Analysis Overview
Threat Level: Known bad
The file https://github.com/JackDoesMalwares/trojan-leaks/raw/refs/heads/main/TheEye-x64.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Deletes shadow copies
Disables Task Manager via registry modification
Blocks application from running via registry modification
Downloads MZ/PE file
Disables RegEdit via registry modification
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Opens file in notepad (likely ransom note)
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Modifies registry key
Uses Volume Shadow Copy WMI provider
Modifies Control Panel
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer Phishing Filter
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-29 22:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-29 22:56
Reported
2024-12-29 22:57
Platform
win7-20240903-en
Max time kernel
33s
Max time network
33s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,, C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ASP.NETWebAdminFiles\\Security\\Users\\App_LocalResources\\Resources\\theeye.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\Microsoft\\Protect\\Defender\\windef.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
Deletes shadow copies
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\powershell = "powershell.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\taskkill = "taskkill.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ProcessHacker = "ProcessHacker.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\msconfig = "msconfig.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\procexp = "procexp.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| N/A | N/A | C:\Windows\debug\CHLogOn.exe | N/A |
| N/A | N/A | C:\Windows\debug\wcmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\oobe\info\backgrounds\backgroundDefault.jpg | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\oobe\info\backgrounds\backgroundDefault.jpg | C:\Windows\system32\cmd.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\debug\\Wall.jpg" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\debug\CHLogOn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\debug\wcmd.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b049faf8445adb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3184B681-C638-11EF-AD58-7ED3796B1EC0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\notepad.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: 33 | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: 34 | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: 35 | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: 33 | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: 34 | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: 35 | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: 33 | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: 34 | N/A | C:\Windows\debug\wcmd.exe | N/A |
| Token: 35 | N/A | C:\Windows\debug\wcmd.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/JackDoesMalwares/trojan-leaks/raw/refs/heads/main/TheEye-x64.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe"
C:\Windows\notepad.exe
"C:\Windows\notepad.exe" C:\Users\Admin\AppData\Local\Temp\note.txt
C:\Windows\debug\CHLogOn.exe
"C:\Windows\debug\CHLogOn.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5B79.tmp\5B7A.tmp\5B7B.bat C:\Windows\debug\CHLogOn.exe"
C:\Windows\system32\reg.exe
REG add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background /v OEMBackground /t REG_DWORD /d 1 /f
C:\Windows\debug\wcmd.exe
"C:\Windows\debug\wcmd.exe" C:\Windows\debug\main.bs7
C:\Windows\System32\wbem\wmic.exe
