540 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\aaa.exe 4
PID 2372 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\Pluto Panel.exe 4
PID 2372 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Windows\SysWOW64\netsh.exe 4
PID 2540 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe 4
PID 2372 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe 7
PID 2372 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\___11.19.exe 4
PID 2540 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\4.exe 4
PID 1808 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Windows\SysWOW64\主动防御服务模块.exe 7
PID 2540 wrote to memory of 316 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\a.exe 4
PID 1808 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe 4
PID 2632 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe 2

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
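The three writes above are one action, not three tweaks: EnableLUA=0 switches UAC off entirely at the next reboot, ConsentPromptBehaviorAdmin=0 lets administrators elevate without any prompt, and PromptOnSecureDesktop=0 takes whatever prompt remains off the secure desktop. The detector below is an added example, not the sandbox's own signature. It consumes a constructed one-line rendering of Sysmon Event ID 13 (registry value set) fields that mirrors the writes by 3.exe, accepts both the NT \REGISTRY\MACHINE path the sandbox prints and Sysmon's HKLM alias, and grades each write against the Windows out-of-box defaults. The line layout and the severity labels are assumptions of the example.

```python
import re

# HKLM key whose values govern UAC, with the Windows 10/11 out-of-box defaults.
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 0 = UAC off entirely (effective after reboot)
    "ConsentPromptBehaviorAdmin": 5,  # 0 = administrators elevate silently, no prompt
    "PromptOnSecureDesktop": 1,       # 0 = prompts drawn on the normal, spoofable desktop
}

# Constructed sample: Sysmon Event ID 13 fields flattened to one line each (an assumed
# layout, not Sysmon's XML). Rows 1-3 mirror the writes by 3.exe in this report; row 4 is a
# benign write of the default value; row 5 is an unrelated process-creation event.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Users\Admin\AppData\Roaming\3.exe TargetObject=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin Details=DWORD (0x00000000)",
    r"EventID=13 Image=C:\Users\Admin\AppData\Roaming\3.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop Details=DWORD (0x00000000)",
    r"EventID=13 Image=C:\Users\Admin\AppData\Roaming\3.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000000)",
    r"EventID=13 Image=C:\Windows\regedit.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin Details=DWORD (0x00000005)",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c whoami",
]

_EVENT_RE = re.compile(
    r"EventID=(?P<eid>\d+)\s+Image=(?P<image>\S+)\s+TargetObject=(?P<target>\S+)\s+Details=(?P<details>.+)$"
)
_DWORD_RE = re.compile(r"DWORD \(0x(?P<hex>[0-9A-Fa-f]{8})\)")


def normalize_key(path):
    # Sandbox reports print the NT form (REGISTRY\MACHINE prefix); Sysmon prints HKLM.
    prefix = "\\registry\\machine\\"
    if path.lower().startswith(prefix):
        return "HKLM\\" + path[len(prefix):]
    return path


def parse_event(line):
    """Return a dict for a registry value-set event, or None for any other line."""
    m = _EVENT_RE.match(line.strip())
    if not m or m.group("eid") != "13":
        return None
    key, _, value_name = normalize_key(m.group("target")).rpartition("\\")
    d = _DWORD_RE.match(m.group("details"))
    return {
        "image": m.group("image"),
        "key": key,
        "name": value_name,
        "value": int(d.group("hex"), 16) if d else None,
    }


def uac_findings(lines):
    """Grade UAC policy writes; returns [(severity, message)] for values weaker than default."""
    out = []
    for ev in map(parse_event, lines):
        if not ev or ev["key"].lower() != POLICY_KEY.lower() or ev["name"] not in UAC_DEFAULTS:
            continue
        name, value, who = ev["name"], ev["value"], ev["image"]
        if value == UAC_DEFAULTS[name]:
            continue                      # default restored or unchanged: not a finding
        if name == "EnableLUA" and value == 0:
            out.append(("critical", f"{who} disabled UAC (EnableLUA=0, effective at next reboot)"))
        elif name == "ConsentPromptBehaviorAdmin" and value == 0:
            out.append(("high", f"{who} set silent elevation for administrators (ConsentPromptBehaviorAdmin=0)"))
        elif name == "PromptOnSecureDesktop" and value == 0:
            out.append(("medium", f"{who} moved UAC prompts off the secure desktop"))
        else:
            out.append(("low", f"{who} set {name}={value} (default {UAC_DEFAULTS[name]})"))
    return out


if __name__ == "__main__":
    for severity, message in uac_findings(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The image that performs the write is the pivot: a UAC policy write from anything other than an installer, Group Policy or an administrator's console session is worth an alert on its own, and a user-profile executable such as 3.exe doing all three in succession is the "UAC bypass" the overview already flags.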

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe

"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"

C:\Users\Admin\AppData\Roaming\healastounding.exe

"C:\Users\Admin\AppData\Roaming\healastounding.exe"

C:\Users\Admin\AppData\Roaming\test.exe

"C:\Users\Admin\AppData\Roaming\test.exe"

C:\Users\Admin\AppData\Roaming\gay.exe

"C:\Users\Admin\AppData\Roaming\gay.exe"

C:\Users\Admin\AppData\Roaming\Opus.exe

"C:\Users\Admin\AppData\Roaming\Opus.exe"

C:\Users\Admin\AppData\Roaming\aaa.exe

"C:\Users\Admin\AppData\Roaming\aaa.exe"

C:\Users\Admin\AppData\Roaming\Pluto Panel.exe

"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"

C:\Users\Admin\AppData\Roaming\4.exe

"C:\Users\Admin\AppData\Roaming\4.exe"

C:\Users\Admin\AppData\Roaming\22.exe

"C:\Users\Admin\AppData\Roaming\22.exe"

C:\Users\Admin\AppData\Roaming\___11.19.exe

"C:\Users\Admin\AppData\Roaming\___11.19.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Users\Admin\AppData\Roaming\a.exe

"C:\Users\Admin\AppData\Roaming\a.exe"

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Users\Admin\AppData\Roaming\3.exe

"C:\Users\Admin\AppData\Roaming\3.exe"

C:\Users\Admin\AppData\Roaming\mediaget.exe

"C:\Users\Admin\AppData\Roaming\mediaget.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DSL Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBC4D.tmp"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add policy name=Block

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DSL Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC3DC.tmp"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filterlist name=Filter1

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE

C:\Windows\SysWOW64\主动防御服务模块.exe

C:\Windows\system32\主动防御服务模块.exe "c:\windows\system32\259440504.txt",MainThread

(The service and module name is GBK text, 主动防御服务模块, "Active Defense Service Module"; the raw sandbox output renders it as the Latin-1 mojibake Ö÷¶¯·ÀÓù·þÎñÄ£¿é, so match on either form when hunting.)

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "aaa" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\aaa.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "mediaget" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\mediaget\mediaget.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\hh\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "mediaget" /sc ONLOGON /tr "'C:\PerfLogs\Admin\mediaget.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\3.exe

"C:\Users\Admin\AppData\Roaming\3.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filteraction name=FilteraAtion1 action=block

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static set policy name=Block assign=y

C:\Windows\Help\Winlogon.exe

C:\Windows\Help\Winlogon.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\aaa.exe

"C:\Users\Admin\AppData\Roaming\aaa.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 216

C:\Windows\Cursors\WUDFhosts.exe

C:\Windows\Cursors\WUDFhosts.exe -o pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 796
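The process list above is the raw view; the alertable patterns are scattered through it: ONLOGON tasks at the HIGHEST run level pointing at binaries in user-writable or unusual system directories, a task defined from an XML file in %TEMP%, the netsh ipsec sequence that blocks inbound TCP and UDP 135, 139 and 445 host-wide, a firewall exception for mediaget.exe, a miner command line (-o pool -u wallet, the wallet being a 95-character address starting with 4, the standard Monero format) run as WUDFhosts.exe from C:\Windows\Cursors, the .NET compiler vbc.exe invoked with the NirSoft /stext save-to-text switch that vbc.exe does not have (a hollowed host writing dumped credentials, matching the NirSoft detections), ping-then-del self-deletion, and system binary names (svchost.exe, Winlogon.exe) launched from Temp or C:\Windows\Help. The classifier below is an added example, not the sandbox's signature logic: it runs over (image, command line) pairs copied from this list, plus one benign svchost.exe line as a negative control. The tag names, the short list of masqueraded system binaries and the wallet-format check are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: (image path, command line) pairs copied from the process list in this
# report, plus a benign C:\Windows\System32\svchost.exe line as a negative control.
SAMPLE_PROCS = [
    (r"C:\Windows\system32\schtasks.exe",
     r"""schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f"""),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"schtasks.exe" /create /f /tn "DSL Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBC4D.tmp"'),
    (r"C:\Windows\SysWOW64\netsh.exe",
     r"netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP"),
    (r"C:\Windows\SysWOW64\netsh.exe", r"netsh ipsec static set policy name=Block assign=y"),
    (r"C:\Windows\SysWOW64\netsh.exe",
     r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE'),
    (r"C:\Windows\Cursors\WUDFhosts.exe",
     r"C:\Windows\Cursors\WUDFhosts.exe -o pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x"),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul"),
    (r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\svchost.exe", r"C:\Users\Admin\AppData\Local\Temp\\svchost.exe"),
    (r"C:\Windows\Help\Winlogon.exe", r"C:\Windows\Help\Winlogon.exe"),
    (r"C:\Windows\SysWOW64\svchost.exe", r'C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"'),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),  # benign control
]

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed short list of names that should only ever run from the system directories.
SYSTEM_NAMES = {"svchost.exe", "svchos.exe", "winlogon.exe", "taskhost.exe",
                "explorer.exe", "wudfhost.exe", "wudfhosts.exe"}
MONERO_ADDR = re.compile(r"^4[0-9A-Za-z]{94}$")                 # standard 95-char XMR address
PING_THEN_DEL = re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1.*&&\s*del\s", re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def opt(tokens, switch):
    """Value that follows a switch such as /tn or -o (case-insensitive), else None."""
    low = [t.lower() for t in tokens]
    for i, t in enumerate(low[:-1]):
        if t == switch.lower():
            return tokens[i + 1]
    return None


def classify(image, cmdline):
    """Return [(tag, detail)] findings for one process-creation record."""
    t = tokenize(cmdline)
    low = [x.lower() for x in t]
    name = PureWindowsPath(image).name.lower()
    found = []
    if name == "schtasks.exe" and "/create" in low:
        if "/xml" in low:                  # task body hidden in a temp XML file
            found.append(("persistence.schtask_xml", f"task {opt(t, '/tn')!r} defined in {opt(t, '/xml')}"))
        elif (opt(t, "/sc") or "").upper() == "ONLOGON" and (opt(t, "/rl") or "").upper() == "HIGHEST":
            target = (opt(t, "/tr") or "").strip("'")
            found.append(("persistence.schtask_logon_highest", f"task {opt(t, '/tn')!r} runs {target} elevated at logon"))
    elif name == "netsh.exe" and low[1:3] == ["ipsec", "static"]:
        tag = "firewall.ipsec_assigned" if "assign=y" in low else "firewall.ipsec_static"
        found.append((tag, " ".join(t[3:])))
    elif name == "netsh.exe" and "allowedprogram" in low:
        found.append(("firewall.exception", opt(t, "allowedprogram") or cmdline))
    elif name == "cmd.exe" and re.search(r"\bdel\b", cmdline, re.I):
        tag = "evasion.self_delete" if PING_THEN_DEL.search(cmdline) else "evasion.delete_file"
        found.append((tag, cmdline))
    pool, wallet = opt(t, "-o"), opt(t, "-u")
    if pool and wallet and ":" in pool:    # xmrig-style "-o host:port -u wallet"
        kind = "monero-format wallet" if MONERO_ADDR.match(wallet) else "wallet"
        found.append(("miner.cmdline", f"pool {pool}, {kind} {wallet[:10]}..."))
    if "/stext" in low:                    # NirSoft save-to-text switch on a non-NirSoft image
        found.append(("credential_dump.nirsoft_stext", f"{name} /stext -> {opt(t, '/stext')}"))
    if name in SYSTEM_NAMES and not image.lower().startswith(SYSTEM_DIRS):
        found.append(("masquerade.system_name_wrong_dir", image))
    group = opt(t, "-k") if name == "svchost.exe" else None
    if group and not group.isascii():      # service group names are ASCII on a stock system
        found.append(("service.svchost_odd_group", group))
    return found


def scan(procs):
    """Flatten findings for a list of (image, cmdline) pairs into (image, tag, detail) rows."""
    return [(image, tag, detail) for image, cmd in procs for tag, detail in classify(image, cmd)]


if __name__ == "__main__":
    for image, tag, detail in scan(SAMPLE_PROCS):
        print(f"{tag:36} {image}\n{'':36} {detail}")
```

Feeding it real Sysmon Event ID 1 or Security 4688 records means supplying the image path and the command line separately, as the sandbox does above; the masquerade rule depends on the true image path, not on what the command line claims to be.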

Network

One row per distinct (country, destination, domain, protocol) tuple; Count is the number of times it was observed during the run; "-" means no domain was associated with the connection.

Country Destination Domain Proto Count
US 8.8.8.8:53 hackerinvasion.f3322.net udp 1
MD 194.180.174.53:80 - tcp 2
CN 59.56.110.231:8898 - tcp 1
US 8.8.8.8:53 api.ipify.org udp 1
US 8.8.8.8:53 pretorian.ac.ug udp 2
US 8.8.8.8:53 prepepe.ac.ug udp 1
US 172.67.74.152:80 api.ipify.org tcp 1
RU 80.87.192.115:80 - tcp 3
CA 172.98.92.42:58491 - tcp 3
US 8.8.8.8:53 whatismyipaddress.com udp 1
US 8.8.8.8:53 yabynennet.xyz udp 1
US 104.19.222.79:80 whatismyipaddress.com tcp 1
US 107.178.223.183:81 yabynennet.xyz tcp 1
US 104.19.222.79:443 whatismyipaddress.com tcp 2
HU 91.219.236.18:80 91.219.236.18 tcp 1
US 8.8.8.8:53 gfhhjgh.duckdns.org udp 1
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp 2
US 8.8.8.8:53 kazya1.hopto.org udp 1
MD 194.180.174.41:80 - tcp 2
US 8.8.8.8:53 22ssh.com udp 1
US 8.8.8.8:53 pool.usa-138.com udp 1
SG 45.77.45.115:80 pool.usa-138.com tcp 1
HU 91.219.236.148:80 - tcp 2
US 8.8.8.8:53 t.me udp 1
NL 149.154.167.99:443 t.me tcp 12
US 8.8.8.8:53 files.000webhost.com udp 1

Files

memory/2372-0-0x0000000074091000-0x0000000074092000-memory.dmp

memory/2372-1-0x0000000074090000-0x000000007463B000-memory.dmp

memory/2372-2-0x0000000074090000-0x000000007463B000-memory.dmp

\Users\Admin\AppData\Roaming\healastounding.exe

MD5 6fb798f1090448ce26299c2b35acf876
SHA1 451423d5690cffa02741d5da6e7c45bc08aefb55
SHA256 b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f
SHA512 9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3

memory/2540-14-0x0000000074090000-0x000000007463B000-memory.dmp

\Users\Admin\AppData\Roaming\gay.exe

MD5 8eedc01c11b251481dec59e5308dccc3
SHA1 24bf069e9f2a1f12aefa391674ed82059386b0aa
SHA256 0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d
SHA512 52388313b21f14aa69c8b37e0fe0b73f66aa92f08651a16c820aae65d341dc1af6b48f3c8d4f657ac990eeaf4b9a01ae769bca4d3625550011708697d22b69cc

C:\Users\Admin\AppData\Roaming\test.exe

MD5 7e50b292982932190179245c60c0b59b
SHA1 25cf641ddcdc818f32837db236a58060426b5571
SHA256 a8dde4e60db080dfc397d7e312e7e9f18d9c08d6088e8043feeae9ab32abdbb8
SHA512 c6d422d9fb115e1b6b085285b1d3ca46ed541e390895d702710e82a336f4de6cc5c9183f8e6ebe35475fcce6def8cc5ffa8ee4a61b38d7e80a9f40789688b885

C:\Users\Admin\AppData\Roaming\aaa.exe

MD5 860aa57fc3578f7037bb27fc79b2a62c
SHA1 a14008fe5e1eb88bf46266de3d5ee5db2e0a722b
SHA256 5430565c4534b482c7216a0ae75d04e201ee0db0386682c0c010243083c28d29
SHA512 6639b3e2594e554c7fa811f22e1c514474d34220155b4c989ad8716db1a0aea65894aa23d78c12a4618c57312da00353a77dd8e6c6bdd927bf865f2e98aff8f1

C:\Users\Admin\AppData\Roaming\Pluto Panel.exe

MD5 ed666bf7f4a0766fcec0e9c8074b089b
SHA1 1b90f1a4cb6059d573fff115b3598604825d76e6
SHA256 d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264
SHA512 d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49

\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

MD5 0fd7de5367376231a788872005d7ed4f
SHA1 658e4d5efb8b14661967be2183cc60e3e561b2b6
SHA256 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd
SHA512 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863

\Users\Admin\AppData\Roaming\4.exe

MD5 e6dace3f577ac7a6f9747b4a0956c8d7
SHA1 86c71169025b822a8dfba679ea981035ce1abfd1
SHA256 8b4b846fe1023fa173ab410e3a5862a4c09f16534e14926878e387092e7ffb63
SHA512 1c8554d3d9a1b1509ba1df569ede3fb7a081bef84394c708c4f1a2fb8779f012c74fbf6de085514e0c8debb5079cc23c6c6112b95bf2f0ab6a8f0bd156a3e268

C:\Users\Admin\AppData\Roaming\22.exe

MD5 dbf9daa1707b1037e28a6e0694b33a4b
SHA1 ddc1fcec1c25f2d97c372fffa247969aa6cd35ef
SHA256 a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6
SHA512 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd

\Users\Admin\AppData\Roaming\___11.19.exe

MD5 a071727b72a8374ff79a695ecde32594
SHA1 b2aba60b3332d6b8f0a56cea310cdc2bdb4f9ffc
SHA256 8ecdfe60eacb5bf647ae69bcbc41dd727ea3089e92b4b08ebca3a8d162e50745
SHA512 854b93fb6b9bf0fe4caef5572935852ce8becf2bc7bd41b192a4b3cefb7854a2405c6c0c06bbdd4e1026ff9440ec753911dcc935fe68118e322614c1b918e400

memory/2540-100-0x00000000057C0000-0x0000000005B82000-memory.dmp

memory/316-103-0x0000000000400000-0x00000000007C2000-memory.dmp

memory/2940-108-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Windows\SysWOW64\TXPlatforn.exe

MD5 a4329177954d4104005bce3020e5ef59
SHA1 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

memory/2940-107-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

MD5 78d40b12ffc837843fbf4de2164002f6
SHA1 985bdffa69bb915831cd6b81783aef3ae4418f53
SHA256 308a15dabdc4ce6b96dd54954a351d304f1fcb59e8c93221ba1c412bcdfd1c44
SHA512 c6575e1771d37ded4089d963bea95deac78b329ed555c991d7c559ee1970dd0887a965e88c09981529adc9c25df5cfd3d57e3dce6724da1f01f1198f0f460b79

memory/2540-126-0x0000000074090000-0x000000007463B000-memory.dmp

memory/2940-105-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Roaming\a.exe

MD5 52cfd35f337ca837d31df0a95ce2a55e
SHA1 88eb919fa2761f739f02a025e4f9bf1fd340b6ff
SHA256 5975e737584ddf2601c02e5918a79dad7531df0e13dca922f0525f66bec4b448
SHA512 b584282f6f5396c3bbed7835be67420aa14d11b9c42a88b0e3413a07a6164c22d6f50d845d05f48cb95d84fd9545d0b9e25e581324a08b3a95ced9f048d41d73

memory/1808-138-0x0000000005130000-0x00000000066DA000-memory.dmp

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

MD5 8f1c8b40c7be588389a8d382040b23bb
SHA1 bef5209ae90a3bd3171e1e0be4e8148c4ccd8a6a
SHA256 ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1
SHA512 9192b6f2f8320a728c445f9cd6e6d66495ad0ebebd7ff193dc09ee8ae57b3933c1b75dc208e7d638db273cb9d31b4ca24ee7bfd9729ff0cdbf432d72bb322b1f

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

MD5 870d6e5aef6dea98ced388cce87bfbd4
SHA1 2d7eee096d38d3c2a8f12fcba0a44b4c4da33d54
SHA256 6d50833895b2e3eb9d6f879a6436660127c270b6a516cda0253e56a3d8b7fba0
SHA512 0d55ab28b2f80136af121b870b7503551d87bbeb2848cf9a32540006cac9a5e346d9fcce2bf1223a22927f72a147b81487533a10b91373d4fa4429d6159fd566

memory/1656-171-0x0000000000400000-0x0000000000438000-memory.dmp

memory/620-169-0x0000000000400000-0x0000000000424000-memory.dmp

memory/620-167-0x0000000000400000-0x0000000000424000-memory.dmp

memory/316-162-0x0000000000400000-0x00000000007C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 696a7236e14e7407b5023681fba1d690
SHA1 43c550a8ab63b5f5a2a2622e5f614c4aaeeaf78e
SHA256 af034321362311726b4f39f658d691b7cf2ddf6eccd13f771532abde387f720a
SHA512 4582231dde50799d1925ba884e6e9d4bfde0a7ca56ee0f9d7bb0ccea18cbb73bda8bdf4de387537ade3d0be5c496f5748346c91806da72f7bf2e0fd814a6d0a0

memory/2188-160-0x0000000000400000-0x0000000000495000-memory.dmp

memory/1808-140-0x0000000005130000-0x00000000066DA000-memory.dmp

memory/2000-139-0x0000000000400000-0x00000000019AA000-memory.dmp

memory/1224-147-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1224-145-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1224-144-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

MD5 b14120b6701d42147208ebf264ad9981
SHA1 f3cff7ac8e6c1671d2c3387648e54f80957196de
SHA256 d987bd57582a22dfc65901ff256eda635dc8dad598c93b200002130b87fcfd97
SHA512 27a066b9d842acd7b1e0ca1dd045a9262b0d0a00c180eedeebeb9d3091925b184186fc3a1d2df28ae4c55626febe6abf6fdb5e26d45fd1a2968d57540e7cf29b

C:\Users\Admin\AppData\Local\Temp\svchos.exe

MD5 3b377ad877a942ec9f60ea285f7119a2
SHA1 60b23987b20d913982f723ab375eef50fafa6c70
SHA256 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512 af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

memory/2372-88-0x0000000074090000-0x000000007463B000-memory.dmp

memory/2540-61-0x0000000074090000-0x000000007463B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opus.exe

MD5 759185ee3724d7563b709c888c696959
SHA1 7c166cc3cbfef08bb378bcf557b1f45396a22931
SHA256 9384798985672c356a8a41bf822443f8eb0d3747bfca148ce814594c1a894641
SHA512 ed754357b1b995de918af21fecd9d1464bdea6778f7ab450a34e3aae22ba7eebc02f2442af13774abfdf97954e419ec9e356b54506c7e3bf12e3b76ee882fa2c

memory/2540-12-0x0000000074090000-0x000000007463B000-memory.dmp

memory/2364-216-0x0000000000A50000-0x0000000000A62000-memory.dmp

memory/316-219-0x0000000000400000-0x00000000007C2000-memory.dmp

memory/2272-229-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2272-235-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Roaming\3.exe

MD5 748a4bea8c0624a4c7a69f67263e0839
SHA1 6955b7d516df38992ac6bff9d0b0f5df150df859
SHA256 220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e
SHA512 5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd

memory/2000-248-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2188-244-0x0000000000400000-0x0000000000495000-memory.dmp

memory/1656-242-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2216-217-0x0000000000400000-0x0000000000625000-memory.dmp

memory/2272-271-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2000-270-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2000-267-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2000-263-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2000-259-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2000-256-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2000-254-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2000-250-0x0000000005FC0000-0x0000000006382000-memory.dmp

memory/2168-275-0x0000000000100000-0x0000000000194000-memory.dmp

C:\ProgramData\kaosdma.txt

MD5 2c807857a435aa8554d595bd14ed35d1
SHA1 9003a73beceab3d1b1cd65614347c33117041a95
SHA256 3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b
SHA512 95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9

memory/2168-292-0x00000000002E0000-0x00000000002EC000-memory.dmp

memory/2168-293-0x0000000000300000-0x000000000030A000-memory.dmp

memory/2168-295-0x0000000000310000-0x000000000031C000-memory.dmp

memory/2168-294-0x00000000002F0000-0x00000000002FC000-memory.dmp

memory/1808-296-0x0000000005130000-0x00000000066DA000-memory.dmp

memory/2000-299-0x0000000000400000-0x00000000019AA000-memory.dmp

memory/1656-304-0x0000000000400000-0x0000000000434000-memory.dmp

memory/620-303-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2188-302-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1224-301-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1808-305-0x0000000005130000-0x00000000066DA000-memory.dmp

memory/620-319-0x0000000000400000-0x0000000000420000-memory.dmp

memory/620-318-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2700-320-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2700-321-0x0000000000400000-0x000000000041B000-memory.dmp

memory/548-354-0x0000000001CA0000-0x0000000002220000-memory.dmp

memory/604-355-0x000000013F610000-0x000000013FB90000-memory.dmp

memory/548-380-0x0000000001CA0000-0x0000000002220000-memory.dmp

memory/604-382-0x000000013F610000-0x000000013FB90000-memory.dmp
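The hash blocks and the memory/PID-index-start-end-memory.dmp dump names are what a hunt takes from this section, but as printed they are hard to use: dumps of the same region repeat (PID 2940's 0x10000000-0x101B6000 module, the process that hosts the 主动防御服务模块 service, is dumped three times), and the hashes need a sanity check before they go into a blocklist. The parser below is an added example, not part of the sandbox's tooling. It runs over a constructed excerpt of the list above plus one deliberately malformed entry (a made-up path with a truncated SHA256) to exercise the length check, groups dump regions per PID, and annotates regions that sit at 0x400000 or 0x10000000, the 32-bit MSVC default image bases for EXEs and DLLs; that annotation is a triage heuristic of the example, not a verdict.

```python
import re
from collections import defaultdict

# Constructed excerpt of the Files list in this report. The final entry is made up and
# deliberately malformed (SHA256 too short) so the validator has something to reject.
SAMPLE_FILES = r"""
memory/2372-0-0x0000000074091000-0x0000000074092000-memory.dmp

\Users\Admin\AppData\Roaming\healastounding.exe

MD5 6fb798f1090448ce26299c2b35acf876
SHA1 451423d5690cffa02741d5da6e7c45bc08aefb55
SHA256 b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f
SHA512 9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3

memory/316-103-0x0000000000400000-0x00000000007C2000-memory.dmp

memory/2940-108-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2940-107-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Windows\SysWOW64\TXPlatforn.exe

MD5 a4329177954d4104005bce3020e5ef59
SHA1 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

memory/316-162-0x0000000000400000-0x00000000007C2000-memory.dmp

C:\constructed\bad.bin

SHA256 deadbeef
"""

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return ({path: {algo: digest}}, {pid: {(start, end)}}, [problems])."""
    files, regions, problems = {}, defaultdict(set), []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = REGION_RE.match(line)
        if m:                                   # identical dumps collapse into the set
            regions[int(m.group(1))].add((int(m.group(3), 16), int(m.group(4), 16)))
            continue
        h = HASH_RE.match(line)
        if h:
            algo, digest = h.group(1), h.group(2).lower()
            if current is None:
                problems.append(f"hash line with no preceding path: {line}")
            elif len(digest) != HASH_LEN[algo]:
                problems.append(f"{current}: {algo} has {len(digest)} hex digits, expected {HASH_LEN[algo]}")
            else:
                files[current][algo] = digest
            continue
        current = line                          # any other non-empty line is a file path header
        files.setdefault(current, {})
    return files, dict(regions), problems


def region_report(regions):
    """Per PID: [(start, size, note)] with the default image-base heuristic (assumption)."""
    notes = {0x400000: "default EXE image base (32-bit)", 0x10000000: "default DLL image base (32-bit)"}
    return {
        pid: [(start, end - start, notes.get(start, "")) for start, end in sorted(regs)]
        for pid, regs in regions.items()
    }


def hashes_of(files, algo="SHA256"):
    """Set of validated digests for one algorithm, ready for a blocklist or a retro-hunt."""
    return {d[algo] for d in files.values() if algo in d}


if __name__ == "__main__":
    files, regions, problems = parse_files_section(SAMPLE_FILES)
    for pid, rows in sorted(region_report(regions).items()):
        for start, size, note in rows:
            print(f"pid {pid:5} 0x{start:08x} {size:>9} bytes {note}")
    print(sorted(hashes_of(files)))
    print(problems)
```

The dump names carry the sandbox's dump index as the second field, so the same (start, end) region appearing under several indices is the sandbox re-dumping a region it saw change, not three different modules; collapsing on (PID, start, end) before you start pulling dumps saves time, and a large region at 0x400000 (PID 2000's 0x400000-0x19AA000, for instance) is the usual place to look for an unpacked payload.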

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-07 03:49

Reported

2024-12-07 03:49

Platform

win10v2004-20241007-en

Max time kernel

2s

Max time network

27s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Blackmoon family

blackmoon

Blackmoon, KrBanker

trojan banker blackmoon

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Detect Blackmoon payload

Description Indicator Process Target
(2 hits, no detail recorded)

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
(7 hits, no detail recorded)

Fickerstealer

infostealer fickerstealer

Fickerstealer family

fickerstealer

Gh0st RAT payload

Description Indicator Process Target
(8 hits, no detail recorded)

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

Njrat family

njrat

Oski

infostealer oski

Oski family

oski

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

RedLine

infostealer redline

Redline family

redline

njRAT/Bladabindi

trojan njrat

Async RAT payload

rat
2 matches; no description, indicator, process or target recorded

DCRat payload

rat
2 matches; no description, indicator, process or target recorded

Detected Nirsoft tools

4 matches; no description, indicator, process or target recorded

NirSoft MailPassView

4 matches; no description, indicator, process or target recorded

NirSoft WebBrowserPassView

1 match; no description, indicator, process or target recorded

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\healastounding.exe N/A

Uses the VBS compiler for execution

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
9 matches; no description, indicator, process or target recorded

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\Winlogon.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Help\active_desktop_render.dll C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Cursors\WUDFhosts.exe C:\Users\Admin\AppData\Roaming\22.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\test.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\gay.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\healastounding.exe
PID 2228 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\healastounding.exe
PID 2228 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\healastounding.exe
PID 2228 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
PID 2228 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
PID 2228 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
PID 2228 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2228 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2228 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 2228 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 2228 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 2228 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 8 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Roaming\22.exe C:\Windows\SysWOW64\netsh.exe
PID 8 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Roaming\22.exe C:\Windows\SysWOW64\netsh.exe
PID 8 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Roaming\22.exe C:\Windows\SysWOW64\netsh.exe
PID 2228 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\___11.19.exe
PID 2228 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\___11.19.exe
PID 2228 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\___11.19.exe
PID 4904 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\test.exe
PID 4904 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\test.exe
PID 4904 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\test.exe
PID 4904 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\gay.exe
PID 4904 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\gay.exe
PID 4904 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\gay.exe
PID 4904 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\Opus.exe
PID 4904 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\Opus.exe
PID 4904 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\Opus.exe
PID 4260 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4260 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4260 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4904 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\aaa.exe
PID 4904 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\aaa.exe
PID 4904 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\aaa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe

"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"

C:\Users\Admin\AppData\Roaming\healastounding.exe

"C:\Users\Admin\AppData\Roaming\healastounding.exe"

C:\Users\Admin\AppData\Roaming\Pluto Panel.exe

"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"

C:\Users\Admin\AppData\Roaming\22.exe

"C:\Users\Admin\AppData\Roaming\22.exe"

C:\Users\Admin\AppData\Roaming\___11.19.exe

"C:\Users\Admin\AppData\Roaming\___11.19.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add policy name=Block

C:\Users\Admin\AppData\Roaming\test.exe

"C:\Users\Admin\AppData\Roaming\test.exe"

C:\Users\Admin\AppData\Roaming\gay.exe

"C:\Users\Admin\AppData\Roaming\gay.exe"

C:\Users\Admin\AppData\Roaming\Opus.exe

"C:\Users\Admin\AppData\Roaming\Opus.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Users\Admin\AppData\Roaming\aaa.exe

"C:\Users\Admin\AppData\Roaming\aaa.exe"

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"

C:\Users\Admin\AppData\Roaming\4.exe

"C:\Users\Admin\AppData\Roaming\4.exe"

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Users\Admin\AppData\Roaming\a.exe

"C:\Users\Admin\AppData\Roaming\a.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
(The service-group name is GBK-encoded Chinese written through the ANSI APIs of an en-US guest and therefore displayed in Windows-1252; decoded as GBK it reads 主动防御服务模块, "Active Defense Service Module". The same string names the dropped executable below. Indicator lists should carry both spellings, since the on-disk name depends on the victim's ANSI code page.)

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp98C5.tmp"

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"

C:\Users\Admin\AppData\Roaming\3.exe

"C:\Users\Admin\AppData\Roaming\3.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filterlist name=Filter1

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA355.tmp"

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240621531.txt",MainThread
(The argument has rundll32's "<module>,<entry point>" form, so 240621531.txt, hashed in the Files section below, is being loaded as a module and its MainThread export called; the .txt extension is cosmetic.)

C:\Users\Admin\AppData\Roaming\mediaget.exe

"C:\Users\Admin\AppData\Roaming\mediaget.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Documents and Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\scrcons\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\pid\a.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Documents and Settings\sihost.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Rif1IpQLy.bat"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
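The Processes list above carries most of what a detection engineer would key on in this detonation: schtasks.exe launched under wmiprvse.exe, ONLOGON tasks at /rl HIGHEST named after Windows binaries (sihost, RuntimeBroker, unsecapp, StartMenuExperienceHost, TextInputHost) but pointing at user-writable or otherwise wrong directories, two tasks created from temp XML files, netsh ipsec filters on 135/139/445 (the RPC, NetBIOS and SMB ports other droppers use to get in), a netsh firewall exception for a binary in AppData, the "ping -n 2 127.0.0.1 && del" self-deletion idiom, "w32tm /stripchart /computer:localhost" used as a sleep, and vbc.exe run with NirSoft's /stext switch. The Python below is an added example, not part of this report or of the sandbox's own signatures; it encodes those patterns as rules and runs them over a constructed event list copied from the command lines above. The known-good location table, the user-writable prefixes and the assumption that only the System32 schtasks launches had wmiprvse.exe as parent (the one parent the report names) are assumptions to adjust for your own estate.

```python
"""Command-line triage over a sandbox process tree (added example; not part of
the original report). The patterns visible in the Processes list above become
rules, run over a constructed (parent, image, command line) event list."""
import re
from collections import Counter

# Known-good locations of the Windows binaries whose names the dropped tasks
# borrow (assumed; SystemApps package folder names vary by build).
EXPECTED_LOCATION = {
    "sihost.exe": r"c:\\windows\\system32\\",
    "runtimebroker.exe": r"c:\\windows\\system32\\",
    "unsecapp.exe": r"c:\\windows\\system32\\wbem\\",
    "startmenuexperiencehost.exe": r"c:\\windows\\systemapps\\[^\\]+\\",
    "textinputhost.exe": r"c:\\windows\\systemapps\\[^\\]+\\",
}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\documents and settings\\")
LATERAL_PORTS = {"135", "139", "445"}  # RPC, NetBIOS, SMB

RE_TN = re.compile(r'/tn\s+"?([^"]+?)"?\s+/', re.I)
RE_TR = re.compile(r'/tr\s+"\'?([^"\']+)\'?"', re.I)
RE_DSTPORT = re.compile(r"dstport=(\d+)", re.I)
RE_ALLOWED = re.compile(r'allowedprogram\s+"([^"]+)"', re.I)
RE_PING_DEL = re.compile(r"ping\b.*?&&\s*del\s+(\S+)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    low = path.lower()
    return low[: low.rfind("\\") + 1]


def triage_event(parent, image, cmdline):
    """Return (rule, detail) findings for one process-creation event."""
    out, img, low = [], basename(image), cmdline.lower()
    if parent and basename(parent) == "wmiprvse.exe":
        # WmiPrvSE spawning a process is how WMI-driven execution surfaces;
        # expect noise where WMI-based management tooling is in use.
        out.append(("unexpected_parent", f"wmiprvse.exe -> {img}"))
    if img == "schtasks.exe" and "/create" in low:
        tn, tr = RE_TN.search(cmdline), RE_TR.search(cmdline)
        name = tn.group(1) if tn else "?"
        action = tr.group(1) if tr else ""
        expected = EXPECTED_LOCATION.get(basename(action))
        if expected and not re.fullmatch(expected, dirname(action)):
            out.append(("masquerading_task", f"{name} -> {action}"))
        if action and dirname(action).startswith(USER_WRITABLE) and "/rl highest" in low:
            out.append(("highest_rl_user_path", f"{name} -> {action}"))
        if "/xml" in low:  # task body lives in a temp file; collect that, not the command line
            out.append(("task_from_xml", name))
    elif img == "netsh.exe":
        port, prog = RE_DSTPORT.search(cmdline), RE_ALLOWED.search(cmdline)
        if "ipsec static add filter " in low and port and port.group(1) in LATERAL_PORTS:
            out.append(("ipsec_block_lateral_port", port.group(1)))
        if prog and dirname(prog.group(1)).startswith(USER_WRITABLE):
            out.append(("firewall_allow_user_binary", prog.group(1)))
    elif img == "cmd.exe" and RE_PING_DEL.search(cmdline):
        out.append(("ping_then_delete", RE_PING_DEL.search(cmdline).group(1)))
    elif img == "w32tm.exe" and "/stripchart" in low and "localhost" in low:
        out.append(("w32tm_sleep", cmdline))  # stripchart of localhost is a timer, not time sync
    elif img == "vbc.exe" and "/stext" in low:
        out.append(("vbc_stext_dump", cmdline))  # /stext is a NirSoft switch, not a vbc one
    return out


def triage(events):
    return [(rule, detail) for p, i, c in events for rule, detail in triage_event(p, i, c)]


def rule_counts(events):
    return dict(Counter(rule for rule, _ in triage(events)))


WMI, ST = r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"
# Constructed from the Processes list in this report; a parent is given only
# where the report names it (wmiprvse.exe for the System32 schtasks launches).
SAMPLE_EVENTS = [
    (WMI, ST, r'''schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f'''),
    (WMI, ST, r'''schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\scrcons\unsecapp.exe'" /rl HIGHEST /f'''),
    (WMI, ST, r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\RuntimeBroker.exe'" /rl HIGHEST /f'''),
    (WMI, ST, r'''schtasks.exe /create /tn "a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\pid\a.exe'" /rl HIGHEST /f'''),
    (None, r"C:\Windows\SysWOW64\schtasks.exe", r'''"schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp98C5.tmp"'''),
    (None, NETSH, "netsh ipsec static add policy name=Block"),
    (None, NETSH, "netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP"),
    (None, NETSH, r'''netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE'''),
    (None, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul"),
    (None, r"C:\Windows\system32\w32tm.exe", "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (None, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", r'''C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'''),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The masquerade rule compares the task action's directory against where the real binary lives rather than merely checking for System32, because the unsecapp task above does point into System32 (wbem\scrcons\) and would slip past a prefix test. The ipsec rule only fires on filters for 135/139/445; the "add policy" and "add filterlist" lines are needed to reconstruct the full policy but are not indicators on their own.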

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 194.86.200.23.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 yabynennet.xyz udp
US 107.178.223.183:81 yabynennet.xyz tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 183.223.178.107.in-addr.arpa udp
US 8.8.8.8:53 gfhhjgh.duckdns.org udp
US 8.8.8.8:53 79.223.19.104.in-addr.arpa udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CN 59.56.110.231:8898 tcp
US 104.26.12.205:80 api.ipify.org tcp
RU 80.87.192.115:80 tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
CA 172.98.92.42:58491 tcp
US 104.19.223.79:443 whatismyipaddress.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
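The network table mixes three things a responder wants separated: DNS queries for dynamic-DNS names (f3322.net, duckdns.org, hopto.org), reverse (PTR) lookups that can be turned back into the addresses the sample then connected to, and TCP connections to IPs that never appeared in a forward lookup, several on non-standard ports (81, 8050, 8898, 58491). The Python below is an added example, not part of the report; it parses the flattened Country/Destination/Domain/Proto rows (copied above into a constant as constructed input) and extracts those indicator sets. The dynamic-DNS suffix list and the IP-check host list are assumptions.

```python
"""Network-table triage for a sandbox report (added example; not part of the
original report). Parses flattened 'Country Destination Domain Proto' rows and
separates dynamic-DNS lookups, PTR lookups and raw-IP connections."""
import ipaddress

# Assumed lists; extend from your own threat intel.
DDNS_SUFFIXES = ("duckdns.org", "hopto.org", "f3322.net")
IP_CHECK_HOSTS = {"api.ipify.org", "whatismyipaddress.com"}
WEB_PORTS = {"80", "443"}

# Constructed input: the rows of the Network section above, verbatim.
NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 194.86.200.23.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 yabynennet.xyz udp
US 107.178.223.183:81 yabynennet.xyz tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 183.223.178.107.in-addr.arpa udp
US 8.8.8.8:53 gfhhjgh.duckdns.org udp
US 8.8.8.8:53 79.223.19.104.in-addr.arpa udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CN 59.56.110.231:8898 tcp
US 104.26.12.205:80 api.ipify.org tcp
RU 80.87.192.115:80 tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
CA 172.98.92.42:58491 tcp
US 104.19.223.79:443 whatismyipaddress.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
"""


def parse_rows(text):
    """Split rows into dicts; the Domain column is empty for raw-IP connections."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            parts.insert(2, "")  # no Domain column: connection to a bare IP
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": port,
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'183.223.178.107.in-addr.arpa' -> '107.178.223.183'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def is_ddns(domain):
    return any(domain == s or domain.endswith("." + s) for s in DDNS_SUFFIXES)


def triage_network(rows):
    ddns, ip_checks, ptr_ips, tcp_dests = set(), set(), set(), set()
    raw_ip_conns, odd_port_conns = [], []
    for r in rows:
        d = r["domain"]
        if r["proto"] == "udp" and r["port"] == "53":
            ip = ptr_to_ip(d)
            if ip:
                ptr_ips.add(ip)
            elif is_ddns(d):
                ddns.add(d)
            elif d in IP_CHECK_HOSTS:
                ip_checks.add(d)
        elif r["proto"] == "tcp":
            tcp_dests.add(r["ip"])
            if not d:
                raw_ip_conns.append(f"{r['ip']}:{r['port']}")
            elif r["port"] not in WEB_PORTS:
                odd_port_conns.append(f"{d} -> {r['ip']}:{r['port']}")
    return {
        "ddns_domains": ddns,
        "ip_check_services": ip_checks,
        "raw_ip_connections": raw_ip_conns,
        "odd_port_connections": odd_port_conns,
        # PTR lookups whose address the sample also connected to: a cheap join
        # between the addresses it used and the names the resolver has for them.
        "ptr_of_contacted": sorted(ptr_ips & tcp_dests),
    }


if __name__ == "__main__":
    for key, value in triage_network(parse_rows(NETWORK_TABLE)).items():
        print(key, value)
```

The raw-IP connections (59.56.110.231:8898, 80.87.192.115:80, 172.98.92.42:58491) are the ones to prioritise for blocking and for pivoting in other telemetry, since no DNS record ties them to a name that could be sinkholed; the dynamic-DNS names belong in a watch list rather than a permanent block, because the address behind them is expected to change.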

Files

memory/2228-0-0x0000000075222000-0x0000000075223000-memory.dmp

memory/2228-1-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/2228-2-0x0000000075220000-0x00000000757D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\healastounding.exe

MD5 6fb798f1090448ce26299c2b35acf876
SHA1 451423d5690cffa02741d5da6e7c45bc08aefb55
SHA256 b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f
SHA512 9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3

C:\Users\Admin\AppData\Roaming\Pluto Panel.exe

MD5 ed666bf7f4a0766fcec0e9c8074b089b
SHA1 1b90f1a4cb6059d573fff115b3598604825d76e6
SHA256 d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264
SHA512 d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49

memory/4904-22-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/4904-29-0x0000000075220000-0x00000000757D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

MD5 0fd7de5367376231a788872005d7ed4f
SHA1 658e4d5efb8b14661967be2183cc60e3e561b2b6
SHA256 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd
SHA512 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863

memory/2064-42-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/2064-51-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/2064-45-0x0000000075220000-0x00000000757D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\22.exe

MD5 dbf9daa1707b1037e28a6e0694b33a4b
SHA1 ddc1fcec1c25f2d97c372fffa247969aa6cd35ef
SHA256 a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6
SHA512 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd

C:\Users\Admin\AppData\Roaming\___11.19.exe

MD5 a071727b72a8374ff79a695ecde32594
SHA1 b2aba60b3332d6b8f0a56cea310cdc2bdb4f9ffc
SHA256 8ecdfe60eacb5bf647ae69bcbc41dd727ea3089e92b4b08ebca3a8d162e50745
SHA512 854b93fb6b9bf0fe4caef5572935852ce8becf2bc7bd41b192a4b3cefb7854a2405c6c0c06bbdd4e1026ff9440ec753911dcc935fe68118e322614c1b918e400

memory/8-50-0x0000000000400000-0x0000000000625000-memory.dmp

C:\Users\Admin\AppData\Roaming\test.exe

MD5 7e50b292982932190179245c60c0b59b
SHA1 25cf641ddcdc818f32837db236a58060426b5571
SHA256 a8dde4e60db080dfc397d7e312e7e9f18d9c08d6088e8043feeae9ab32abdbb8
SHA512 c6d422d9fb115e1b6b085285b1d3ca46ed541e390895d702710e82a336f4de6cc5c9183f8e6ebe35475fcce6def8cc5ffa8ee4a61b38d7e80a9f40789688b885

C:\Users\Admin\AppData\Roaming\Opus.exe

MD5 759185ee3724d7563b709c888c696959
SHA1 7c166cc3cbfef08bb378bcf557b1f45396a22931
SHA256 9384798985672c356a8a41bf822443f8eb0d3747bfca148ce814594c1a894641
SHA512 ed754357b1b995de918af21fecd9d1464bdea6778f7ab450a34e3aae22ba7eebc02f2442af13774abfdf97954e419ec9e356b54506c7e3bf12e3b76ee882fa2c

C:\Users\Admin\AppData\Roaming\gay.exe

MD5 8eedc01c11b251481dec59e5308dccc3
SHA1 24bf069e9f2a1f12aefa391674ed82059386b0aa
SHA256 0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d
SHA512 52388313b21f14aa69c8b37e0fe0b73f66aa92f08651a16c820aae65d341dc1af6b48f3c8d4f657ac990eeaf4b9a01ae769bca4d3625550011708697d22b69cc

C:\Users\Admin\AppData\Roaming\aaa.exe

MD5 860aa57fc3578f7037bb27fc79b2a62c
SHA1 a14008fe5e1eb88bf46266de3d5ee5db2e0a722b
SHA256 5430565c4534b482c7216a0ae75d04e201ee0db0386682c0c010243083c28d29
SHA512 6639b3e2594e554c7fa811f22e1c514474d34220155b4c989ad8716db1a0aea65894aa23d78c12a4618c57312da00353a77dd8e6c6bdd927bf865f2e98aff8f1

C:\Users\Admin\AppData\Roaming\a.exe

MD5 52cfd35f337ca837d31df0a95ce2a55e
SHA1 88eb919fa2761f739f02a025e4f9bf1fd340b6ff
SHA256 5975e737584ddf2601c02e5918a79dad7531df0e13dca922f0525f66bec4b448
SHA512 b584282f6f5396c3bbed7835be67420aa14d11b9c42a88b0e3413a07a6164c22d6f50d845d05f48cb95d84fd9545d0b9e25e581324a08b3a95ced9f048d41d73

memory/1632-145-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Windows\SysWOW64\240621531.txt

MD5 90fc82e03a29ddfb8aa574f126c85534
SHA1 b802eb0e564167738586e058b2e1516c60555e87
SHA256 0b674c6c4631d19e21e8716cb2d57fb155c1b00999b2e694ec948207a40a8831
SHA512 75732b3c52f9116150ecd081fd425e1733d0c1f6ab2e1b2789255df99b5f7a9fdd6fa7374a64dcb98ff69ae5c69237e8a24e560fa87cde2e91891dbcbf1ea497

memory/3720-165-0x0000000000400000-0x00000000007C2000-memory.dmp

memory/4904-164-0x0000000075220000-0x00000000757D1000-memory.dmp

C:\Windows\SysWOW64\TXPlatforn.exe

MD5 a4329177954d4104005bce3020e5ef59
SHA1 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

memory/3764-178-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3720-185-0x0000000000400000-0x00000000007C2000-memory.dmp

memory/3764-189-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3720-190-0x0000000006370000-0x0000000006988000-memory.dmp

memory/3720-200-0x0000000005D70000-0x0000000005E7A000-memory.dmp

memory/3720-199-0x0000000005D50000-0x0000000005D62000-memory.dmp

memory/3720-202-0x0000000005E80000-0x0000000005EBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

MD5 78d40b12ffc837843fbf4de2164002f6
SHA1 985bdffa69bb915831cd6b81783aef3ae4418f53
SHA256 308a15dabdc4ce6b96dd54954a351d304f1fcb59e8c93221ba1c412bcdfd1c44
SHA512 c6575e1771d37ded4089d963bea95deac78b329ed555c991d7c559ee1970dd0887a965e88c09981529adc9c25df5cfd3d57e3dce6724da1f01f1198f0f460b79

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

MD5 870d6e5aef6dea98ced388cce87bfbd4
SHA1 2d7eee096d38d3c2a8f12fcba0a44b4c4da33d54
SHA256 6d50833895b2e3eb9d6f879a6436660127c270b6a516cda0253e56a3d8b7fba0
SHA512 0d55ab28b2f80136af121b870b7503551d87bbeb2848cf9a32540006cac9a5e346d9fcce2bf1223a22927f72a147b81487533a10b91373d4fa4429d6159fd566

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

MD5 b14120b6701d42147208ebf264ad9981
SHA1 f3cff7ac8e6c1671d2c3387648e54f80957196de
SHA256 d987bd57582a22dfc65901ff256eda635dc8dad598c93b200002130b87fcfd97
SHA512 27a066b9d842acd7b1e0ca1dd045a9262b0d0a00c180eedeebeb9d3091925b184186fc3a1d2df28ae4c55626febe6abf6fdb5e26d45fd1a2968d57540e7cf29b

memory/3720-232-0x0000000005F00000-0x0000000005F4C000-memory.dmp

memory/4212-238-0x0000000000400000-0x00000000019AA000-memory.dmp

C:\Users\Admin\AppData\Roaming\3.exe

MD5 748a4bea8c0624a4c7a69f67263e0839
SHA1 6955b7d516df38992ac6bff9d0b0f5df150df859
SHA256 220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e
SHA512 5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd

memory/1992-244-0x0000000000DE0000-0x0000000000E74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\X.ico

MD5 fb44f7af2882d222b600539171f54c1d
SHA1 0c5a1a0b1620a55a0f194464227be25a2f0347e1
SHA256 f2a78e76259bc8fd4ab6af7b4e16dfb49a10643308aca3d14c09e61ac0ebd487
SHA512 21e906473f64303c4c8d55213ccb84f4a803c11fb5eef34ce3194adfb391ccbcc91e7c399556c7a4e4f3d33b9b19524d4499ec771ee8e1a10df26ea7cc2dcb67

C:\Users\Admin\AppData\Local\Temp\tmp98C5.tmp

MD5 28219e12dd6c55676bdf791833067e9d
SHA1 a4c854d929404e5073d16610c62dfa331c9727a0
SHA256 d3035bd90ad0e9fedeecb44da09e78421b5e6e1e0bbed1afc624750043355540
SHA512 e8c118063052002745c503b8fd0decfecf38f31e71e4dbdedc79bb8e91d443d65a33e7d983d4c0e1d6ee1eb9045100c2324b941b3bef00e69d4d91eb7d6d0161

memory/1516-222-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1516-220-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3764-191-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3720-184-0x0000000000400000-0x00000000007C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\4.exe

MD5 e6dace3f577ac7a6f9747b4a0956c8d7
SHA1 86c71169025b822a8dfba679ea981035ce1abfd1
SHA256 8b4b846fe1023fa173ab410e3a5862a4c09f16534e14926878e387092e7ffb63
SHA512 1c8554d3d9a1b1509ba1df569ede3fb7a081bef84394c708c4f1a2fb8779f012c74fbf6de085514e0c8debb5079cc23c6c6112b95bf2f0ab6a8f0bd156a3e268

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

MD5 8f1c8b40c7be588389a8d382040b23bb
SHA1 bef5209ae90a3bd3171e1e0be4e8148c4ccd8a6a
SHA256 ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1
SHA512 9192b6f2f8320a728c445f9cd6e6d66495ad0ebebd7ff193dc09ee8ae57b3933c1b75dc208e7d638db273cb9d31b4ca24ee7bfd9729ff0cdbf432d72bb322b1f

C:\Users\Admin\AppData\Local\Temp\svchos.exe

MD5 3b377ad877a942ec9f60ea285f7119a2
SHA1 60b23987b20d913982f723ab375eef50fafa6c70
SHA256 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512 af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

memory/1632-143-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1632-146-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1328-115-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1328-114-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1328-112-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4508-88-0x0000000000370000-0x0000000000382000-memory.dmp

memory/2228-89-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/1992-287-0x0000000001630000-0x000000000163C000-memory.dmp

memory/1992-288-0x0000000001640000-0x000000000164A000-memory.dmp

memory/4212-304-0x00000000060E0000-0x00000000064A2000-memory.dmp

memory/4212-312-0x00000000060E0000-0x00000000064A2000-memory.dmp

memory/4212-315-0x00000000060E0000-0x00000000064A2000-memory.dmp

memory/4212-308-0x00000000060E0000-0x00000000064A2000-memory.dmp

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

C:\Users\Admin\AppData\Local\Temp\tmpA355.tmp

MD5 7f4b37265a0a4b0fea67999d11d911e8
SHA1 1b8e13e6a27c3768c30cf713b79eaa8a757e1349
SHA256 39b16b3a00b6b43c6820357127228c0768a577153014ce7b0ea3c585244dc08b
SHA512 ef97ccfb663555aedc7fdc4b3ac4cd6536c80a778b4ec3bc6124a09544733988de1dac1e6a3714b0d6e8713e3523e0732d5dfcf674f2c5e1f3eadacb0c8e5e03

memory/1992-292-0x0000000001680000-0x000000000168C000-memory.dmp

memory/4212-295-0x00000000060E0000-0x00000000064A2000-memory.dmp

memory/4212-301-0x00000000060E0000-0x00000000064A2000-memory.dmp

memory/4212-298-0x00000000060E0000-0x00000000064A2000-memory.dmp

C:\ProgramData\kaosdma.txt

MD5 2c807857a435aa8554d595bd14ed35d1
SHA1 9003a73beceab3d1b1cd65614347c33117041a95
SHA256 3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b
SHA512 95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9

memory/4212-290-0x00000000060E0000-0x00000000064A2000-memory.dmp

memory/1992-289-0x0000000001650000-0x000000000165C000-memory.dmp

memory/2064-335-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/2064-338-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/1516-348-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3832-358-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4212-359-0x0000000000400000-0x00000000019AA000-memory.dmp

memory/3832-357-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3832-360-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6Rif1IpQLy.bat

MD5 63ee891b066b4e3d6f75f2f7b9a93c36
SHA1 011689b40d1dff4490d924de9c1e7dfeb9f48b30
SHA256 19acb924a380bbaba6ba3fc690106cdeebd68d5dfb41fc1d3f72770a56267987
SHA512 0ee83b7fee4466a5341432431a4657f3648ed97867c81d3d86315d8ce458879e0b65427e65266bdae6c4ab6ff836cc29712ed739eacd2d9c5fcad6ac4d8bb981

memory/2084-366-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2084-364-0x0000000000400000-0x0000000000438000-memory.dmp
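Two things in the Files section are easier to pull out programmatically than by eye. The dump names follow memory/<pid>-<sequence>-<start>-<end>-memory.dmp, so grouping them by address range shows which regions were dumped from more than one process (0x75220000-0x757D1000 from PIDs 2228, 4904 and 2064; 0x10000000-0x101B6000 from PIDs 1328, 1632 and 3764) and which PIDs had a dump taken at 0x400000, the default 32-bit image base. Separately, two dropped files (0fd7de5367376231a788872005d7ed4f.exe and 8f1c8b40c7be588389a8d382040b23bb.exe) are named after their own MD5. The Python below is an added example, not from the report; it parses a constructed subset of the listing above and returns those groupings so the analyst can decide which dumps to open first.

```python
"""Files-section triage (added example; not part of the original report).
Groups memory dumps by address range across PIDs and checks which dropped
files are named after their own MD5."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
IMAGE_BASE_32 = 0x400000  # default link-time base of a 32-bit EXE

# Constructed subset of the dump names listed in the Files section above.
DUMP_NAMES = """
memory/2228-0-0x0000000075222000-0x0000000075223000-memory.dmp
memory/2228-1-0x0000000075220000-0x00000000757D1000-memory.dmp
memory/4904-22-0x0000000075220000-0x00000000757D1000-memory.dmp
memory/2064-42-0x0000000075220000-0x00000000757D1000-memory.dmp
memory/8-50-0x0000000000400000-0x0000000000625000-memory.dmp
memory/1328-112-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1632-143-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3764-178-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3720-165-0x0000000000400000-0x00000000007C2000-memory.dmp
memory/3720-190-0x0000000006370000-0x0000000006988000-memory.dmp
memory/4212-238-0x0000000000400000-0x00000000019AA000-memory.dmp
memory/4212-304-0x00000000060E0000-0x00000000064A2000-memory.dmp
memory/1516-220-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3832-357-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2084-364-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1992-244-0x0000000000DE0000-0x0000000000E74000-memory.dmp
"""

# Path -> MD5, copied from the Files section above (constructed subset).
DROPPED_FILES = {
    r"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe": "0fd7de5367376231a788872005d7ed4f",
    r"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe": "8f1c8b40c7be588389a8d382040b23bb",
    r"C:\Users\Admin\AppData\Roaming\22.exe": "dbf9daa1707b1037e28a6e0694b33a4b",
    r"C:\Windows\SysWOW64\TXPlatforn.exe": "a4329177954d4104005bce3020e5ef59",
    r"C:\Windows\SysWOW64\240621531.txt": "90fc82e03a29ddfb8aa574f126c85534",
}


def parse_dumps(text):
    """Return (pid, seq, start, end) tuples with addresses as ints."""
    dumps = []
    for token in text.split():
        m = DUMP_RE.fullmatch(token)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
    return dumps


def shared_regions(dumps):
    """(start, end) -> sorted PIDs, for ranges dumped from more than one process.
    Often the same module or payload mapped into each; hash the dumps to confirm."""
    by_range = defaultdict(set)
    for pid, _, start, end in dumps:
        by_range[(start, end)].add(pid)
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) > 1}


def image_base_pids(dumps, base=IMAGE_BASE_32):
    """PIDs with a dump starting at the default image base: candidate unpacked EXEs."""
    return sorted({pid for pid, _, start, _ in dumps if start == base})


def largest_per_pid(dumps):
    """PID -> size in bytes of its largest dumped region."""
    best = {}
    for pid, _, start, end in dumps:
        best[pid] = max(best.get(pid, 0), end - start)
    return best


def named_after_own_md5(files):
    """Paths whose file stem equals the file's MD5 (droppers that name payloads by hash)."""
    hits = []
    for path, md5 in files.items():
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem.lower() == md5.lower():
            hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    dumps = parse_dumps(DUMP_NAMES)
    for (start, end), pids in shared_regions(dumps).items():
        print(f"0x{start:08X}-0x{end:08X} in PIDs {pids}")
    print("image-base dumps:", image_base_pids(dumps))
    print("named after own MD5:", named_after_own_md5(DROPPED_FILES))
```

A region dumped at the same range from several PIDs is a single artefact to analyse once and then match by hash, which cuts the 0x10000000-0x101B6000 trio to one job; the dumps taken at 0x400000 are where unpacked main modules usually sit, so they are the ones to feed to static tooling first.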