d5395f121277d2b38f4173c7df0a20a3de99edfcfe2aa697080cc81170eb76ab

Resubmissions

09/03/2025, 01:58

250309-cdv29swybs 10

08/03/2025, 06:55

250308-hp35xatjt9 10

08/03/2025, 04:53

250308-fh1ebssky5 10

Analysis

max time kernel
149s
max time network
101s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
08/03/2025, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

My-Skidded-malwares-main/6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe
Size

8.6MB
MD5

57c4e3c3fe4cad4179e3d2203aec90b6
SHA1

12c1262f5aadb9cb11d266681841ffdebf85fe17
SHA256

6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2
SHA512

7e9cb1752924945212198100141cab9ed65b702535ebbbf587a1d0decc736a79e50849ba621c2f21505a8a855bb122277093768dab005194b3972b943b557499
SSDEEP

49152:FBtiVC1wE+5WhANOgkImhsSWUlqiFEJ3QqkfqV8+PYfjKp9uMuqtwtpi4gmmZRwx:Fd

Score

8^/10

bootkit defense_evasion discovery persistence upx

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Radon.exe

Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 31 IoCs

pid	Process
2924	Bahhhh.exe
3780	Berkelium.exe
3496	Boron.exe
1132	Californium.exe
5044	CatDaMBR.exe
3324	Cobalt.exe
3724	Curium.exe
1604	Einsteinium.exe
2352	EternalOrange.exe
5036	Fermium.exe
3464	Flerovium.exe
1992	Gallium.exe
2624	Germanium.exe
3056	Hafnium.exe
4432	haha.exe
4912	Iodine.exe
2144	Lanthanum.exe
2264	Lutetium.exe
4640	Nebula.exe
4824	Neodymium.exe
1040	nomore.exe
1308	Maltoolkit.exe
3948	Osmium.exe
3348	Radon.exe
2908	Samarium.exe
1644	Scandium.exe
2260	Solarizz.exe
2432	Tellurium.exe
4744	Thorium.exe
3960	Tungsten.exe
4000	Yttrium.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	haha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nomore.exe"	nomore.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4288	GameBarPresenceWriter.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Neodymium.exe
File opened for modification	\??\PhysicalDrive0	Solarizz.exe
File opened for modification	\??\PhysicalDrive0	nomore.exe
File opened for modification	\??\PhysicalDrive0	Radon.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001900000002aee7-158.dat	upx
behavioral2/memory/4640-170-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral2/memory/4640-288-0x0000000000400000-0x0000000000494000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Curium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nomore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Radon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EternalOrange.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boron.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cobalt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iodine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neodymium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gallium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahhhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CatDaMBR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lutetium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebula.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Californium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thorium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Berkelium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fermium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flerovium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hafnium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	haha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solarizz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yttrium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tungsten.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Einsteinium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lanthanum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Osmium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Germanium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Samarium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Scandium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tellurium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
3108	taskkill.exe
5000	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\MuiCache	GameBar.exe
Key created	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3449935180-2903586757-2462874082-1000\{7986EEE1-F338-4AFC-99FB-1B8D89A2614C}	svchost.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4928	reg.exe
872	reg.exe
3336	reg.exe
4428	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3080	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4824	Neodymium.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3348	Radon.exe
Token: SeDebugPrivilege	3108	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: 33	4268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4268	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5044	CatDaMBR.exe
3304	GameBar.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 2924	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	82
PID 3252 wrote to memory of 2924	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	82
PID 3252 wrote to memory of 2924	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	82
PID 3252 wrote to memory of 3780	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	83
PID 3252 wrote to memory of 3780	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	83
PID 3252 wrote to memory of 3780	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	83
PID 3252 wrote to memory of 3496	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	84
PID 3252 wrote to memory of 3496	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	84
PID 3252 wrote to memory of 3496	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	84
PID 3252 wrote to memory of 1132	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	85
PID 3252 wrote to memory of 1132	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	85
PID 3252 wrote to memory of 1132	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	85
PID 3252 wrote to memory of 5044	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	86
PID 3252 wrote to memory of 5044	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	86
PID 3252 wrote to memory of 5044	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	86
PID 3252 wrote to memory of 3324	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	87
PID 3252 wrote to memory of 3324	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	87
PID 3252 wrote to memory of 3324	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	87
PID 3252 wrote to memory of 3724	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	88
PID 3252 wrote to memory of 3724	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	88
PID 3252 wrote to memory of 3724	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	88
PID 3252 wrote to memory of 3136	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	90
PID 3252 wrote to memory of 3136	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	90
PID 3252 wrote to memory of 3136	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	90
PID 3252 wrote to memory of 1604	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	92
PID 3252 wrote to memory of 1604	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	92
PID 3252 wrote to memory of 1604	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	92
PID 3252 wrote to memory of 2352	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	93
PID 3252 wrote to memory of 2352	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	93
PID 3252 wrote to memory of 2352	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	93
PID 3252 wrote to memory of 5036	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	94
PID 3252 wrote to memory of 5036	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	94
PID 3252 wrote to memory of 5036	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	94
PID 3252 wrote to memory of 3464	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	95
PID 3252 wrote to memory of 3464	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	95
PID 3252 wrote to memory of 3464	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	95
PID 3252 wrote to memory of 1992	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	96
PID 3252 wrote to memory of 1992	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	96
PID 3252 wrote to memory of 1992	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	96
PID 3252 wrote to memory of 2624	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	97
PID 3252 wrote to memory of 2624	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	97
PID 3252 wrote to memory of 2624	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	97
PID 3252 wrote to memory of 3056	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	99
PID 3252 wrote to memory of 3056	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	99
PID 3252 wrote to memory of 3056	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	99
PID 3252 wrote to memory of 4432	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	100
PID 3252 wrote to memory of 4432	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	100
PID 3252 wrote to memory of 4432	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	100
PID 3252 wrote to memory of 4912	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	101
PID 3252 wrote to memory of 4912	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	101
PID 3252 wrote to memory of 4912	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	101
PID 4432 wrote to memory of 4888	4432	haha.exe	102
PID 4432 wrote to memory of 4888	4432	haha.exe	102
PID 4432 wrote to memory of 4888	4432	haha.exe	102
PID 3252 wrote to memory of 2144	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	104
PID 3252 wrote to memory of 2144	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	104
PID 3252 wrote to memory of 2144	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	104
PID 3252 wrote to memory of 2264	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	105
PID 3252 wrote to memory of 2264	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	105
PID 3252 wrote to memory of 2264	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	105
PID 3252 wrote to memory of 4640	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	107
PID 3252 wrote to memory of 4640	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	107
PID 3252 wrote to memory of 4640	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	107
PID 3252 wrote to memory of 4824	3252	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	109