"C:\Windows\System32\wbem\wmic.exe" shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabED2E.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarED9F.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 935418ecf8644ed1ef4c641ac51cffa7 |
| SHA1 | d2066e927bd3679819014adc5d4b3e4e04ffbfef |
| SHA256 | 92073956bf6fe1a6a5553897578f76300726d244fab849d638c3058ce083d412 |
| SHA512 | 3fd2f0c62a40986bd323641dc2efcaf92c53e396681024add9b7787c121479e4fae8de38b2ff0bbc8c6bb889f46ef1840c063bb4960231315ffdc7c537c24b20 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f193defa3bdb19d982c27ed50730fd30 |
| SHA1 | 9a6f695d49a8d32f380a27a141beb7f14b9fae17 |
| SHA256 | 4d2c6569d20680fcdc63d8b134d7da5c745a2936934be782c709f4bd70dd44aa |
| SHA512 | 02764d4431fca25f1e20f8976399e813929efc36545d7af98cbf1821b98b536c0ba6a233d60c186f79f7608c58d40364684168682005ef78f2faa6d750e255f5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | be4eb41f88760a4de2698f7973c1b9a0 |
| SHA1 | 455de65020a86957e61ec621787cc55780fd56d6 |
| SHA256 | de931416925e5073858ff2a9174d07011788d97eec14b1ffd6d677c0800d4085 |
| SHA512 | b3cab846262130cce8117157741755c3f79ec159b9b564b20885ac73f68c8f998a59c7ae1721c250efebbf06386662039caef707cb488557090d1db17af5f7c1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5d9091ed6aed28940bbac08e7bf5efca |
| SHA1 | 52787ce5b2f903ef44e14bbfa2896636b7fe6cde |
| SHA256 | 060a6673bb1c532cf10763cc855a04755e62f066d13127bcde21718bca1fceb2 |
| SHA512 | 82c400b4f3f5506c4f6278336ece042ed241fd05612e8e078761c043285d7fd078f3c975f8c97789260f87614823dcbcd0a9251f2ee3c791714fc27cf281528b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4aaa4bb183457a1050bf26b932ea43b3 |
| SHA1 | 9db1be78ec7fddf256252615ade50e697dec5cae |
| SHA256 | df7500717ab70c823d2b57314bfe3f6890376995e59dd869ffafef84c6772f33 |
| SHA512 | 92b9b1e2c044bf8b31a2bcadb3d80c9f014b5a91c05e06cca9c7deaee06ce70773b61dfc8f1b65a83342c7059398c6d89eeb4281126142623271f57ae0c5924b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ee2a6bb54fae4b27dc90897c25a7b619 |
| SHA1 | 347fe6d88284f49f10835f85bba69e32a7107a04 |
| SHA256 | 9db4ebb1e4913b186f405e88c06c08d9a99ee2fc86f1f01df39a84d098161f48 |
| SHA512 | 06152ba239f4289572806c4567ae2413b26d0a161e35c66303b63262a6a301d36f92fe9563126b3a200fe049a4b073b555cd748601a90893e485a12b450ec8d8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4f3c0f8eef006bd01e3ab27eeb832ede |
| SHA1 | ec90e7e55dacaa5a43701f69ae029d75b0544d32 |
| SHA256 | f103f98c0cfbb54f1e9d20a03682eda79c2b1cfef77f7256d944508e8bbbe1aa |
| SHA512 | 640c57707a27d7dddeb2d8211d9953dc2dbe6ffdb11f21830e2c303cfb8d8c968e6e9b511f9ea2113e33798b8529a80cf972ff28e2f88dcc3a28a6ade56bc447 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1911d06473393edb0c5badc173c28db7 |
| SHA1 | 40cc0cee0e224efd71a8bb21c69c39a4d1d7d95b |
| SHA256 | 90c3dafbee0edda97edc04588a077ad0a4311eb1b469ce4c03c21a659a36f705 |
| SHA512 | f12fa00b434ddad6802a59f95685837694251d6e7fa1fed7a1bc45166533a2b6d991448468ce0bde4387a05852ac95d8e2ec4f03abf08f0b6c9b5f8a97335d6e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c3647ad7a257c00f3ae6f7c5bbf7e6eb |
| SHA1 | fa3cecb9951a5ac8f9ccbf82f8c107dd943ed598 |
| SHA256 | befe820d79524a3fb5cb5e47d924cd3106c4518aa8a13323b95acf6f0d6bd7d6 |
| SHA512 | a5e244dc5067368614e90897ec9dcaa5135d3449a9fb70dff6faa2fb65b48a23733cc9651946a5dd2e63560bcb6e3cc55d8fe8023c26d003237a9fd0f466f853 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f9461f5d136677188354d296fc6d818e |
| SHA1 | 4ac24b7872d72fcc4f99c46cc920ee3ad90ea43b |
| SHA256 | 7c448817f7e2d82cb976c2402d963777d69ca05b57f9344f9f6f0067b26dba5f |
| SHA512 | 2e6f4589f1913cf86b3e88e3b309d64cbce6c07835b38d146de961943dfe0763f40414c571d10247bb6b92199c254068c5a4602c8f406763af508b330f7aa4ea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 26b7e3c73da41b5237ec54ab46d1e43f |
| SHA1 | 5b01d3eb10999591e3708472b68c650965726c6d |
