Malware Analysis Report

2025-04-13 12:21

Sample ID 250320-ne7cgavpt2
Target Nonagon.exe
SHA256 f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70
Tags
dcrat gurcu phemedrone umbral credential_access discovery infostealer persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70

Threat Level: Known bad

The file Nonagon.exe was found to be: Known bad.

Malicious Activity Summary

dcrat gurcu phemedrone umbral credential_access discovery infostealer persistence rat spyware stealer

Dcrat family

Detect Umbral payload

Gurcu, WhiteSnake

Umbral family

Phemedrone

Umbral

Process spawned unexpected child process

DcRat

Phemedrone family

Gurcu family

DCRat payload

Uses browser remote debugging

Downloads MZ/PE file

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Reads data files stored by FTP clients

Modifies WinLogon

Looks up external IP address via web service

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies system certificate store

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-20 11:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-20 11:19

Reported

2025-03-20 11:19

Platform

win7-20240903-en

Max time kernel

7s

Max time network

9s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"

Signatures

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\Nonagon.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\Nonagon.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\Nonagon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\Nonagon.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Nonagon.exe

"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarB9E4.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-20 11:19

Reported

2025-03-20 11:22

Platform

win10v2004-20250314-en

Max time kernel

148s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe" C:\Users\Admin\AppData\Local\Temp\Nonagon.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Local\Temp\Nonagon.exe N/A
File created C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat C:\Program Files\WinRAR\RarExtPackage.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Dcrat family

dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

Phemedrone

stealer phemedrone

Phemedrone family

phemedrone

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

Umbral family

umbral

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nonagon.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\Program Files\WinRAR\RarExtPackage.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\Windows\debug\DebugTracker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\900323d723f1dd1206\wininit.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe" C:\Users\Admin\AppData\Local\Temp\Nonagon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WinRAR\RarExtPackage.exe C:\Users\Admin\AppData\Local\Temp\Nonagon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\debug\wtf1.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\wtf.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\cs2.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File opened for modification C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\DebugTracker.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File opened for modification C:\Windows\debug\DebugTracker.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\VUQLBafFd1oU7p3k.vbe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File opened for modification C:\Windows\debug\wtf.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File opened for modification C:\Windows\debug\cs2.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\__tmp_rar_sfx_access_check_240615531 C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat C:\Program Files\WinRAR\RarExtPackage.exe N/A
File opened for modification C:\Windows\debug\VUQLBafFd1oU7p3k.vbe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\wtf1.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\WinRAR\RarExtPackage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\Program Files\WinRAR\RarExtPackage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\Windows\debug\DebugTracker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings C:\900323d723f1dd1206\wininit.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\debug\wtf.exe N/A
N/A N/A C:\Windows\debug\wtf.exe N/A
N/A N/A C:\Windows\debug\wtf.exe N/A
N/A N/A C:\Windows\debug\wtf.exe N/A
N/A N/A C:\Windows\debug\wtf.exe N/A
N/A N/A C:\Windows\debug\wtf.exe N/A
N/A N/A C:\Windows\debug\wtf.exe N/A
N/A N/A C:\Windows\debug\wtf.exe N/A
N/A N/A C:\Windows\debug\wtf.exe N/A
N/A N/A C:\Windows\debug\wtf.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\cs2.exe N/A
N/A N/A C:\Windows\debug\DebugTracker.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A
N/A N/A C:\900323d723f1dd1206\wininit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\debug\wtf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\debug\wtf1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\debug\cs2.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\debug\DebugTracker.exe N/A
Token: SeDebugPrivilege N/A C:\900323d723f1dd1206\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\900323d723f1dd1206\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\900323d723f1dd1206\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\900323d723f1dd1206\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\900323d723f1dd1206\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\900323d723f1dd1206\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\900323d723f1dd1206\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\900323d723f1dd1206\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\900323d723f1dd1206\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\900323d723f1dd1206\wininit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\Nonagon.exe C:\Program Files\WinRAR\RarExtPackage.exe
PID 2220 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\Nonagon.exe C:\Program Files\WinRAR\RarExtPackage.exe
PID 2220 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\Nonagon.exe C:\Program Files\WinRAR\RarExtPackage.exe
PID 4644 wrote to memory of 1000 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\SysWOW64\WScript.exe
PID 4644 wrote to memory of 1000 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\SysWOW64\WScript.exe
PID 4644 wrote to memory of 1000 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\SysWOW64\WScript.exe
PID 4644 wrote to memory of 2596 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\debug\wtf1.exe
PID 4644 wrote to memory of 2596 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\debug\wtf1.exe
PID 4644 wrote to memory of 4796 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\debug\wtf.exe
PID 4644 wrote to memory of 4796 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\debug\wtf.exe
PID 4644 wrote to memory of 4748 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\debug\cs2.exe
PID 4644 wrote to memory of 4748 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\debug\cs2.exe
PID 4748 wrote to memory of 2068 N/A C:\Windows\debug\cs2.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4748 wrote to memory of 2068 N/A C:\Windows\debug\cs2.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 5068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 5068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2596 wrote to memory of 4156 N/A C:\Windows\debug\wtf1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2596 wrote to memory of 4156 N/A C:\Windows\debug\wtf1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1384 (8 events) N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 2204 (2 events) N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2068 wrote to memory of 1184 (14 events) N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Nonagon.exe

"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"

C:\Program Files\WinRAR\RarExtPackage.exe

"C:\Program Files\WinRAR\RarExtPackage.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\debug\VUQLBafFd1oU7p3k.vbe"

C:\Windows\debug\wtf1.exe

"C:\Windows\debug\wtf1.exe"

C:\Windows\debug\wtf.exe

"C:\Windows\debug\wtf.exe"

C:\Windows\debug\cs2.exe

"C:\Windows\debug\cs2.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb21efdcf8,0x7ffb21efdd04,0x7ffb21efdd10

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1972,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1968 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2364,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2520 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3224,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3232 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3292 /prefetch:1

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4356 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4612,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4680 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat" "

C:\Windows\debug\DebugTracker.exe

"C:\Windows\debug\DebugTracker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\60739cf6f660743813\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\900323d723f1dd1206\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\900323d723f1dd1206\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\900323d723f1dd1206\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bn9GlWlL3z.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\900323d723f1dd1206\wininit.exe

"C:\900323d723f1dd1206\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84e4a125-9b4a-49fc-8ec8-43641589b74b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63484fd2-cc0c-437a-8dca-029601401384.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78fe4477-6363-43c8-830d-822294c19f09.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5920b758-0db8-4e60-a4b5-5d0cafff3a49.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdc366f3-d956-46f5-8a96-75a50e7fb5be.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9f25c08-2e72-4904-abf9-ed12e1c747cb.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a83cc516-2c68-4444-b388-30190a6fef64.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b73ef29-aa96-4b3e-ab18-842a2a9ab2fa.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb20cd01-d7f7-46a6-9daa-37b707a04837.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e7f3675-f4d0-4372-b282-590768ed2932.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45772f22-82b2-4762-9fbc-1f2ca13b0f00.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\043fbe65-92a2-47f3-bf76-f137551b617b.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdb0bdcc-6f51-4f63-bd5d-dd821d0187d0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb009207-0c59-4ce8-a073-17e0c9d0ba2b.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73401d19-5e8f-4107-ad9d-efcb5a34cd30.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eff0443-8b45-4f73-a0d6-fae26f72b4a4.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4236966c-d054-471c-aafb-78e9d95c4757.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a82b3c0-6a7b-4491-a77c-d0246fec23fb.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98cac277-68e1-460d-b048-b20a80bdd10b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56847dce-39a1-483b-a26c-dd070ea9d2f0.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45d35053-3c2a-4f25-ae2b-279085ce5c58.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9046f11-e20c-47fa-9f0c-e4bfa0a9c481.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79da0592-8ae3-4d31-9ee8-f90b41c8bfde.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aad9d84c-ccd3-4b08-bd74-670e26df31b9.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aa00f87-a53e-4079-83f5-b95d8477c7be.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\404399f8-68d2-418b-8985-c54f5af0d002.vbs"

C:\900323d723f1dd1206\wininit.exe

C:\900323d723f1dd1206\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a80c5036-c3b0-4dbf-85a5-fc61244e2f18.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f51b535-9b01-45a0-bbb5-c9164a1b83b2.vbs"
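The process list above is what a detection engineer would actually pivot on: a browser started with --remote-debugging-port (and pushed off-screen with --window-position=-2400,-2400) so cookies and sessions can be pulled over the DevTools protocol, schtasks persistence with minute-level and ONLOGON/HIGHEST triggers pointing at cmd.exe and wininit.exe copies in hex-named drive-root folders, and w32tm /stripchart, wmic csproduct and WScript used as living-off-the-land helpers. The chrome.exe-to-chrome.exe memory writes in the signature table are the browser's own child-process bootstrapping; the launch switches are the signal. The script below is an added example, not part of the sandbox output: it runs those checks over a subset of the command lines copied from this report, which stand in for Sysmon Event ID 1 or Security 4688 CommandLine fields. The browser and system-binary name lists and the 15-minute threshold are assumptions for the demo.

```python
"""Triage process command lines for browser remote debugging, suspicious
schtasks persistence and LOLBin usage. Added example; input rows are copied
from this report's Processes section (assumed stand-in for EDR telemetry)."""
import re

# Constructed input: a subset of the Processes section above.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"',
    r'"C:\Windows\System32\WScript.exe" "C:\Windows\debug\VUQLBafFd1oU7p3k.vbe"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9222 --lang=en-US --renderer-client-id=6',
    r'"wmic.exe" csproduct get uuid',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\cmd.exe'" /f''',
    r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\900323d723f1dd1206\wininit.exe'" /rl HIGHEST /f''',
    r'w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84e4a125-9b4a-49fc-8ec8-43641589b74b.vbs"',
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}  # assumed list
# Names that belong in System32; the same name elsewhere is masquerading (assumed list).
SYSTEM_BINARY_NAMES = {"cmd.exe", "wininit.exe", "svchost.exe", "explorer.exe", "dllhost.exe", "lsass.exe"}
# (image regex, argument regex, description) for LOLBin patterns seen in this chain.
LOLBIN_RULES = [
    (r"^w32tm(\.exe)?$", r"/stripchart\s+/computer:localhost", "w32tm /stripchart against localhost used as a sleep in place of timeout/ping"),
    (r"^wmic(\.exe)?$", r"csproduct\s+get\s+uuid", "wmic csproduct uuid: hardware UUID collected to identify the victim"),
    (r"^wscript(\.exe)?$", r'\.vb[se]"?\s*$', "wscript executing a dropped VBScript (.vbs/.vbe)"),
]


def image_name(cmdline):
    """Lower-case basename of the first token, honouring a quoted path."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    exe = (m.group(1) or m.group(2)) if m else ""
    return exe.rsplit("\\", 1)[-1].lower()


def check_remote_debugging(cmdline):
    """Flag the browser process (not its --type= children, which inherit the switch)."""
    if image_name(cmdline) not in BROWSERS or "--type=" in cmdline:
        return None
    port = re.search(r"--remote-debugging-port=(\d+)", cmdline)
    if not port:
        return None
    pos = re.search(r"--window-position=(-\d+,-\d+)", cmdline)
    note = f"browser started with DevTools remote debugging on port {port.group(1)}"
    return note + (f" (window placed off-screen at {pos.group(1)})" if pos else "")


def parse_schtasks(cmdline):
    """Return {switch: value} for a schtasks /create command line, else None."""
    if image_name(cmdline) != "schtasks.exe" or "/create" not in cmdline.lower():
        return None
    pairs = re.findall(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', cmdline, flags=re.I)
    return {k.lower(): (q or u) for k, q, u in pairs}


def check_scheduled_task(cmdline):
    t = parse_schtasks(cmdline)
    if t is None:
        return None
    target = t.get("tr", "").strip("'\" ")  # DcRat-style tasks wrap the path in '...'
    sc, mo = t.get("sc", "").upper(), t.get("mo", "1")
    reasons = []
    if sc == "MINUTE" and mo.isdigit() and int(mo) <= 15:
        reasons.append(f"re-runs every {mo} min")
    if sc == "ONLOGON" and t.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs at logon with highest privileges")
    m = re.match(r"^([a-z]):\\([^\\]+)\\([^\\]+)$", target, flags=re.I)  # <drive>:\<folder>\<file>
    if m:
        folder, exe = m.group(2), m.group(3).lower()
        if re.fullmatch(r"[0-9a-f]{12,}", folder, flags=re.I):
            reasons.append(f"target in drive-root folder with hex-like name {folder}")
        if exe in SYSTEM_BINARY_NAMES:
            reasons.append(f"target named like system binary {exe} outside System32")
    if not reasons:
        return None
    return f"schtasks {t.get('tn')!r} -> {target}: " + "; ".join(reasons)


def check_lolbin(cmdline):
    exe = image_name(cmdline)
    for name_re, args_re, desc in LOLBIN_RULES:
        if re.match(name_re, exe) and re.search(args_re, cmdline, flags=re.I):
            return desc
    return None


def triage(cmdlines):
    """Run every check over every command line; returns the list of findings."""
    findings = []
    for c in cmdlines:
        for check in (check_remote_debugging, check_scheduled_task, check_lolbin):
            hit = check(c)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(" -", f)
```

On the full process list the schtasks check fires on all six /create lines; note that "cmdc" and "wininitw" are each created twice with /f, the second time with /rl HIGHEST, so the task names alone undercount the persistence attempts.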

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 utka.xyz udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 www.google.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.180.10:443 ogads-pa.googleapis.com udp
GB 142.250.179.238:443 apis.google.com udp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 get.geojs.io udp
US 104.26.0.100:443 get.geojs.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
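Read per domain rather than per row, the table above separates into three groups: domains resolved and then contacted (github.com and objects.githubusercontent.com for the payload download, ip-api.com and get.geojs.io for the external IP lookup, api.telegram.org for exfiltration), the loopback connections to 127.0.0.1:9222 that match the Chrome remote-debugging port, and gsfaggsagsgasfgg.x10.mx, which is looked up twelve times and never connected to, so the DcRat C2 was unreachable during detonation. The script below is an added example, not part of the report: it computes that split from a subset of the rows copied from the table (a stand-in for a sandbox export or Zeek dns/conn logs). The list of IP-lookup services is an assumption; the 9222 port comes from the Chrome command line above.

```python
"""Per-domain summary of sandbox network rows: DNS lookups versus real
connections, plus a few patterns worth a second look. Added example; the
rows are copied from this report's Network table (assumed input format:
country ip:port [domain] proto)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: a subset of the Network table above.
SAMPLE_ROWS = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp
"""

IP_LOOKUP_SERVICES = {"ip-api.com", "get.geojs.io", "api.ipify.org", "ipinfo.io"}  # assumed list
BROWSER_DEBUG_PORTS = {9222}  # the --remote-debugging-port value seen in this report


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text):
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:  # no domain column: direct or loopback connection
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def per_domain(flows):
    """domain -> {'dns': lookups, 'conn': non-DNS flows, 'ports': ports contacted}."""
    stats = defaultdict(lambda: {"dns": 0, "conn": 0, "ports": set()})
    for f in flows:
        if not f.domain:
            continue
        s = stats[f.domain]
        if f.port == 53:
            s["dns"] += 1
        else:
            s["conn"] += 1
            s["ports"].add(f.port)
    return dict(stats)


def resolved_but_unconnected(flows):
    """Domains looked up but never contacted: the likeliest C2 candidates."""
    return sorted(d for d, s in per_domain(flows).items() if s["dns"] and not s["conn"])


def review(flows):
    notes = []
    stats = per_domain(flows)
    for d in resolved_but_unconnected(flows):
        notes.append(f"{d}: {stats[d]['dns']} DNS lookups, no connection; resolution failed, "
                     "was blocked, or the host was down at detonation. Check the DNS answer "
                     "before treating it as inert.")
    for d, s in sorted(stats.items()):
        if d in IP_LOOKUP_SERVICES and s["conn"]:
            notes.append(f"{d}: external IP lookup over port(s) {sorted(s['ports'])}")
        if d == "api.telegram.org" and s["conn"]:
            notes.append(f"{d}: Telegram Bot API reached, a common stealer exfiltration channel")
    loops = [f for f in flows if f.ip.startswith("127.") and f.port in BROWSER_DEBUG_PORTS]
    if loops:
        notes.append(f"loopback {loops[0].ip}:{loops[0].port}: {len(loops)} connection(s) to the "
                     "browser remote-debugging port")
    return notes


if __name__ == "__main__":
    for n in review(parse_rows(SAMPLE_ROWS)):
        print(" -", n)
```

A DNS-only domain is not evidence that the sample is harmless: pull the response code (NXDOMAIN, SERVFAIL, or a sinkhole address) from the PCAP before closing it out, and treat the unresolved name as the indicator to hunt for in resolver logs.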

Files

C:\Program Files\WinRAR\RarExtPackage.exe

MD5 84d934c68349e798f58a35df1f2f90c2
SHA1 be0974e4699ff06f52f0d5d380bc9cb8f0c50e19
SHA256 3b7218b64c14fc5125a93b4f898886d3bb9c1bb69f0696ae557bb2b79fe8e8f6
SHA512 83ea4479e8536b015a628c0a8ca0662b269875f303bd0193ad551022c04105406001990f3b261c8201ec031d92047450debe1c915a2e361eddb80b48b876d335

C:\Windows\debug\wtf1.exe

MD5 187795687849f43176bc94aff323435f
SHA1 22e3d510df771291a2a256946ac6268ccf5d10be
SHA256 d7ebf40f863050be539cd8cbba2463c48235aa509819ed3b066a1c0b4974203e
SHA512 b099c9cbd3f5d9cd44dae19c66e88d32e5c290fa3f8cd6818397b54f2f73d318738d96b295053254bed4f254a2ebdfb2a8e75402e61314343060447888d781a3

C:\Windows\debug\VUQLBafFd1oU7p3k.vbe

MD5 f9ed37928a0d95692faa9f69d0cd5cb7
SHA1 77c2968f3d2ba8afb128307105861734b4fce286
SHA256 61ac997d454ae62b6025b60e2ac9f1c7031cf380f3d9d1395de3cd816d35554a
SHA512 cbe7954def42abac38dde5ba9f9fbc341e8e9161a9b0826e9fe779541fdf2b0057402d9c3dab608a9b01dc9c3229a122e13ac71bd52be978adbd628d16867b79

C:\Windows\debug\wtf.exe

MD5 47ba0b9187c62981c229372477e2b2a0
SHA1 9c861ee21eb30ec6aa35b02bd437f70c2ac25eee
SHA256 93a0a5f1d487c699ba0809428c732bb0d741bc41b4459490b24d9b03ee3183fc
SHA512 2a65a3b52751ce99918ab3e01db1cc21e08e5a5069fd0256a6601a3aee5d2d75ce842c9eeb147cd7d76612b0ab8f86adee2eab3fea8e410f55c8061a690585c7

memory/2596-65-0x000001B6E49D0000-0x000001B6E4A10000-memory.dmp

memory/4796-66-0x0000024C14050000-0x0000024C14096000-memory.dmp

C:\Windows\debug\cs2.exe

MD5 509f2eeba11a964fa8d22ab6994cee78
SHA1 544321089bbc1cbc6e51eabcfcb0c042f797142c
SHA256 21c7ecd4074b68a2d59b6b241037392a0f1ee2d6450fa3c72a3895f3563d5a2a
SHA512 f6eed65466977ef5b775e9dd1c204790b901e64bebc648e71b38062dd5d9207cc53fbfa4bf7b170dfc1fa41bfb1570cb6527863d9abe5d03efc49eedc5487cf0

memory/4748-70-0x000001F9876E0000-0x000001F987708000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 406a765ad977e554922fa0af732bfe65
SHA1 f7ce2057999714963be09b46bd3849edfcfa3005
SHA256 b035f307a96e2532215fed3268b5c40e99cd79cdb44538a3b7c38520fe60f300
SHA512 4d6d4cc54761a597836de88cd4e5f8f234662b2b8b7f7121427fd9ceba9fe6465f0666541c05acd58d2ce3374292b7dfd8f4bc7a71ce013b1f969664ef11625f

\??\pipe\crashpad_2068_WZEHRYJPZBFHGWYG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat

MD5 159dec09c9bf063b00e4952d8665a601
SHA1 38bac5d19ebd3822e23b07932cd65ba7c2c08a9c
SHA256 f380d068932fe95e35273007cae8acc6d71bd62446c7fa7f0ed0da6bcb7b0c9c
SHA512 5cb79038ee2f712aead2b6180af25305326044711d9f8270b4075eabe7635c096eb8c4e22182633d639abf29293d28a7187d5c8bb5726cd6a9707b48961df073

C:\Windows\debug\DebugTracker.exe

MD5 22cbb5402a44f058c9176e04aa74b5f6
SHA1 10838c4611974ba2a5382442677dcf679840ecdd
SHA256 5d1930426e5e41548bcc214c4298c96028ea71d2a83f755e50fa5756c35a615a
SHA512 10d0693f4c6ff9cbcdf5b4ec8b0c690f11d9463c834c94fc7659bf9a89edae9c0b951e55f5909344caf4cccc1ea8d7635b58126cb3667847a290b4f0ac49f0a0

memory/3272-127-0x0000000000510000-0x0000000000602000-memory.dmp

memory/3272-128-0x0000000002680000-0x000000000268A000-memory.dmp

memory/3272-129-0x0000000002690000-0x000000000269E000-memory.dmp

memory/3272-130-0x000000001B120000-0x000000001B128000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bn9GlWlL3z.bat

MD5 07dfb2f2e90fd8c5eaa75af5983586a0
SHA1 6f6e44b4d36a9a2bfcae5f745d879f097f8e61f4
SHA256 7029b8df567e674983ade3310bb880859db18ac2a1e60ba4d639b00e8826bba7
SHA512 7f74026bee9ef7a71a27984647d79b8e8d70468ba1900a47596df9f0f0e300e1fb89680617bae184f664aa68f6b2ac1466b47acf4fcb575ef07c4e72de7427b1

C:\Users\Admin\AppData\Local\Temp\84e4a125-9b4a-49fc-8ec8-43641589b74b.vbs

MD5 0a8c65dc38835f8b167a4289eaca6664
SHA1 68d4f7789d5c1105969fd6987fc3d1e75b9876e9
SHA256 1d7234517828b20eac5b8ee4a731304940f58a99305cf3aa6df891dfcb20f6c9
SHA512 9499613faf88f45346709468b52ae66515bab9f7901f2b63e73acaceeb65e390fc6a535de042357cbb0eb63a3aaa614d28860662db165535c7f0f0c1dac87f5e

C:\Users\Admin\AppData\Local\Temp\63484fd2-cc0c-437a-8dca-029601401384.vbs

MD5 7f0f9f7c1e711043f14c6c2ed27bbd3c
SHA1 93f9b262b1b9caafd81a79f61a91baaffedf809e
SHA256 225aa29beb4760b24aee03133a9988ccd3953f9729b21a3ffa06a84c8840c4fb
SHA512 488920b2e70890278dab5072bb0d0d304e9d0d08a0ac7feb47a896cb064c25107c2bee7eba5abd1e0f7958576219fb4753000cfed3ecd492e74015f33705a4f4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

MD5 5cb90c90e96a3b36461ed44d339d02e5
SHA1 5508281a22cca7757bc4fbdb0a8e885c9f596a04
SHA256 34c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb
SHA512 63735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4

C:\Users\Admin\AppData\Local\Temp\78fe4477-6363-43c8-830d-822294c19f09.vbs

MD5 377b231ece995f5ac78b9d63e7101760
SHA1 8efafe9b5e7c580976e9b2f72b28fb5ea57a683c
SHA256 4de3938d0f4f4293b4a4e9a8bb45fbd7be2aa28225c85805f07fa925112c82c3
SHA512 2a36bd01aca4b89a57829378b1bee004c35f1a679cf73b1b94d7557ce0ae31ac5eeb4e039d5cf901ab061eb42fce1a018426ee07b0eff7caa6b39e20db74e9d4

C:\Users\Admin\AppData\Local\Temp\fdc366f3-d956-46f5-8a96-75a50e7fb5be.vbs

MD5 eae87e033dbcbe5bd1c1603b495320f6
SHA1 3424707914613d7de1f047dc16f043029f5f153b
SHA256 7a5daf72c15f707c29cbc575855b5ef54c94fa692bc0a04955bfa3e03e25e123
SHA512 f00e68b21e18aeefd6755129d86a444660b5ede02c21626781ae3175c364e4869b53d40afbd61afa3fc8b99f7d65a21b522eba2adb01767866e03593c8f5dc90

C:\Users\Admin\AppData\Local\Temp\a83cc516-2c68-4444-b388-30190a6fef64.vbs

MD5 2a335ce642c17ea2638fdd6fd051823e
SHA1 0b65d3bd364247014e29d9060e5cc76099fdbc18
SHA256 c8a0236707aa33630d5ded16dd10357461c71d3289cc528ecd1d338b1d33318d
SHA512 32e3a7107bccde2b13e23a34988168aa567230e5a11ceb56a00fdccb724cd053ec3108cb8a516e1949643ddd50e2a97e508fd3563b468d30aa7c5aa904401297

C:\Users\Admin\AppData\Local\Temp\cb20cd01-d7f7-46a6-9daa-37b707a04837.vbs

MD5 8978aee794b886ba7e7b5a6faba04040
SHA1 c1e8aa893d83f7a782ad24f7a9f8cc8ea61c2c20
SHA256 dc1f3be1c1644027084e191716c42e91a595adf49809dce7b76319d58efae1f4
SHA512 711515f68260f56e9dc73c105f4fd880fa746de469b35b7fd6b71f06701269645c724d43c3f02517863ebcf4a635312e8e03420f6f702e7605312d345764f645

C:\Users\Admin\AppData\Local\Temp\45772f22-82b2-4762-9fbc-1f2ca13b0f00.vbs

MD5 d08d11e4391e8e4083cd804039812a4a
SHA1 3dcd8c44ba1040fd596cd407d90f6b0ac086580f
SHA256 803e2128390d0157c93782f53a53f00547fdd9c8b1758d867f6a20fdff5b5cb0
SHA512 559b209ad65fac6730919ba7269a767d2a52c543370f31bfa7f452681b98cb7310a6c486210c08c3383cdeffbd45b0842e1a76b6372a0131ca0ed728164cafa6

C:\Users\Admin\AppData\Local\Temp\bdb0bdcc-6f51-4f63-bd5d-dd821d0187d0.vbs

MD5 711416665eef546f730380c0263c7a71
SHA1 317a39a6eb2994dbaa3f72bd4327366e9fc269fb
SHA256 96418babffceddf9fe79a766295846c253a1002c20eef4d6389cf0a2ef844fef
SHA512 f2a8be10a102e1fdbc67e4e789bea2232621bfe97e72d94c9993e86db8d2c94dc92e661729440ffa26401f5bd71a78c9d03d123b479c26bf094474b5a11c58b6

C:\Users\Admin\AppData\Local\Temp\73401d19-5e8f-4107-ad9d-efcb5a34cd30.vbs

MD5 44a25be7f72ea76f49bda9a23fe8d15f
SHA1 36a7a0be57ece3ca0ba0414d3c40d6b38581a62f
SHA256 861800ac9674b68062ac1201a395c10ce5e7c782588f76a7a7e1729efe8e89f7
SHA512 477b7734de880238b933afe7d6a916f1af95c92e9d2362448c7dd20845613c1eff161a1cf8637570ce620454343fdcd7af8834ea74935fb0af45c224768d2ab1

C:\Users\Admin\AppData\Local\Temp\4236966c-d054-471c-aafb-78e9d95c4757.vbs

MD5 571dce4e3317f21665e409be0ef37dea
SHA1 bf7f044d434e3cac76664968d82570556e2ffcf2
SHA256 7ac0e4d0e78bac8b9d4d1e0c00c11ec310810505a387cfa676cb350d4ad8ffd7
SHA512 3a00af589eebb5cc704fe2eea7f5c047b7c18196d09cc85a2268f7c7228650ab723fb30c78ee5b207ea1c4d8865562f9deb417826e6ea797856dfe3bc843ab08

C:\Users\Admin\AppData\Local\Temp\98cac277-68e1-460d-b048-b20a80bdd10b.vbs

MD5 3af007ccf18834352d7fff6a1cea2c8a
SHA1 6cbfa48128c919a5f9ebdd3d0f55337785cef6fb
SHA256 00ed1606c623df5e5f468028c7e18645269532a929f1fa40cb7192fd69181062
SHA512 7d795c3e33f1dca1c8f30f8a2e3d3b6c78440112aa17777b403aa3977e1a46f8e21831cc29f5e2ba1132ed1eb60501015f975d00dbf9ab79f59e0633a77b0a40

C:\Users\Admin\AppData\Local\Temp\45d35053-3c2a-4f25-ae2b-279085ce5c58.vbs

MD5 50d18e2e802f3b813b4a84852a425554
SHA1 2c52dc9c1beea7e082cd00a0e1a577b840d271d0
SHA256 00d9ca364983552b3da714d92deba448436513bca5caa47fae70f265d28491c1
SHA512 2d4c89d1bf161da230f4e20ef6368bd5747dc41c51556824b7cd5a662ebab1a876ce0cede919f70b69afe10e7f84ce338489eedd79980a2d7d528010e398f0db