C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe
"C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Users\Admin\AppData\Local\Temp\Bahhhh.exe
  "C:\Users\Admin\AppData\Local\Temp\Bahhhh.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\Berkelium.exe
  "C:\Users\Admin\AppData\Local\Temp\Berkelium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3780
- C:\Users\Admin\AppData\Local\Temp\Boron.exe
  "C:\Users\Admin\AppData\Local\Temp\Boron.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3496
- C:\Users\Admin\AppData\Local\Temp\Californium.exe
  "C:\Users\Admin\AppData\Local\Temp\Californium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\CatDaMBR.exe
  "C:\Users\Admin\AppData\Local\Temp\CatDaMBR.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\Cobalt.exe
  "C:\Users\Admin\AppData\Local\Temp\Cobalt.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3324
- C:\Users\Admin\AppData\Local\Temp\Curium.exe
  "C:\Users\Admin\AppData\Local\Temp\Curium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eee.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3136
- C:\Users\Admin\AppData\Local\Temp\Einsteinium.exe
  "C:\Users\Admin\AppData\Local\Temp\Einsteinium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\EternalOrange.exe
  "C:\Users\Admin\AppData\Local\Temp\EternalOrange.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\Fermium.exe
  "C:\Users\Admin\AppData\Local\Temp\Fermium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5036
- C:\Users\Admin\AppData\Local\Temp\Flerovium.exe
  "C:\Users\Admin\AppData\Local\Temp\Flerovium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3464
- C:\Users\Admin\AppData\Local\Temp\Gallium.exe
  "C:\Users\Admin\AppData\Local\Temp\Gallium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1992
- C:\Users\Admin\AppData\Local\Temp\Germanium.exe
  "C:\Users\Admin\AppData\Local\Temp\Germanium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\Hafnium.exe
  "C:\Users\Admin\AppData\Local\Temp\Hafnium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\haha.exe
  "C:\Users\Admin\AppData\Local\Temp\haha.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c Maltoolkit.exe --shreadinggdipayloadremovesystemdll'srainbowgdipayloadtunnelgdipayloadcreateunlimitedsystemaccountsscreeninvertingpayloadpixelatedgdiglitchesmousefollowingpayloadinversegdipayload1000
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Maltoolkit.exe
      Maltoolkit.exe --shreadinggdipayloadremovesystemdll'srainbowgdipayloadtunnelgdipayloadcreateunlimitedsystemaccountsscreeninvertingpayloadpixelatedgdiglitchesmousefollowingpayloadinversegdipayload1000
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1308
- C:\Users\Admin\AppData\Local\Temp\Iodine.exe
  "C:\Users\Admin\AppData\Local\Temp\Iodine.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4912
- C:\Users\Admin\AppData\Local\Temp\Lanthanum.exe
  "C:\Users\Admin\AppData\Local\Temp\Lanthanum.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\Lutetium.exe
  "C:\Users\Admin\AppData\Local\Temp\Lutetium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\Nebula.exe
  "C:\Users\Admin\AppData\Local\Temp\Nebula.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D457.tmp\Nebula.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4860
- C:\Users\Admin\AppData\Local\Temp\Neodymium.exe
  "C:\Users\Admin\AppData\Local\Temp\Neodymium.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG DELETE HKCU /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3852
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE HKCU /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1944
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4428
- C:\Users\Admin\AppData\Local\Temp\nomore.exe
  "C:\Users\Admin\AppData\Local\Temp\nomore.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:1040
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\nomore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3080
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\okay.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\Osmium.exe
  "C:\Users\Admin\AppData\Local\Temp\Osmium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\Radon.exe
  "C:\Users\Admin\AppData\Local\Temp\Radon.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- C:\Users\Admin\AppData\Local\Temp\Samarium.exe
  "C:\Users\Admin\AppData\Local\Temp\Samarium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\Scandium.exe
  "C:\Users\Admin\AppData\Local\Temp\Scandium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\Solarizz.exe
  "C:\Users\Admin\AppData\Local\Temp\Solarizz.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG DELETE HKCU /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE HKCU /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:552
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3336
- C:\Users\Admin\AppData\Local\Temp\Tellurium.exe
  "C:\Users\Admin\AppData\Local\Temp\Tellurium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\Thorium.exe
  "C:\Users\Admin\AppData\Local\Temp\Thorium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\Tungsten.exe
  "C:\Users\Admin\AppData\Local\Temp\Tungsten.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\Yttrium.exe
  "C:\Users\Admin\AppData\Local\Temp\Yttrium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4000