| SHA256 | 65a9c26cdccc63cb8bb6dac8fdf99f0d3ce85bde5e6403327adaef84c219f54d |
| SHA512 | 62d03f090d2b57715df65509d83fa5ea26e14ec7386a496f7624cbef01e017404ace5b61ee7bd19ab01de96fcda48701fadd6de34c74bf1066cc63c116e5fe41 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 21ac983ede48b21525e364d2d06474f2 |
| SHA1 | 8a1cedaaf56c23afd400e63c29fbcc1a1a11aeb1 |
| SHA256 | 572344617a34946b1f32b3ee584c14b616f2ab9229080930bfcbc536111d919f |
| SHA512 | 28f1665e0f367e01871aca8c43a3296c342f35aee36f575f54463d1b0b7c7b667ccbd29f00d6acc677551c5477a8b512b736012e23ba7f0026fe181cbb2ccd12 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 250a9e65c2a50171b90c7a3532cc8e40 |
| SHA1 | 5e8850dcf3cd201412e2ef4c061a23175df6bc60 |
| SHA256 | 6054113de1c30377e07321dcdb13a157baa7899783e058d7f4ed3ace751f0ba2 |
| SHA512 | b002252e9fbf1f94e17d365f3f06973138e90c14d56f57a141eaa2c530ca6d99743419f03947b788916cd5e0540100e7aeb447d8912266188a814a0167767a88 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f0ee7653e9119ff6c6c0fc19a95ec914 |
| SHA1 | e33100220d7b05f18affac441e0c48ac633bca31 |
| SHA256 | d9c87f8e6b0e9a75ab7105f65ddf7e6e9800ec510c88be9a9da22d5c45b7699c |
| SHA512 | 6ed4ee643b9e35bd08f65a568fd6b9d3bb3807fa21994edb18c81b6a2121bfc2d11661fbc11a2eeaa77929fae8d8ce4b27d68b9fdb23b232627ee213b83da2e1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3785a4760b4096a56c3838e2aa50e5b3 |
| SHA1 | 948ecae0806913ae39be39973d48f87793bc46e6 |
| SHA256 | efb33d30177a1dbfa201a6242d84a78ecd63bd91050e28b1149ac872c1dd28e7 |
| SHA512 | 308bf150d41e562ac2514c34071e21bc3c3daa5b01209e14dc873cc7ade22d149c7b7cdd74606d3c9867ca8ecc16642ede631fc880417359029ee3516cd4d8f0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c821358ac46b0b113e22ec6c4559e0d7 |
| SHA1 | 1d619d1c97c17cd9092237b02ce65bd90d8ad69a |
| SHA256 | a41bd1d16312ef1ca693815a43a034c1b7e67b96ee717b4d8fc0ce127bcd7122 |
| SHA512 | 2b63570d0ea4f3d43a9e154197d1613f5fbd1f07d988682effbded9da84ef1b992b7b1ca762bbeb7a60187e14c4f793088414788d5af45e77a6511a8bad0eaaa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8af03795716a81446bd06d89221c958c |
| SHA1 | acf3e8320c5eeea7e17634518f82fd295be36f9a |
| SHA256 | c3bd3c69b123efba6a977f2367029cb13bdfc046325a1e9762788fc922d30374 |
| SHA512 | 6e2cc058547ea1aa92b1418eef2b83a1340c0ee30ef2419ca53a09b2e0df0b6b23c513bbdbbee6e384c3b40e1fab1d3af81efe6b4ab5b3dbbe57b1a450ddb477 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 19e5255fb6283d5b4c02aeeb1547572a |
| SHA1 | 55a60f663bee7f09a29f15fe9ab705250f65d84b |
| SHA256 | 981bd695e6d4e5960c3bdc90c02ffad9090bb4e7111fd78b84e07be54aae5f48 |
| SHA512 | ae20d7792f180b08da81a954b1e70dad8f49e263ea5a762b3e963edfc90ce7920d63b7f7b1554cb49925df508a943512ea49ab2913bcfaac7665f8c77f8013e1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f5578ed0d4c15fd464bada7952827080 |
| SHA1 | e03ecc3cc47128dc43e4086baeb746a8438fe754 |
| SHA256 | fdb769e81e0182b2d221ff8522597fff1c4a62c1589e823d8cb6fa2cbbcf7ad8 |
| SHA512 | f25ae2002aa16c0664dbf890c40b7eda95d998f9a25eb9300aa79f7a3d610eb0902d7ce4e694836f904b00b69b6d2bebdacba6349109a3b74eefb43fc8bb8746 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ef6a0562d14a8b2f567ced33723167c7 |
| SHA1 | bf6eea37a5fa0b7260d4fe9ea360ab9a2bcf7a6f |
| SHA256 | 94203d077ad9659de5bb02b78de488876613dd5bc131a449e7475f052aedda60 |
| SHA512 | de732f13a69493b3ed38c1134fed64eb1962c56e789eef5f1db792c9b3cf102e7a460ac0f79d9b90f47be5ce6b4d89f71b0f6dae1e3c44efffdcad9da8a3efec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 00e1374a3e02c01288e54d2b75c51fa6 |
| SHA1 | b5332a50881bb5cc2cb2e755d31254ea8d1ad37f |
| SHA256 | 754a4b7cdc16ac6047c54508da0fe9e4e91d03656bacfc7f5a91a30b692568c1 |
| SHA512 | d50cb7db306b09f74c540dd7cf57a9887ddbb50fd49eb0a9ed1af9e2c244b2131017c503a95f156438319ea5ec1f5cfaef35588110daab1cf55636bf7902d434 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5ec38f39a3921f93df93c095e42bb65a |
