Malware Analysis Report

2025-05-05 22:36

Sample ID 241229-2w2p7szjgy
Target https://github.com/JackDoesMalwares/trojan-leaks/raw/refs/heads/main/TheEye-x64.exe
Tags
agilenet defense_evasion discovery evasion execution impact persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://github.com/JackDoesMalwares/trojan-leaks/raw/refs/heads/main/TheEye-x64.exe was found to be: Known bad.

Malicious Activity Summary

agilenet defense_evasion discovery evasion execution impact persistence ransomware trojan

Modifies WinLogon for persistence

UAC bypass

Deletes shadow copies

Disables Task Manager via registry modification

Blocks application from running via registry modification

Downloads MZ/PE file

Disables RegEdit via registry modification

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Opens file in notepad (likely ransom note)

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Modifies registry key

Uses Volume Shadow Copy WMI provider

Modifies Control Panel

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer Phishing Filter

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-29 22:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-29 22:56

Reported

2024-12-29 22:57

Platform

win7-20240903-en

Max time kernel

33s

Max time network

33s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/JackDoesMalwares/trojan-leaks/raw/refs/heads/main/TheEye-x64.exe

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,, C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ASP.NETWebAdminFiles\\Security\\Users\\App_LocalResources\\Resources\\theeye.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\Microsoft\\Protect\\Defender\\windef.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A

Both values are appended to rather than replaced: Winlogon starts every comma-separated entry of Userinit and Shell at each interactive logon, so userinit.exe and explorer.exe still run and the logon looks normal to the user while the two dropped binaries start alongside them. The drop locations are chosen to look like Microsoft components (a fake Windows Defender directory under C:\Windows\Microsoft\Protect, a resource folder inside the .NET Framework tree); neither is where the legitimate component lives.

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A

Writing HKLM\...\Policies\System already requires an elevated token, so these writes do not bypass UAC for the running sample; they switch UAC off for later elevations. ConsentPromptBehaviorAdmin = 0 elevates administrators without any prompt, PromptOnSecureDesktop = 0 removes the secure desktop for whatever prompts remain, and EnableLUA = 0 disables UAC entirely once the machine is restarted.

Deletes shadow copies

ransomware defense_evasion impact execution

Blocks application from running via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\powershell = "powershell.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\taskkill = "taskkill.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ProcessHacker = "ProcessHacker.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\msconfig = "msconfig.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\procexp = "procexp.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A

DisallowRun is a per-user Explorer policy: it stops the listed image names from being started through the Explorer shell only (Start menu, Run dialog, double-click). The list targets the tools a hands-on user would reach for to investigate or clean up (PowerShell, taskkill, Process Hacker, msconfig, Process Explorer), but the same binaries still start from a command prompt or any other non-Explorer launcher.

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
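The registry writes reported under "Modifies WinLogon for persistence", "UAC bypass", "Blocks application from running via registry modification", "Disables RegEdit via registry modification" and "Checks whether UAC is enabled" can be checked mechanically from the report text. The Python below is an added example written for this page; it is not part of the sandbox report or of any tool the report names. It parses rows in the report's column layout (the sample rows are copied from the tables above, with the long dropper path factored into a constant, plus two constructed benign rows), rewrites the kernel-style \REGISTRY\ prefix to HKLM or HKU\<SID>, and applies the checks an analyst applies by hand: Userinit and Shell must contain only their defaults, the three UAC policy values must not be 0, DisableRegistryTools and DisableTaskMgr must not be 1, and any DisallowRun entry is reported. The regular expression, the rule names and the default values are this example's own assumptions.

```python
import re

# The dropping process as it appears in the report's Process column.
SAMPLE_PROC = r'C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe'

# Constructed sample: rows copied from the signature tables in the report's
# column layout (Description, Indicator, Process, Target), followed by two
# constructed benign rows (an ordinary Internet Explorer write and an
# unchanged Userinit) to show that the rules stay quiet on them.
SAMPLE_ROWS = [
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,, C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ASP.NETWebAdminFiles\\Security\\Users\\App_LocalResources\\Resources\\theeye.exe" {SAMPLE_PROC} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\Microsoft\\Protect\\Defender\\windef.exe" {SAMPLE_PROC} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" {SAMPLE_PROC} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" {SAMPLE_PROC} N/A',
    rf'Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" {SAMPLE_PROC} N/A',
    rf'Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun {SAMPLE_PROC} N/A',
    rf'Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\procexp = "procexp.exe" {SAMPLE_PROC} N/A',
    rf'Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" {SAMPLE_PROC} N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," C:\Windows\regedit.exe N/A',
]

# One report row: operation, registry path, optional value (quoted string or
# bare hex blob), then the writing process and the target column.
# The process column is recognised by its drive-letter prefix (assumption).
ROW = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created|Key opened|Key value queried) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = (?:"(?P<qvalue>[^"]*)"|(?P<rvalue>\S+)))?'
    r' (?P<process>[A-Za-z]:\\[^"]+?) (?P<target>N/A|[A-Za-z]:\\.+)$'
)

USERINIT_DEFAULT = 'c:\\windows\\system32\\userinit.exe'   # Windows default, trailing comma dropped
SHELL_DEFAULT = 'explorer.exe'
UAC_VALUES = {'enablelua', 'consentpromptbehavioradmin', 'promptonsecuredesktop'}
TOOL_LOCKS = {'disableregistrytools', 'disabletaskmgr'}


def normalize_hive(path):
    """Rewrite the kernel-style \\REGISTRY\\MACHINE and \\REGISTRY\\USER\\<SID> prefixes."""
    path = re.sub(r'^\\REGISTRY\\MACHINE\\', 'HKLM\\\\', path, flags=re.I)
    path = re.sub(r'^\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\', r'HKU\\\1\\', path, flags=re.I)
    return path


def parse_row(line):
    """Return a dict for a well-formed row, or None for anything else."""
    m = ROW.match(line)
    if not m:
        return None
    value = m['qvalue'] if m['qvalue'] is not None else m['rvalue']
    if value is not None:
        value = value.replace('\\\\', '\\')   # the report doubles backslashes inside values
    return {'op': m['op'], 'path': normalize_hive(m['path']), 'value': value,
            'process': m['process'], 'target': m['target']}


def list_entries(value):
    """Split a comma-separated Winlogon value; empties (the ',,' above) are dropped."""
    return [e.strip().lower() for e in value.split(',') if e.strip()]


def check_row(row):
    """Return (rule, path, detail) findings for one parsed row."""
    path, value = row['path'], row['value']
    low = path.lower()
    name = low.rsplit('\\', 1)[-1]
    findings = []
    if value is None:                       # key creations and reads carry no value to judge
        return findings
    if low.endswith('\\winlogon\\userinit'):
        extra = [e for e in list_entries(value) if e != USERINIT_DEFAULT]
        if extra:
            findings.append(('winlogon_userinit', path, ';'.join(extra)))
    elif low.endswith('\\winlogon\\shell'):
        extra = [e for e in list_entries(value) if e != SHELL_DEFAULT]
        if extra:
            findings.append(('winlogon_shell', path, ';'.join(extra)))
    elif '\\policies\\system\\' in low and name in UAC_VALUES and value == '0':
        findings.append(('uac_policy_disabled', path, name))
    elif '\\policies\\system\\' in low and name in TOOL_LOCKS and value == '1':
        findings.append(('tool_locked', path, name))
    elif low.endswith('\\policies\\explorer\\disallowrun') and value == '1':
        findings.append(('disallowrun_enabled', path, value))
    elif '\\policies\\explorer\\disallowrun\\' in low:
        findings.append(('disallowrun_entry', path, value))
    return findings


def analyze(lines):
    """Run every rule over every parseable row and collect the findings in order."""
    findings = []
    for line in lines:
        row = parse_row(line)
        if row:
            findings.extend(check_row(row))
    return findings


if __name__ == '__main__':
    for rule, path, detail in analyze(SAMPLE_ROWS):
        print(f'{rule:22} {path}  ->  {detail}')
```

The Userinit rule compares entries rather than the whole string because the sample appends to the default instead of replacing it; a check that only looks for the exact default value would still pass on a clean host but would also miss exactly this kind of append. The same parser accepts the Key created / Key opened / Key value queried rows from the other tables, so the rule set can be extended to cover, for example, the Control Panel\Desktop\Wallpaper write.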

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com (×7) | N/A | N/A

Identical rows are collapsed; ×n is the number of times the row appears. The submitted target is a github.com /raw/ URL; GitHub serves those through a redirect to raw.githubusercontent.com, which is why the contacted host differs from the target URL.

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\oobe\info\backgrounds\backgroundDefault.jpg | C:\Windows\system32\cmd.exe | N/A
File opened for modification | C:\Windows\System32\oobe\info\backgrounds\backgroundDefault.jpg | C:\Windows\system32\cmd.exe | N/A

This path is the image Windows 7 LogonUI shows as the logon-screen background when the OEMBackground setting is enabled (that registry write is not among the captured rows). Written by the cmd.exe that CHLogOn.exe spawns, it replaces the logon screen, separate from the desktop wallpaper change under "Sets desktop wallpaper using registry".

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\debug\\Wall.jpg" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\debug\wcmd.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\Wall.jpg | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\Resources\theeye.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\Microsoft\Protect\Defender\windef.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr3.gif | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr5.wav | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\main.bs7 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\CHLogOn.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr4.wav | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr6.gif | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr7.wav | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr4.gif | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr6.wav | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr7.gif | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\BG.jpg | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr1.gif | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr1.wav | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr2.gif | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr2.wav | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr3.wav | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
File created | C:\Windows\debug\defenderlogs\scr5.gif | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\debug\CHLogOn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\debug\wcmd.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A

Modifies Internet Explorer Phishing Filter

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b049faf8445adb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Both rows are written by iexplore.exe, the browser the sandbox used to fetch the sample (see Command Line), during its own startup; they are detonation noise, not sample behaviour.

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3184B681-C638-11EF-AD58-7ED3796B1EC0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Every row in this table is written by iexplore.exe or its 32-bit content process, the browser the sandbox used to fetch the sample, and all of them are the browser's own session housekeeping (tab recovery, zoom, window placement, search scopes). They are noise from the detonation method, not behaviour of TheEye-x64.exe; the adware/spyware tags come from the generic signature, not from anything the sample did here.

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\notepad.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege (×4) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeRestorePrivilege (×4) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeBackupPrivilege (×4) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeDebugPrivilege (×4) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeIncreaseQuotaPrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeSecurityPrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeLoadDriverPrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeSystemProfilePrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeSystemtimePrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeProfSingleProcessPrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeIncBasePriorityPrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeCreatePagefilePrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeShutdownPrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeSystemEnvironmentPrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeRemoteShutdownPrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeUndockPrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: SeManageVolumePrivilege (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: 34 (SeTimeZonePrivilege) (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) (×3) | N/A | C:\Windows\debug\wcmd.exe | N/A

Identical rows are collapsed; ×n is the number of times the row appears. The sandbox reports the last three privileges only by LUID: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege and 35 SeCreateSymbolicLinkPrivilege. After the first four entries, the same block of 20 privileges is enabled three times over, and that block is, in LUID order, exactly the set of privileges an elevated administrator token holds but has disabled by default; this is consistent with a loop that enables every privilege present in its own token. SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege are the ones that matter, since they let the process open other processes and read, replace or take ownership of protected files regardless of ACLs.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A (×2) | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A (×62) | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe | N/A

Identical rows are collapsed; ×n is the number of times the row appears.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 2808 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (4 identical entries)
PID 2672 wrote to memory of 1224 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe (4 identical entries)
PID 1224 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe C:\Windows\notepad.exe (4 identical entries)
PID 1224 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe C:\Windows\debug\CHLogOn.exe (4 identical entries)
PID 3008 wrote to memory of 1460 N/A C:\Windows\debug\CHLogOn.exe C:\Windows\system32\cmd.exe (4 identical entries)
PID 1460 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (3 identical entries)
PID 1224 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe C:\Windows\debug\wcmd.exe (7 identical entries)
PID 1224 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe C:\Windows\System32\wbem\wmic.exe (4 identical entries)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe N/A
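The three writes above are the standard UAC-neutralising set: ConsentPromptBehaviorAdmin = 0 lets members of Administrators elevate without any prompt, PromptOnSecureDesktop = 0 takes whatever prompts remain off the secure desktop, and EnableLUA = 0 switches UAC off altogether, although that last value only takes effect after the next reboot. The Python below is an added example, not code from the sandbox or from the sample: it parses "Set value" rows in the layout this report uses and flags that combination. SAMPLE_ROWS copies the three rows above; the control row, the rule table and the verdict logic are my own constructions.

```python
"""Flag the UAC-weakening registry writes recorded in this report.

Added example for this report, not sandbox or sample code. SAMPLE_ROWS copies
the three 'Set value' rows from the System policy modification table; the
CONTROL_ROW, the rule table and the verdict logic are my own constructions.
"""
import re

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Assumed rule table: value name -> (data that weakens UAC, what it means).
UAC_RULES = {
    "EnableLUA": ({"0"}, "UAC disabled entirely (takes effect after reboot)"),
    "ConsentPromptBehaviorAdmin": ({"0"}, "administrators elevate silently, no prompt"),
    "PromptOnSecureDesktop": ({"0"}, "elevation prompts leave the secure desktop"),
}

# Row layout in this report: Set value (<type>) <key>\<name> = "<data>" <process> <target>
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\\S+) = "(?P<data>[^"]*)" '
    r'(?P<proc>.+?)(?: N/A)?$'
)

SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe N/A',
]
# Constructed control row: same key, a value that re-enables UAC. Must not fire.
CONTROL_ROW = r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\regedit.exe N/A'


def parse_set_value(row):
    """Split one 'Set value' row into key, value name, data and writing process."""
    m = SET_VALUE_RE.match(row.strip())
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")
    return {"type": m["type"], "key": key, "name": name, "data": m["data"], "process": m["proc"]}


def check_uac(rows):
    """Return one finding per row that sets a UAC policy value to a weakening state."""
    findings = []
    for row in rows:
        rec = parse_set_value(row)
        if rec is None or rec["key"].lower() != UAC_KEY.lower():
            continue
        rule = UAC_RULES.get(rec["name"])
        if rule and rec["data"] in rule[0]:
            findings.append({"name": rec["name"], "data": rec["data"],
                             "why": rule[1], "process": rec["process"]})
    return findings


def uac_fully_neutralised(findings):
    """True when all three values are weakened together, as this sample does:
    silent elevation immediately and no UAC at all after the next reboot."""
    return {f["name"] for f in findings} >= set(UAC_RULES)


if __name__ == "__main__":
    hits = check_uac(SAMPLE_ROWS + [CONTROL_ROW])
    for h in hits:
        print(f'{h["name"]}={h["data"]}: {h["why"]}  <- {h["process"]}')
    print("UAC fully neutralised:", uac_fully_neutralised(hits))
```

On a live host the same three values are read from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; any one of them at 0 is worth a ticket, all three together written by a process out of the IE cache directory is the pattern seen here.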

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/JackDoesMalwares/trojan-leaks/raw/refs/heads/main/TheEye-x64.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe"

C:\Windows\notepad.exe

"C:\Windows\notepad.exe" C:\Users\Admin\AppData\Local\Temp\note.txt

C:\Windows\debug\CHLogOn.exe

"C:\Windows\debug\CHLogOn.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5B79.tmp\5B7A.tmp\5B7B.bat C:\Windows\debug\CHLogOn.exe"

C:\Windows\system32\reg.exe

REG add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background /v OEMBackground /t REG_DWORD /d 1 /f

C:\Windows\debug\wcmd.exe

"C:\Windows\debug\wcmd.exe" C:\Windows\debug\main.bs7

C:\Windows\System32\wbem\wmic.exe

"C:\Windows\System32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1
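Read together with the WriteProcessMemory rows, this list gives the whole chain: iexplore.exe (2672) downloads and runs TheEye-x64.exe (1224), which opens note.txt in notepad, drops and runs CHLogOn.exe (3008), runs wcmd.exe on main.bs7 and deletes shadow copies with wmic. CHLogOn.exe in turn runs a batch file out of Temp through cmd.exe, and that batch sets OEMBackground = 1 under LogonUI\Background, the value that makes LogonUI load a custom logon background image. Two details are worth noting. cmd.exe is invoked as C:\Windows\sysnative\cmd.exe, the WOW64 alias a 32-bit process uses to reach the 64-bit System32, so CHLogOn.exe is a 32-bit binary. And the only network activity in the run is the GitHub download plus Microsoft certificate-revocation lookups, so no C2 was observed here. The Python below is an added example, not code from the sandbox or from the sample: it rebuilds the process tree from the "wrote to memory of" rows and runs a small set of command-line rules over the Processes list. Treating each memory write as a parent/child edge is an assumption that happens to agree with this report's process list; the rules are my own.

```python
"""Rebuild this run's process tree and flag the impact/persistence commands.

Added example for this report, not sandbox or sample code. EDGES copies the
'wrote to memory of' rows (one per parent/child pair) and CMDLINES the Processes
list. Reading a memory write as a parent/child edge is an assumption; RULES is mine.
"""
import re
from collections import defaultdict

WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
                    r"(?P<src_img>.+?) (?P<dst_img>[A-Za-z]:\\.+)$")

EDGES = [
    r"PID 2672 wrote to memory of 2808 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
    r"PID 2672 wrote to memory of 1224 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe",
    r"PID 1224 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe C:\Windows\notepad.exe",
    r"PID 1224 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe C:\Windows\debug\CHLogOn.exe",
    r"PID 3008 wrote to memory of 1460 N/A C:\Windows\debug\CHLogOn.exe C:\Windows\system32\cmd.exe",
    r"PID 1460 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe",
    r"PID 1224 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe C:\Windows\debug\wcmd.exe",
    r"PID 1224 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe C:\Windows\System32\wbem\wmic.exe",
]

# Image path -> command line; the report gives no PIDs here, so the join is on image path.
CMDLINES = {
    r"C:\Windows\notepad.exe": r'"C:\Windows\notepad.exe" C:\Users\Admin\AppData\Local\Temp\note.txt',
    r"C:\Windows\system32\cmd.exe": r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5B79.tmp\5B7A.tmp\5B7B.bat C:\Windows\debug\CHLogOn.exe"',
    r"C:\Windows\system32\reg.exe": r"REG add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background /v OEMBackground /t REG_DWORD /d 1 /f",
    r"C:\Windows\debug\wcmd.exe": r'"C:\Windows\debug\wcmd.exe" C:\Windows\debug\main.bs7',
    r"C:\Windows\System32\wbem\wmic.exe": r'"C:\Windows\System32\wbem\wmic.exe" shadowcopy delete',
}

# Assumed rules: (finding name, pattern over the command line).
RULES = [
    ("shadow copy deletion (T1490)",
     re.compile(r"\bshadowcopy\s+delete\b|\bvssadmin\b.*\bdelete\s+shadows\b", re.I)),
    ("logon screen background tampering",
     re.compile(r"\breg\b.*\bLogonUI\\Background\b.*\bOEMBackground\b", re.I)),
    ("dropped batch run from Temp",
     re.compile(r'cmd\.exe"?\s+/c\s+"?[^"]*\\Temp\\[^"]*\.bat\b', re.I)),
    ("text file opened from Temp (ransom note heuristic)",
     re.compile(r'notepad\.exe"?\s+"?[^"]*\\Temp\\[^"]*\.txt\b', re.I)),
]


def parse_edges(rows):
    """Return ({child: parent}, {pid: image}) from 'wrote to memory of' rows."""
    parent, image = {}, {}
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        parent[dst] = src
        image.setdefault(src, m["src_img"])
        image.setdefault(dst, m["dst_img"])
    return parent, image


def ancestry(pid, parent):
    """PID chain from the process up to the root, child first."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


def render_tree(parent, image):
    """Indented text tree: roots first, children in PID order."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for root in sorted(p for p in image if p not in parent):
        walk(root, 0)
    return "\n".join(lines)


def scan(parent, image, cmdlines):
    """Apply RULES to every process that has a command line; attach its ancestry."""
    by_image = {k.lower(): v for k, v in cmdlines.items()}
    findings = []
    for pid, img in image.items():
        cl = by_image.get(img.lower())
        if cl is None:
            continue
        for name, rx in RULES:
            if rx.search(cl):
                findings.append({"pid": pid, "rule": name,
                                 "chain": ancestry(pid, parent), "cmdline": cl})
    return findings


if __name__ == "__main__":
    parent, image = parse_edges(EDGES)
    print(render_tree(parent, image))
    for hit in scan(parent, image, CMDLINES):
        print(f'[{hit["rule"]}] pid {hit["pid"]} via {" <- ".join(map(str, hit["chain"]))}')
```

The ancestry attached to each finding is what turns a generic "wmic shadowcopy delete" alert into a useful one: here it resolves to wmic.exe under an executable in the IE cache under iexplore.exe, which is not a chain any administrator produces by hand. wcmd.exe running main.bs7 gets no rule hit because the report shows nothing about what that file is.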

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp (2 connections)
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp (6 connections)
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.83:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabED2E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarED9F.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 935418ecf8644ed1ef4c641ac51cffa7
SHA1 d2066e927bd3679819014adc5d4b3e4e04ffbfef
SHA256 92073956bf6fe1a6a5553897578f76300726d244fab849d638c3058ce083d412
SHA512 3fd2f0c62a40986bd323641dc2efcaf92c53e396681024add9b7787c121479e4fae8de38b2ff0bbc8c6bb889f46ef1840c063bb4960231315ffdc7c537c24b20

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f193defa3bdb19d982c27ed50730fd30
SHA1 9a6f695d49a8d32f380a27a141beb7f14b9fae17
SHA256 4d2c6569d20680fcdc63d8b134d7da5c745a2936934be782c709f4bd70dd44aa
SHA512 02764d4431fca25f1e20f8976399e813929efc36545d7af98cbf1821b98b536c0ba6a233d60c186f79f7608c58d40364684168682005ef78f2faa6d750e255f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be4eb41f88760a4de2698f7973c1b9a0
SHA1 455de65020a86957e61ec621787cc55780fd56d6
SHA256 de931416925e5073858ff2a9174d07011788d97eec14b1ffd6d677c0800d4085
SHA512 b3cab846262130cce8117157741755c3f79ec159b9b564b20885ac73f68c8f998a59c7ae1721c250efebbf06386662039caef707cb488557090d1db17af5f7c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d9091ed6aed28940bbac08e7bf5efca
SHA1 52787ce5b2f903ef44e14bbfa2896636b7fe6cde
SHA256 060a6673bb1c532cf10763cc855a04755e62f066d13127bcde21718bca1fceb2
SHA512 82c400b4f3f5506c4f6278336ece042ed241fd05612e8e078761c043285d7fd078f3c975f8c97789260f87614823dcbcd0a9251f2ee3c791714fc27cf281528b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4aaa4bb183457a1050bf26b932ea43b3
SHA1 9db1be78ec7fddf256252615ade50e697dec5cae
SHA256 df7500717ab70c823d2b57314bfe3f6890376995e59dd869ffafef84c6772f33
SHA512 92b9b1e2c044bf8b31a2bcadb3d80c9f014b5a91c05e06cca9c7deaee06ce70773b61dfc8f1b65a83342c7059398c6d89eeb4281126142623271f57ae0c5924b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee2a6bb54fae4b27dc90897c25a7b619
SHA1 347fe6d88284f49f10835f85bba69e32a7107a04
SHA256 9db4ebb1e4913b186f405e88c06c08d9a99ee2fc86f1f01df39a84d098161f48
SHA512 06152ba239f4289572806c4567ae2413b26d0a161e35c66303b63262a6a301d36f92fe9563126b3a200fe049a4b073b555cd748601a90893e485a12b450ec8d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f3c0f8eef006bd01e3ab27eeb832ede
SHA1 ec90e7e55dacaa5a43701f69ae029d75b0544d32
SHA256 f103f98c0cfbb54f1e9d20a03682eda79c2b1cfef77f7256d944508e8bbbe1aa
SHA512 640c57707a27d7dddeb2d8211d9953dc2dbe6ffdb11f21830e2c303cfb8d8c968e6e9b511f9ea2113e33798b8529a80cf972ff28e2f88dcc3a28a6ade56bc447

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1911d06473393edb0c5badc173c28db7
SHA1 40cc0cee0e224efd71a8bb21c69c39a4d1d7d95b
SHA256 90c3dafbee0edda97edc04588a077ad0a4311eb1b469ce4c03c21a659a36f705
SHA512 f12fa00b434ddad6802a59f95685837694251d6e7fa1fed7a1bc45166533a2b6d991448468ce0bde4387a05852ac95d8e2ec4f03abf08f0b6c9b5f8a97335d6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3647ad7a257c00f3ae6f7c5bbf7e6eb
SHA1 fa3cecb9951a5ac8f9ccbf82f8c107dd943ed598
SHA256 befe820d79524a3fb5cb5e47d924cd3106c4518aa8a13323b95acf6f0d6bd7d6
SHA512 a5e244dc5067368614e90897ec9dcaa5135d3449a9fb70dff6faa2fb65b48a23733cc9651946a5dd2e63560bcb6e3cc55d8fe8023c26d003237a9fd0f466f853

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9461f5d136677188354d296fc6d818e
SHA1 4ac24b7872d72fcc4f99c46cc920ee3ad90ea43b
SHA256 7c448817f7e2d82cb976c2402d963777d69ca05b57f9344f9f6f0067b26dba5f
SHA512 2e6f4589f1913cf86b3e88e3b309d64cbce6c07835b38d146de961943dfe0763f40414c571d10247bb6b92199c254068c5a4602c8f406763af508b330f7aa4ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26b7e3c73da41b5237ec54ab46d1e43f
SHA1 5b01d3eb10999591e3708472b68c650965726c6d
SHA256 65a9c26cdccc63cb8bb6dac8fdf99f0d3ce85bde5e6403327adaef84c219f54d
SHA512 62d03f090d2b57715df65509d83fa5ea26e14ec7386a496f7624cbef01e017404ace5b61ee7bd19ab01de96fcda48701fadd6de34c74bf1066cc63c116e5fe41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 21ac983ede48b21525e364d2d06474f2
SHA1 8a1cedaaf56c23afd400e63c29fbcc1a1a11aeb1
SHA256 572344617a34946b1f32b3ee584c14b616f2ab9229080930bfcbc536111d919f
SHA512 28f1665e0f367e01871aca8c43a3296c342f35aee36f575f54463d1b0b7c7b667ccbd29f00d6acc677551c5477a8b512b736012e23ba7f0026fe181cbb2ccd12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 250a9e65c2a50171b90c7a3532cc8e40
SHA1 5e8850dcf3cd201412e2ef4c061a23175df6bc60
SHA256 6054113de1c30377e07321dcdb13a157baa7899783e058d7f4ed3ace751f0ba2
SHA512 b002252e9fbf1f94e17d365f3f06973138e90c14d56f57a141eaa2c530ca6d99743419f03947b788916cd5e0540100e7aeb447d8912266188a814a0167767a88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0ee7653e9119ff6c6c0fc19a95ec914
SHA1 e33100220d7b05f18affac441e0c48ac633bca31
SHA256 d9c87f8e6b0e9a75ab7105f65ddf7e6e9800ec510c88be9a9da22d5c45b7699c
SHA512 6ed4ee643b9e35bd08f65a568fd6b9d3bb3807fa21994edb18c81b6a2121bfc2d11661fbc11a2eeaa77929fae8d8ce4b27d68b9fdb23b232627ee213b83da2e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3785a4760b4096a56c3838e2aa50e5b3
SHA1 948ecae0806913ae39be39973d48f87793bc46e6
SHA256 efb33d30177a1dbfa201a6242d84a78ecd63bd91050e28b1149ac872c1dd28e7
SHA512 308bf150d41e562ac2514c34071e21bc3c3daa5b01209e14dc873cc7ade22d149c7b7cdd74606d3c9867ca8ecc16642ede631fc880417359029ee3516cd4d8f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c821358ac46b0b113e22ec6c4559e0d7
SHA1 1d619d1c97c17cd9092237b02ce65bd90d8ad69a
SHA256 a41bd1d16312ef1ca693815a43a034c1b7e67b96ee717b4d8fc0ce127bcd7122
SHA512 2b63570d0ea4f3d43a9e154197d1613f5fbd1f07d988682effbded9da84ef1b992b7b1ca762bbeb7a60187e14c4f793088414788d5af45e77a6511a8bad0eaaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8af03795716a81446bd06d89221c958c
SHA1 acf3e8320c5eeea7e17634518f82fd295be36f9a
SHA256 c3bd3c69b123efba6a977f2367029cb13bdfc046325a1e9762788fc922d30374
SHA512 6e2cc058547ea1aa92b1418eef2b83a1340c0ee30ef2419ca53a09b2e0df0b6b23c513bbdbbee6e384c3b40e1fab1d3af81efe6b4ab5b3dbbe57b1a450ddb477

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19e5255fb6283d5b4c02aeeb1547572a
SHA1 55a60f663bee7f09a29f15fe9ab705250f65d84b
SHA256 981bd695e6d4e5960c3bdc90c02ffad9090bb4e7111fd78b84e07be54aae5f48
SHA512 ae20d7792f180b08da81a954b1e70dad8f49e263ea5a762b3e963edfc90ce7920d63b7f7b1554cb49925df508a943512ea49ab2913bcfaac7665f8c77f8013e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5578ed0d4c15fd464bada7952827080
SHA1 e03ecc3cc47128dc43e4086baeb746a8438fe754
SHA256 fdb769e81e0182b2d221ff8522597fff1c4a62c1589e823d8cb6fa2cbbcf7ad8
SHA512 f25ae2002aa16c0664dbf890c40b7eda95d998f9a25eb9300aa79f7a3d610eb0902d7ce4e694836f904b00b69b6d2bebdacba6349109a3b74eefb43fc8bb8746

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef6a0562d14a8b2f567ced33723167c7
SHA1 bf6eea37a5fa0b7260d4fe9ea360ab9a2bcf7a6f
SHA256 94203d077ad9659de5bb02b78de488876613dd5bc131a449e7475f052aedda60
SHA512 de732f13a69493b3ed38c1134fed64eb1962c56e789eef5f1db792c9b3cf102e7a460ac0f79d9b90f47be5ce6b4d89f71b0f6dae1e3c44efffdcad9da8a3efec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00e1374a3e02c01288e54d2b75c51fa6
SHA1 b5332a50881bb5cc2cb2e755d31254ea8d1ad37f
SHA256 754a4b7cdc16ac6047c54508da0fe9e4e91d03656bacfc7f5a91a30b692568c1
SHA512 d50cb7db306b09f74c540dd7cf57a9887ddbb50fd49eb0a9ed1af9e2c244b2131017c503a95f156438319ea5ec1f5cfaef35588110daab1cf55636bf7902d434

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ec38f39a3921f93df93c095e42bb65a
SHA1 eb64348596147b75e88f62220aa02972680a375c
SHA256 8fe8d63af710a71998712729b1001fb1e3784bf5d703e96f504377abfff72435
SHA512 fce0e61fb71164c4e3f42102b25f9327eb4e0bbaf6b8b56c9e30bbc4b01d44c0c6bd85ccfc522424f3041ddaa97d04349222585c7872de29a9ce4fb88a4333dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d57f5a86b90da2b2379319e3bc942fc9
SHA1 2db5516b948f784b58dd60aa27792d9aba462918
SHA256 5ee8a5f2b116a9f5ab4b71a5f61ae3357e83c52781a7536910631bc393f24ef4
SHA512 f1d85ae16f968d3b2916018cfb181afa73e06caee9b50bed7359b7b276fe1ef69c3582240a35c95bf20ccb8297127ab5c32b0f6326295e13a49eebb788629b7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78dfb77f4adef0d6341ac63bfb155d36
SHA1 0753eed352d89e245ea7a5c3e9121688dc574fd3
SHA256 f4f5508845292b36a943e51cb7c4789756bec9812ed2ea3d7a9c0190a0f9ae22
SHA512 dc3a1d1791c1ff94fb4d43647951d50955aa84475a19c6eabc83f452abc5b8cc35535bc3d6e1b48f80ae833dbe7ec2b72fbc57d3d4c5ccf5542ed4c4b5da17bf

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe.w46vfpa.partial

MD5 914d34ecdfa0ef6430ca4809e7a8c10c
SHA1 0e00f756f0997414af61b0ba2e1ea78a44619e9d
SHA256 fe79fb788f0fc6c4752f7bab66a52d8a4a1d15aa3821a919b9af6ba2c03aa5ae
SHA512 cee271e233c472ae2bbc298ca8cf9de08993f7db2f8d8503025e9a644af6ccfc1290a3c02d91854788c316fa2240a155609edb9c87be5470fde1d5abae546e11

memory/1224-1317-0x000000007170E000-0x000000007170F000-memory.dmp

memory/1224-1318-0x0000000000A80000-0x0000000001C52000-memory.dmp

memory/1224-1319-0x0000000071700000-0x0000000071DEE000-memory.dmp

memory/1224-1320-0x0000000071700000-0x0000000071DEE000-memory.dmp

memory/1224-1329-0x000000007170E000-0x000000007170F000-memory.dmp

memory/1224-1330-0x0000000071700000-0x0000000071DEE000-memory.dmp

memory/1224-1331-0x0000000071700000-0x0000000071DEE000-memory.dmp

\Windows\debug\CHLogOn.exe

MD5 9ca586ddfc5a57ce57ce626f207e1eb6
SHA1 1c87f85c2ffca02f99bca7d8aafcb342ae2ad7ee
SHA256 21684746e7e1540020be0392fb5b05c66a5b06f53671702d175d259144e6a002
SHA512 708f6d00bb8a46ce78c9db6fb4af1288a8ee7bd0e52a0384a18f3a77c72d61888030c5f3454658baf120886823fb1c3f8bd7988b7009631dc89e1ccc62b5e2bf

C:\Users\Admin\AppData\Local\Temp\note.txt

MD5 7347840cc3e83edafca3af146589e7a6
SHA1 cf7aed71cfe5e2c194b33f0101de3199f783571d
SHA256 9f401768934bcc0946c53a60ccf0e3741ff80618d8b98bbb0a8b1b16122b4804
SHA512 7e379f671cce50bd96cd6094c9d1e91b7bb6a168c634aa499b78ffec70e68136a98cc6c809e8ad7b5b13249074fad6dbd75cb00400ee81d30b1618ad81133cae

C:\Users\Admin\AppData\Local\Temp\5B79.tmp\5B7A.tmp\5B7B.bat

MD5 7f742118852893437bb5785d5ee7e73c
SHA1 aa1ded32065885ffbd8df69034106747c0cf812f
SHA256 9c348976c62fbb4c9cb6c9fbf3f9971b3d57a293f27a32a95bc7c051e392c2d4
SHA512 abd874873dd8e0c1dde285aa7f403405990e0f6d1f08c32f0519bb4cd744f5232f80fc542a793f896fe450158e237da233f0ae3fab9cd6ef74eb3fb8f81b7658

C:\Windows\debug\BG.jpg

MD5 da3abafe35393a02cfb59c057a456a43
SHA1 8f38b57d8716f8bfe96c652a442bb6684ad1c577
SHA256 d82c51b9ce2448f4229f8bbceaad0a166531e5a50572925c00716307309037c1
SHA512 71a79917123287e6fa4df02e0fecb70fbcb0069fb71a36c4c231952a0bd1195482c457918822df002fcb14139639387b138c4e93e1bc1f069ed9c946436288ed

C:\Windows\debug\wcmd.exe

MD5 d90879c6015e4a04c0941f5cbe263e62
SHA1 0da175415fe367f814524a0b406cf2b666aa7e9f
SHA256 3c21a2f3c4bdfedd641b834d87d927760621ff8a267255a2029c5215f2286967
SHA512 1ac57863d7d92abddf14d52d9d243ae39b48fa68ef091cf193678805e061061fd58e0734c488252a33915e73548a5475ecb48f3f7674150f5229eff6a974e68b

memory/1224-1385-0x0000000071700000-0x0000000071DEE000-memory.dmp