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:4288

C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\GameBar.exe
"C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\GameBar.exe" -ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bahhhh.exe

Filesize
230KB

MD5
27095b6e72d783c7ad7114f91b87e640

SHA1
15ef79e042f4befb60783b1d7931bfd916972096

SHA256
0738c33d4cbdef4bd1c216248a0a7a20ee7254e63d526fc113e827938aff2520

SHA512
9852bc26220c0ca60921425f7a089c4b5356624be41cf1d0e5b04eb36f47b840e2e1235d115927a6d3d69c6f3e60dfef484c67c59ade9edbf4e407b2c02c02ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Berkelium.exe

Filesize
74KB

MD5
c9f5fcf8b057f6f5b0f562fe1181cb18

SHA1
a1a4b505e2fc4d92ebacbdc6c783a29f7553bc41

SHA256
ad024d92fa10cba15bc1930f6d6792eba33feead5b4b8c4b4881c34409c31e3d

SHA512
a3fbbe86632fccdc74c43bc7c0afcb7c33463540f21473099a2176edff870bd47eac98d2dc64f684939a60888db190a4e091cc7d3068ca436da8e62969b17e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boron.exe

Filesize
207KB

MD5
30f2f3ba2f5053f75fd1af6186db6f7f

SHA1
ac9f70dcdf0a4caf57ac8b300b2205090f0850d7

SHA256
d350d7c68aa5b939d08fba384d1fbe44b757fcdadecb6534b5239d46bfef1f75

SHA512
5c39807596324fd7ba12c326af2e9f9b8666e76980ad1189fc49b71736eae779e461e5da71f9a27e014be8a8bd978dac6e7b3b3ceddbadb85f95682cc46cf7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Californium.exe