| SHA1 | eb64348596147b75e88f62220aa02972680a375c |
| SHA256 | 8fe8d63af710a71998712729b1001fb1e3784bf5d703e96f504377abfff72435 |
| SHA512 | fce0e61fb71164c4e3f42102b25f9327eb4e0bbaf6b8b56c9e30bbc4b01d44c0c6bd85ccfc522424f3041ddaa97d04349222585c7872de29a9ce4fb88a4333dc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d57f5a86b90da2b2379319e3bc942fc9 |
| SHA1 | 2db5516b948f784b58dd60aa27792d9aba462918 |
| SHA256 | 5ee8a5f2b116a9f5ab4b71a5f61ae3357e83c52781a7536910631bc393f24ef4 |
| SHA512 | f1d85ae16f968d3b2916018cfb181afa73e06caee9b50bed7359b7b276fe1ef69c3582240a35c95bf20ccb8297127ab5c32b0f6326295e13a49eebb788629b7f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 78dfb77f4adef0d6341ac63bfb155d36 |
| SHA1 | 0753eed352d89e245ea7a5c3e9121688dc574fd3 |
| SHA256 | f4f5508845292b36a943e51cb7c4789756bec9812ed2ea3d7a9c0190a0f9ae22 |
| SHA512 | dc3a1d1791c1ff94fb4d43647951d50955aa84475a19c6eabc83f452abc5b8cc35535bc3d6e1b48f80ae833dbe7ec2b72fbc57d3d4c5ccf5542ed4c4b5da17bf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe.w46vfpa.partial
| MD5 | 914d34ecdfa0ef6430ca4809e7a8c10c |
| SHA1 | 0e00f756f0997414af61b0ba2e1ea78a44619e9d |
| SHA256 | fe79fb788f0fc6c4752f7bab66a52d8a4a1d15aa3821a919b9af6ba2c03aa5ae |
| SHA512 | cee271e233c472ae2bbc298ca8cf9de08993f7db2f8d8503025e9a644af6ccfc1290a3c02d91854788c316fa2240a155609edb9c87be5470fde1d5abae546e11 |
memory/1224-1317-0x000000007170E000-0x000000007170F000-memory.dmp
memory/1224-1318-0x0000000000A80000-0x0000000001C52000-memory.dmp
memory/1224-1319-0x0000000071700000-0x0000000071DEE000-memory.dmp
memory/1224-1320-0x0000000071700000-0x0000000071DEE000-memory.dmp
memory/1224-1329-0x000000007170E000-0x000000007170F000-memory.dmp
memory/1224-1330-0x0000000071700000-0x0000000071DEE000-memory.dmp
memory/1224-1331-0x0000000071700000-0x0000000071DEE000-memory.dmp
\Windows\debug\CHLogOn.exe
| MD5 | 9ca586ddfc5a57ce57ce626f207e1eb6 |
| SHA1 | 1c87f85c2ffca02f99bca7d8aafcb342ae2ad7ee |
| SHA256 | 21684746e7e1540020be0392fb5b05c66a5b06f53671702d175d259144e6a002 |
| SHA512 | 708f6d00bb8a46ce78c9db6fb4af1288a8ee7bd0e52a0384a18f3a77c72d61888030c5f3454658baf120886823fb1c3f8bd7988b7009631dc89e1ccc62b5e2bf |
C:\Users\Admin\AppData\Local\Temp\note.txt
| MD5 | 7347840cc3e83edafca3af146589e7a6 |
| SHA1 | cf7aed71cfe5e2c194b33f0101de3199f783571d |
| SHA256 | 9f401768934bcc0946c53a60ccf0e3741ff80618d8b98bbb0a8b1b16122b4804 |
| SHA512 | 7e379f671cce50bd96cd6094c9d1e91b7bb6a168c634aa499b78ffec70e68136a98cc6c809e8ad7b5b13249074fad6dbd75cb00400ee81d30b1618ad81133cae |
C:\Users\Admin\AppData\Local\Temp\5B79.tmp\5B7A.tmp\5B7B.bat
| MD5 | 7f742118852893437bb5785d5ee7e73c |
| SHA1 | aa1ded32065885ffbd8df69034106747c0cf812f |
| SHA256 | 9c348976c62fbb4c9cb6c9fbf3f9971b3d57a293f27a32a95bc7c051e392c2d4 |
| SHA512 | abd874873dd8e0c1dde285aa7f403405990e0f6d1f08c32f0519bb4cd744f5232f80fc542a793f896fe450158e237da233f0ae3fab9cd6ef74eb3fb8f81b7658 |
C:\Windows\debug\BG.jpg
| MD5 | da3abafe35393a02cfb59c057a456a43 |
| SHA1 | 8f38b57d8716f8bfe96c652a442bb6684ad1c577 |
| SHA256 | d82c51b9ce2448f4229f8bbceaad0a166531e5a50572925c00716307309037c1 |
| SHA512 | 71a79917123287e6fa4df02e0fecb70fbcb0069fb71a36c4c231952a0bd1195482c457918822df002fcb14139639387b138c4e93e1bc1f069ed9c946436288ed |
C:\Windows\debug\wcmd.exe
| MD5 | d90879c6015e4a04c0941f5cbe263e62 |
| SHA1 | 0da175415fe367f814524a0b406cf2b666aa7e9f |
| SHA256 | 3c21a2f3c4bdfedd641b834d87d927760621ff8a267255a2029c5215f2286967 |
| SHA512 | 1ac57863d7d92abddf14d52d9d243ae39b48fa68ef091cf193678805e061061fd58e0734c488252a33915e73548a5475ecb48f3f7674150f5229eff6a974e68b |
memory/1224-1385-0x0000000071700000-0x0000000071DEE000-memory.dmp