Filesize
223KB

MD5
306a2acc6e08033fad9b193dcbd4de05

SHA1
bccff10f633cac6c0bbda5a54061dd05d8f980de

SHA256
512a4972b15235864fc896484128b79d48d0dff076d6356559a0b75cb67067d3

SHA512
9d5e2abbd480181156624804d0709b403297261062bb3d3b2bd08f3a3905909109dfbd442268f94f2269ee3b8bf7a3a1f4206c65e2bd291602586f44fd084fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CatDaMBR.exe

Filesize
683KB

MD5
5cdd80274f50bbd149441b4563416341

SHA1
0436f39868fde8334f7f8398345fa97263a1f38e

SHA256
6d842aa210cfd67b6b217b7d5abb88b513e235d3a763ac9eb80733f8bbfd5814

SHA512
b6f1e546de2ac25b7fd48763bf19556d1c83f63e68a0886a3dbb9977886693688d35da6f13ee947c661aef67930af1223f898cdf3bf2fe79d989966568c95331

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cobalt.exe

Filesize
193KB

MD5
62f60979fd6a1b5ac711801d575164bd

SHA1
08374033a9219287c568774c90e11e74d6862f43

SHA256
a165dade3174a456d5af6835359d090cfbde706b941c46177656e06e869409a0

SHA512
f855c40c0649d10ede6857f0fee888c724f480bdcbba24c60b5bbb0a86a3ab9fdd1872813ff574993a4d50cdafd7259b29499b4791ec11c6b635157e2b718e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Curium.exe

Filesize
45KB

MD5
09e2aac9365ada595f8421858745bb27

SHA1
5a06e5e910c5bff7dcc598207f8c38e998c34a1f

SHA256
95497d5ed96e5b3458e1729e6c5015cfab6c5bc44907f2324ac7c6bd014a9ba2

SHA512
7294b109b0e0934a1f2f3648b65c55c319027b154f3866e64fbf5480aff352e5424e511d9f68af29bdbccb897ad8e874b55f42be1d745dc56fd5d360c36005e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D457.tmp\Nebula.bat

Filesize
465B

MD5
5528cd13a5aca40926f1301347fc5d6f

SHA1
f533d23a31f644005a6634d58ce20098ed8287f7

SHA256
41acabd23abbabeff13ea9ee7f05b15807380da95510d3ba114fe89b3655039c

SHA512
7a95e565b8f3e6879699fcabbcbfe09d7e509e2d3db836af8d03115b3da8f942982f6ec7d10608eed47ee700f7a4c3e79bea56f746ab8d9636606bad31757c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Einsteinium.exe

Filesize
59KB

MD5
0b18325551f9d0055a9e3aa7921dfc76

SHA1
3b5076541b73bb6f9b1910dcc339709e360a9a92

SHA256
350f39bf3a98520e20f6aed34b4786ee2f6518c979613653b08dcf07f3b5e15e

SHA512
b45440ca9863bbb1cf2e1434612b32ed2f4f8d54645a02e4c7dc84297fae2222a40cb18e6e29f0eba5e475846ff02fa60ce35107c63a6f0a07830d89647a285b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EternalOrange.exe

Filesize
272KB

MD5
59b1f2c4da85066cc5a73d80cfb9dcd2

SHA1
bf005c3de251295d74ec19bf90d03ddcf06b1d88

SHA256
9242ae324864a6388d09a076110b3d55cb97056e22b201c4cc8cbcae29f302cf

SHA512
951bd4db81e9f0bdbc6a16c9ce3f400f287e9815e097e0a984d407dc8df85fbde150930a18af474f86221a4a8f46413f8c08cf2df0bbd1ad47bb85b0583595fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fermium.exe

Filesize
55KB

MD5
21f63fa6e6db4240fde9121fb4847a7f

SHA1
a4c4ac1234960c7c3dbe0bd3133ec5c56deb3dec

SHA256
4bab7485b91ec5196a586a75ac7ee7d7cb8d7cdac96f59b8d5a53a1abe09910b

SHA512
cbba2dd355b6472284d0a50a2887f5de4b7c5c109eb3ff2f1b79fd6709b66c63ae0bd8146e9b1fcd97cf699144b8340b9a0ee4714aa9b15d248e63d1d4e2b9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flerovium.exe

Filesize
192KB

MD5
f728c4f178a7bc544136018d674f89a1

SHA1
14d60483112dbff186fe9c8b5f3efd644b7855e5

SHA256
bf3b53c82583803c36e00c1658cc7ea5154fa7015cc2cefd7d37bdc05a1824ac

SHA512
4544c1aaa98530cd815c76d0d3a25ca6c8e74c7153260b49dd5c0050bd2df7a5bda25219766e2fa8912293758039c54afddf0dfd99f5d8af4e50bf0445a7e8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gallium.exe

Filesize
64KB

MD5
e8bf30b1b6173a24fe3c091f5e41e51e

SHA1
2bfb376d9931b551ea2aef92e516fa4247e36c2a

SHA256
e8f9473c5910d908bbcf8b3100fd1927fa4293a99b4684e29f213f44cc61a58d

SHA512
050c3779a393a78a712f66fb23fd3305ad992a81983e2c91c29a6799423520c876344936ed5ab0e027c237ab1921243e67cae4e83c425828807f9fd59289d7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Germanium.exe

Filesize
38KB

MD5
cce249ef793a056cbfb2de01ba299b49

SHA1
25e73e283a841b6f574754a3c296cfb3220616b1

SHA256
3a1dd67101f8bfca844bdeb06bf6c2b2a9e1cf6cae15a0087b8f3489cf4d7a87

SHA512
1431743e36e75c3699e90dc3889edae81bc43aa0a558cb5636d42b9c65b87df017bfc740a96a4a40d49d278dab21d1b3fd22178b5483114bbb586d0e0c020413

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hafnium.exe

Filesize
313KB

MD5
c8e330ae8170030eec31701a9a0973af

SHA1
a6334de48f112b958bfcfe80274f69a958276c14

SHA256
83f9eeb4e9c654dc1319f1b07d1ea6df6f0b30f16cf252d918f478f40987cba4

SHA512
f11fe29d8f1018787084f9153fc2c2167fc115f1e0da0ab162cfedec97dd96aa338d536affd7ab72e108b87e4bdb422067d4475ef484aeb9cc9a5f7e998e195a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Maltoolkit.exe

Filesize
599KB

MD5
d4163d85ba71a09b181dea459744698c

SHA1
002efbdaf3b87a486cd1b577b219a36995a66489

SHA256
1fd51d6dd83f903b81c2fe5ee5811a32f4eeddae97b02c89659e6f0e7da16b1e

SHA512
f6740689391249a5a123cc2184b3b20bca15662d4b35f0158dfbb61a926f8d3d86f19cfadf2f411a5f43a904566a2b236f8fa6c1c30e2b7edeb29eb615e4dd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iodine.exe

Filesize
169KB

MD5
be8145c68550808dc874c1cc9489339f

SHA1
ef17d69f633e31bc3bac3e9fb97656de4e548d34

SHA256
6dfda56a88cd9768bb50dc9c1da8846a09934933d0a6a603eb73aebd198084be

SHA512
8352e2e3045a77af70cd564d0b31dbee8c688d29834a44ed8c4e7fc44e4883cac03ce87f9634f4dadd41ccade13bd11913240c1bf208a4b7d22569513a28ad86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lanthanum.exe

Filesize
243KB

MD5
2fdeccbe48b901cf84759f83f14dbe70

SHA1
e8376f1b4b1fdf4858cd9024164517b4258a113d

SHA256
522574c09e88c2d39787d6a3927bc051cf7eeb69620953cc0735665eb15d1a44

SHA512
85f7468c6e56861d06548b160d5541896077230d9e77ea5c598c0f5c959b5dfa0c1c0214eba54700742999ab8083048d382b6052ff782d768e9b74acde94fd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lutetium.exe

Filesize
250KB

MD5
73d444ef98ea3bafe5d5abc33cd87515

SHA1
f995876e720d9e6d5a5f13fa7e2b6822b6904d24

SHA256
fd7a0b8dc6f5d6053d1206cba9a7752fd7d10172b4e86b71a2fd88b991b86148

SHA512
43fa73090eaa0cb2bb8e99a6d987f56f7fdc7805ae36657e70bd948819a6b5aeba2e80c783c2334cf5afa21c2dd72a7e9882467a020509a5496cad2aeed37dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nebula.exe

Filesize
287KB

MD5
78091f56f0982281026b9fe997666e7f

SHA1
41ebbc8fcad44a6ca33a685aecb0b2bff4a35062

SHA256
ce1f154f417ba29a555744eabb2b7b9fc6aa2daaa763fa495541909d1fcba607

SHA512
a2246d395aaba5b476507ea2781ddbc34d47d1e4a5faf4e18e611e75b4f7f47412203969e7d3fba103e9b00cbac1f224f5aef9bcd4c6e1ada79c4a8f013e7714

Download Submit
C:\Users\Admin\AppData\Local\Temp\Neodymium.exe

Filesize
208KB

MD5
ef425827a51e138cd3ad64886639e379

SHA1
4075b501dc45eb3a8be37418c2b5877f888eae3c

SHA256
68b258531dbc544b6d330b1f247af8cd47fa301326d1dfd714e889417224a864

SHA512
4d15353cc9881c20c0086d502aad1c67ab1ea6be779f6be8f4a99f7abf901624cf325f60eb1041b486a693bdacd2002399d059baff0d36c4850f3cfd18b1cd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Osmium.exe

Filesize
195KB

MD5
4888069211cfd8b7e16e70f30eb74005

SHA1
3a2966849a230cd961a0dbc6e112da4de8e3c1dd

SHA256
9d4cd0fde0b9c4756c0fed9cd66a39b104cfc03e1501ec753bb7de391be0759e

SHA512
bb5068bb37cd51ed1086403e44b2472da9516215cc29286b592a726bf9a64138058bd3652f505d9c39e2f96133534e70cdf747bd2e36d3df5dfbf7d9a558c520

Download Submit
C:\Users\Admin\AppData\Local\Temp\Radon.exe

Filesize
68KB

MD5
f6a1bd5b3e02bb4a12ebec22d1bc66f5

SHA1
21f044135add6391bff61d71acd6d59e1933f23e

SHA256
35b7e991495230a9c859fc5e6b1c22f0c925005134ed52f3a9b04277f662f660

SHA512
814afabcc768592dc87bce173f199c75dea106e91e8f9f0fb986224096e27b7aa914f04e87dfe7887d61bcaf44c13ff8c7979698ca16ccb87d9d018cb50d988e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Samarium.exe

Filesize
181KB

MD5
5cbb65314b5cf4a18828385914453ce1

SHA1
56387f3173fc9b4eaadb5ae353a3aede4374840c

SHA256
23d35dfacd515d03dcf2212dbaca080a926dc1633a9dfd084907439603fd9a09

SHA512
5ec7336e97439486a602a7aca600c9dde63040c46b65380be274680f103cad0e56dbec13a1ed2f6492d4d3b8888e5f4c447873fd24f1ea60405c6615d7384784

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scandium.exe

Filesize
228KB

MD5
75ee569c80a31bfd091508bd854bd6e7

SHA1
eeb10b3301fc3e8b935b79ca0ce5d950a166faf1

SHA256
fc9ed4a4ee7e7b9f269b19987d501e8e9330c1a1cee874ef6549409f42cbb91a

SHA512
0a0969c72adc1603f3e5195e73098561c87722b44c9594f6d1d9b8731215e4818fc6de7c837a3d20e3458c3ca9915b5579664468581bdc0ce065d4ddbb5cbeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solarizz.exe

Filesize
227KB

MD5
26e2d3ebad2d3b577931bf932ee87b27

SHA1
478ce3a13f9afbd1e1c99d20333a6793033db7d1

SHA256
e06bf9270db8f3095a2ac1996697dbd678b0a72591f0d5cfcc9b4fb385605f55

SHA512
22c08db5207df98fd6d3cd54c32ee164ad61de737951e036db3438a23c984f36695facbbbe228c528387a939388db3f9b915e9fc9e820a2537edf47e85f2b9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tellurium.exe

Filesize
291KB

MD5
cbbab9f20cbf02fb7924e705d178c15f

SHA1
afc6add01f8e20eef582b62c61db520b82b46124

SHA256
63443d33673cbad5ad059e7f64d46afdb673d795fa44675a9fc2a4031eb0cb24

SHA512
e4216e91405c4e8bef5d8389f29cb3f3b0bc7626447191f8bd080a2d3bdf077284221e17c6f2a40979c52bd49a7905022a5dcaaefb898659e732fa53ec956a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thorium.exe

Filesize
140KB

MD5
9a26953b860f1e2a8f439c700873e2d3

SHA1
6b15c4b946e3fc9c4572e1e2cebfd1e0bb156998

SHA256
0f163cb365a413a003c5066247f8a6c27f4ddd985a4958867f71e32870073444

SHA512
635ac0c7729743d85a8e38a647b9e1ce071c2c7b955978743a211cc531803556bfadcc98a9e24088d4ddc528ba4815243dc32bcf272e3e9ccbb5bde2844e8433

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tungsten.exe

Filesize
186KB

MD5
6294123d96c4026fc6e16bbc7aca64d5

SHA1
1a98057381d92df8623614a5262446c630a9f716

SHA256
965d8fb142e1beee0fe8e29afdbcff8341c42278e0fab85dbac7be32c0e17ca2

SHA512
fbb3c89a7f4c0589301ea97bc359d3a80b45405992029b64db2c072275ee2fed766b53eb5fbc7516d66d718f1bbe87806c74b4942dbfd09660cc05c78b25572e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yttrium.exe

Filesize
190KB

MD5
78a79bed8d2c9d559585cf6ac11de488

SHA1
adc47a7b4b3bfa97e2ee96a598f62ce08f943250

SHA256
58fa6a4ee412c8e22984f652fa50b0d280d8b1882461406aaad41c9ac80eca59

SHA512
62d0f2ab8b5511948d34ec046166ba1e1bc458818b3d43402b71fd189051593b514e37df5e25e060926fcd10643bf64d129083ec44b5b9c79252b1771be25a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\eee.bat

Filesize
39B

MD5
6fe443f7af62bf537006c478604a4b75

SHA1
d684f203af60129adc01b007d7968b6f873a471b

SHA256
10f619357a5d46d9c459f05c7ee1d500cf83b5efef4d36f5ba3522c382b6b479

SHA512
3cbdd7f07ddcfcdaa08c4cdc9b344aec38868c54fa4e88fb1baccb404154c18182f7085431b04d210054e67ccb447a7f70ea640a6aa7df4f492023cfce03f9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\haha.exe

Filesize
659KB

MD5
6c3817c553a44d2ab916aa4c0574cefc

SHA1
d8858d8140592a557748b711d6a856d0bda3dce3

SHA256
9d2d8b2f908c2c60e3d22d10654e8fd1f7b4116758f6957938791a6defa067d9

SHA512
58a31af89f9e39c5147f7df19f440a75f06b284cd754156bf9cfe18155946c1d34125830bca26d61de195796f00495e44d2b68058dfc7c58fcffb8eb37e751ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nomore.exe

Filesize
150KB

MD5
e8d7c22c43ecaa4f1a2d5ef0f577fd93

SHA1
0f83cbb6387cd4a4a2f1f105c2d21d2720fde6db

SHA256
45384f4c35211b1b462adf78100ccc03b47cdcc984c612711365bd45e633cf6a

SHA512
add9021ebf48b4d9bd1b8cf427719e2e789f85906173bf1e9576fbe907fcb44f90ad7d5ae256c4dff8e1c31e6b280f1d4ba9187eb2b136fb4420eb332b8c7bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\okay.vbs

Filesize
65B

MD5
9d25c1d1263305c79452fc12105fa936

SHA1
e47039052caab30829d42184d2c52f675347491a

SHA256
bb0cab8b3c22127957dd5605bf008eac97a0bc6c48f6c8b342bc988675de4b82

SHA512
7ed65a91e4f07558eb7c1bd1fc4bcd5e61dc5fa82e5ccb772de3c3cc889e1954aa63d50b0365c14f5ee31ee5b6655ca69428d8d38482a9717e13b7f4840f3a3b

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/1040-185-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1308-285-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/1308-243-0x0000000005790000-0x0000000005D36000-memory.dmp

Filesize
5.6MB

Download
memory/1308-257-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/1308-228-0x00000000006F0000-0x000000000078A000-memory.dmp

Filesize
616KB

Download
memory/1308-286-0x0000000007A90000-0x0000000007B3A000-memory.dmp

Filesize
680KB

Download
memory/1308-254-0x00000000050F0000-0x000000000511C000-memory.dmp

Filesize
176KB

Download
memory/3252-0-0x0000000074BF1000-0x0000000074BF2000-memory.dmp

Filesize
4KB

Download
memory/3252-284-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3252-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4640-170-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4640-288-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/5044-287-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads